WellMess

Malware updated 4 months ago (2024-05-04T21:18:13.302Z)
The WellMess malware, first reported by LAC and JPCERT in mid-2018, stores the Command and Control (C2) IP addresses it uses in the binary as plaintext URLs. The C2 has limited functionality: it relays information between itself, the WellMess backdoor, and presumably a further threat actor-controlled machine. This malware, together with its C2 software, lets threat actors interact with victims in an offline manner and with a level of abstraction between the threat actor and the malicious software.

Interestingly, the implementation details of Seaduke, another malware family, share some similarities with WellMess, particularly the use of encrypted cookies to transfer metadata and of obfuscated base64 data in HTTP requests to carry communication contents.

In July 2020, the U.S., U.K., and Canadian governments jointly published an advisory revealing that the Russian Foreign Intelligence Service (SVR) had exploited Common Vulnerabilities and Exposures (CVEs) to gain initial access to networks. They deployed custom malware known as WellMess, WellMail, and Sorefang to target organizations involved in COVID-19 vaccine development. GRAVITYWELL, the Recorded Future designation for the server technology and TLS certificate configuration commonly used to host the SVR-linked WellMess backdoor, exemplifies such transient infrastructure.

While there is no definitive evidence tying WellMess to a specific threat actor, it shares design similarities with a previous tool called Seaduke, used by Blue Kitsune (also known as APT29), to whom the National Cyber Security Centre (NCSC) has publicly attributed WellMess. The operation of the WellMess server as an intermediate C2 aligns with the Seaduke model of using compromised third-party websites or infrastructure to host C2 servers, which act as staging environments that store commands and responses exchanged between the threat actor and the backdoor.

The use of mutual TLS in HTTPS communications with a self-signed CA secures the channel, preventing potential person-in-the-middle attacks on traffic between the server and the WellMess backdoor.
Description last updated: 2024-05-04T21:15:02.558Z
Aliases: none currently tracked.
Miscellaneous Associations (other elements of context that could aid in identifying relevance): Backdoor, Exploit, Malware
Associated Threat Actors
ID: APT29
Type: Unspecified
Votes: 2
Profile Description: APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, BlueBravo, and the SVR group, is a Russia-linked threat actor notorious for its malicious cyber activities. In November 2023, this entity exploited a zero-day vulnerability in WinRAR software to launch attacks against various em
Source Document References
Information about the WellMess malware was read from the document corpus below.
Source (created): Title
CISA (9 months ago): Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally | CISA
MITRE (9 months ago): WellMess malware: analysis of its Command and Control (C2) server
MITRE (2 years ago): How WellMess malware has been used to target COVID-19 vaccines
MITRE (2 years ago): MAR-10296782-3.v1 – WELLMAIL | CISA
MITRE (2 years ago): MAR-10296782-1.v1 – SOREFANG | CISA
Recorded Future (2 years ago): 2022 Adversary Infrastructure Report