The WellMess malware, first reported by LAC and JPCERT in mid-2018, stores the Command and Control (C2) addresses it uses as plaintext URLs inside the binary. The C2 server has limited functionality: it relays information between itself, the WellMess backdoor, and presumably a further threat actor-controlled machine. Together, the malware and its C2 software let threat actors interact with victims in an offline manner, with a level of abstraction between the operator and the malicious software. Interestingly, the implementation details of Seaduke, another malware family, share some similarities with WellMess, particularly the use of encrypted cookies to transfer metadata and of obfuscated base64 data in HTTP requests to carry communication contents.
In July 2020, the U.S., U.K., and Canadian Governments jointly published an advisory revealing the Russian Foreign Intelligence Service's (SVR) exploitation of Common Vulnerabilities and Exposures (CVEs) to gain initial access to networks. The SVR deployed custom malware known as WellMess, WellMail, and Sorefang to target organizations involved in COVID-19 vaccine development. GRAVITYWELL, the Recorded Future designation for the server technology and TLS certificate configuration commonly used to host the SVR-linked WellMess backdoor, is an example of the transient infrastructure used in these operations.
While there isn't definitive evidence tying WellMess to a specific threat actor, it shares design similarities with Seaduke, an earlier tool used by Blue Kitsune (also known as APT29), the group to which the National Cyber Security Centre (NCSC) has publicly attributed WellMess. Operating the WellMess server as an intermediate C2 aligns with the Seaduke model of hosting C2 servers on compromised third-party websites or infrastructure. These servers act as staging environments that store commands and responses passed between the threat actor and the backdoor. The use of mutual TLS for the HTTPS communications, with a self-signed CA, secures the channel and prevents person-in-the-middle attacks on traffic between the server and the WellMess backdoor.
Description last updated: 2024-05-04T21:15:02.558Z