Currently viewing ATT&CK v8.2, which was live between October 27, 2020 and April 28, 2021.

WellMess

WellMess is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.[1][2][3]

ID: S0514
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, @Mrdaniyalnaeem
Version: 1.0
Created: 24 September 2020
Last Modified: 09 October 2020

Techniques Used

Domain ID Name Use

Enterprise T1071.004 Application Layer Protocol: DNS

WellMess has the ability to use DNS tunneling for C2 communications.[2][3]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

WellMess can use HTTP and HTTPS in C2 communications.[2][4][1][3]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

WellMess can execute command line scripts received from C2.[2]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

WellMess can execute PowerShell scripts received from C2.[2][1]

Enterprise T1132.001 Data Encoding: Standard Encoding

WellMess has used Base64 encoding to uniquely identify communication to and from the C2.[1]

Enterprise T1005 Data from Local System

WellMess can send files from the victim machine to C2.[2][1]

Enterprise T1001.001 Data Obfuscation: Junk Data

WellMess can use junk data in the Base64 string for additional obfuscation.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

WellMess can decode and decrypt data received from C2.[2][4][1]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard-coded RSA public key.[2][4][1]

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.[2][4][1][3]

Enterprise T1105 Ingress Tool Transfer

WellMess can write files to a compromised host.[2][1]

Enterprise T1069.002 Permission Groups Discovery: Domain Groups

WellMess can identify domain group membership for the current user.[1]

Enterprise T1082 System Information Discovery

WellMess can identify the computer name of a compromised host.[2][1]

Enterprise T1016 System Network Configuration Discovery

WellMess can identify the IP address and user domain on the target machine.[2][1]

Enterprise T1033 System Owner/User Discovery

WellMess can collect the username on the victim machine to send to C2.[1]

Groups That Use This Software

ID Name References

G0016 APT29 [2][4][1][3]

References