win.wellmess

WellMess


WellMess is a Remote Access Trojan (RAT) written in Go and .NET. It uses hard-coded User-Agent strings. Attackers deploy WellMess using separate tools that also enable lateral movement, for example "gost". Command-and-control (C2) traffic is carried over HTTP, using the Set-Cookie header and the message body.

References
2021-07-30 | RiskIQ | Team Atlas
@online{atlas:20210730:bear:04ae603, author = {Team Atlas}, title = {{Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers}}, date = {2021-07-30}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/541a465f/description}, language = {English}, urldate = {2021-08-02} } Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers
elf.wellmess WellMess
2021-07-27 | Blackberry | BlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53, author = {BlackBerry Research & Intelligence Team}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-04-26 | CISA | CISA, FBI, Department of Homeland Security
@techreport{cisa:20210426:russian:0ef89c2, author = {CISA and FBI and Department of Homeland Security}, title = {{Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders}}, date = {2021-04-26}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf}, language = {English}, urldate = {2021-04-29} } Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
elf.wellmess WellMess
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-25 | Intezer | Intezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2020-12-21 | IronNet | Adam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-08-13 | Talos Intelligence | Martin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-16 | NCSC UK | NCSC UK
@techreport{uk:20200716:advisory:d2a121d, author = {NCSC UK}, title = {{Advisory: APT29 targets COVID-19 vaccine development}}, date = {2020-07-16}, institution = {NCSC UK}, url = {https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf}, language = {English}, urldate = {2020-09-01} } Advisory: APT29 targets COVID-19 vaccine development
WellMail elf.wellmess SoreFang WellMess
2020-07-16 | PWC UK | PWC UK
@online{uk:20200716:how:8504d30, author = {PWC UK}, title = {{How WellMess malware has been used to target Covid-19 vaccines}}, date = {2020-07-16}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html}, language = {English}, urldate = {2020-07-17} } How WellMess malware has been used to target Covid-19 vaccines
elf.wellmess WellMess
2020-07-16 | CISA | US-CERT
@online{uscert:20200716:malware:539b015, author = {US-CERT}, title = {{Malware Analysis Report (AR20-198B)}}, date = {2020-07-16}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b}, language = {English}, urldate = {2020-07-20} } Malware Analysis Report (AR20-198B)
WellMess
2020-05-26 | CISA | US-CERT
@online{uscert:20200526:alert:ee61285, author = {US-CERT}, title = {{Alert (AA21-116A): Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders}}, date = {2020-05-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-116a}, language = {English}, urldate = {2021-06-09} } Alert (AA21-116A): Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
elf.wellmess WellMess
2018-12-01 | Botconf | Yoshihiro Ishikawa, Shinichi Nagano
@techreport{ishikawa:20181201:lets:73b0c60, author = {Yoshihiro Ishikawa and Shinichi Nagano}, title = {{Let's go with a Go RAT!}}, date = {2018-12-01}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf}, language = {English}, urldate = {2020-04-28} } Let's go with a Go RAT!
elf.wellmess WellMess
2018-07-06 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20180706:malware:dc21b83, author = {Shusei Tomonaga}, title = {{Malware “WellMess” Targeting Linux and Windows}}, date = {2018-07-06}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html}, language = {English}, urldate = {2020-07-17} } Malware “WellMess” Targeting Linux and Windows
elf.wellmess WellMess
2018-07-06 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20180706:malware:f40637b, author = {Shusei Tomonaga}, title = {{Malware “WellMess” Targeting Linux and Windows}}, date = {2018-07-06}, organization = {JPCERT/CC}, url = {https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html}, language = {English}, urldate = {2020-01-06} } Malware “WellMess” Targeting Linux and Windows
WellMess
2018-06-14 | LAC | Cyber Emergency Center
@techreport{center:20180614:cyber:b2150a3, author = {Cyber Emergency Center}, title = {{Cyber Emergency Center Report No. 3}}, date = {2018-06-14}, institution = {LAC}, url = {https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf}, language = {English}, urldate = {2020-07-20} } Cyber Emergency Center Report No. 3
WellMess
Yara Rules
[TLP:WHITE] win_wellmess_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_wellmess_auto {

    /* Purpose: detect WellMess (Malpedia family win.wellmess) by matching short
     * code byte sequences extracted from the unpacked/in-memory binary.
     * Ten 7-instruction sequences are declared below; the condition fires when
     * at least 7 of them are present and the scanned object is below the size
     * bound. Per the disclaimer below, the sequences were selected from memory
     * dumps and unpacked files, so packed on-disk samples may not match; scan
     * process memory or unpacked images for best coverage.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 7 instructions (n = 7). The per-byte
        // listing under each string decodes the bytes as 32-bit x86; the
        // recurring 0x48 bytes shown as "dec eax" are most likely REX.W
        // prefixes of 64-bit code (e.g. "48 89f0" would be mov rax, rsi) —
        // NOTE(review): confirm against the sample before relying on the
        // 32-bit decoding shown.
        // "??" bytes are wildcards; in $sequence_1 and $sequence_2 they stand
        // in the 4-byte operand field of mov/call/jmp, so the rule tolerates
        // address differences between builds (the listing leaves those lines
        // blank for that reason).
        $sequence_0 = { eba1 48 89f0 48 89ce eb8a 48 }
            // n = 7, score = 100
            //   eba1                 | jmp                 0xffffffa3
            //   48                   | dec                 eax
            //   89f0                 | mov                 eax, esi
            //   48                   | dec                 eax
            //   89ce                 | mov                 esi, ecx
            //   eb8a                 | jmp                 0xffffff8c
            //   48                   | dec                 eax

        $sequence_1 = { c744247806000000 48 8b05???????? 48 89442440 48 8d0dfb481a00 }
            // n = 7, score = 100
            //   c744247806000000     | mov                 dword ptr [esp + 0x78], 6
            //   48                   | dec                 eax
            //   8b05????????         |                     
            //   48                   | dec                 eax
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   48                   | dec                 eax
            //   8d0dfb481a00         | lea                 ecx, [0x1a48fb]

        $sequence_2 = { e8???????? 48 8b842490000000 48 8b4c2450 e9???????? 48 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b842490000000       | mov                 eax, dword ptr [esp + 0x90]
            //   48                   | dec                 eax
            //   8b4c2450             | mov                 ecx, dword ptr [esp + 0x50]
            //   e9????????           |                     
            //   48                   | dec                 eax

        $sequence_3 = { c3 48 89842458010000 48 898c2460010000 48 8bac2428010000 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   48                   | dec                 eax
            //   89842458010000       | mov                 dword ptr [esp + 0x158], eax
            //   48                   | dec                 eax
            //   898c2460010000       | mov                 dword ptr [esp + 0x160], ecx
            //   48                   | dec                 eax
            //   8bac2428010000       | mov                 ebp, dword ptr [esp + 0x128]

        $sequence_4 = { c3 48 8d05ce6e2200 48 890424 48 c744240804000000 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   48                   | dec                 eax
            //   8d05ce6e2200         | lea                 eax, [0x226ece]
            //   48                   | dec                 eax
            //   890424               | mov                 dword ptr [esp], eax
            //   48                   | dec                 eax
            //   c744240804000000     | mov                 dword ptr [esp + 8], 4

        $sequence_5 = { c744246400000000 48 c744246800000000 48 c744247000000000 48 c7c214000000 }
            // n = 7, score = 100
            //   c744246400000000     | mov                 dword ptr [esp + 0x64], 0
            //   48                   | dec                 eax
            //   c744246800000000     | mov                 dword ptr [esp + 0x68], 0
            //   48                   | dec                 eax
            //   c744247000000000     | mov                 dword ptr [esp + 0x70], 0
            //   48                   | dec                 eax
            //   c7c214000000         | mov                 edx, 0x14

        $sequence_6 = { 89ce 7460 81fbe263de7a 750e 48 8d0d8a270a00 48 }
            // n = 7, score = 100
            //   89ce                 | mov                 esi, ecx
            //   7460                 | je                  0x62
            //   81fbe263de7a         | cmp                 ebx, 0x7ade63e2
            //   750e                 | jne                 0x10
            //   48                   | dec                 eax
            //   8d0d8a270a00         | lea                 ecx, [0xa278a]
            //   48                   | dec                 eax

        $sequence_7 = { c3 48 891c24 48 89742408 48 8d054d350b00 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   48                   | dec                 eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   48                   | dec                 eax
            //   89742408             | mov                 dword ptr [esp + 8], esi
            //   48                   | dec                 eax
            //   8d054d350b00         | lea                 eax, [0xb354d]

        $sequence_8 = { f248 0f2cd1 48 8d5a30 885c0c1c 48 ffc1 }
            // n = 7, score = 100
            //   f248                 | dec                 eax
            //   0f2cd1               | cvttps2pi           mm2, xmm1
            //   48                   | dec                 eax
            //   8d5a30               | lea                 ebx, [edx + 0x30]
            //   885c0c1c             | mov                 byte ptr [esp + ecx + 0x1c], bl
            //   48                   | dec                 eax
            //   ffc1                 | inc                 ecx

        $sequence_9 = { c744245014000000 48 8d0549251e00 48 890424 48 8b4c2438 }
            // n = 7, score = 100
            //   c744245014000000     | mov                 dword ptr [esp + 0x50], 0x14
            //   48                   | dec                 eax
            //   8d0549251e00         | lea                 eax, [0x1e2549]
            //   48                   | dec                 eax
            //   890424               | mov                 dword ptr [esp], eax
            //   48                   | dec                 eax
            //   8b4c2438             | mov                 ecx, dword ptr [esp + 0x38]

    condition:
        // Any 7 of the 10 sequences above must match (missing up to 3 keeps
        // some tolerance for build-to-build code differences). The size bound
        // is in bytes: 12279808 = 11992 KiB; objects at or above it never match.
        7 of them and filesize < 12279808
}