WellMess (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.wellmess (Back to overview)

WellMess

VTCollection

WellMess is A Remote Access Trojan written in GoLang and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example "gost". Command and Control traffic is handled via HTTP using the Set-Cookie field and message body.

References

2021-07-30 ⋅ RiskIQ ⋅ Team Atlas
Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers
elf.wellmess WellMess

2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy

2021-04-26 ⋅ CISA ⋅ CISA, Department of Homeland Security, FBI
Russian Foreign Intelligence Service (SVR)Cyber Operations: Trends and Best Practices for Network Defenders
elf.wellmess WellMess

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2021-02-25 ⋅ Intezer ⋅ Intezer
Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy

2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess

2020-12-07 ⋅ Censys ⋅ Censys
Advanced Persistent Infrastructure Tracking
WellMess

2020-08-13 ⋅ Talos Intelligence ⋅ Martin Lee, Paul Rascagnères, Vitor Ventura
Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-07-16 ⋅ NCSC UK ⋅ NCSC UK
Advisory: APT29 targets COVID-19 vaccine development
WellMail elf.wellmess SoreFang WellMess

2020-07-16 ⋅ CISA ⋅ US-CERT
Malware Analysis Report (AR20-198B)
WellMess

2020-07-16 ⋅ PWC UK ⋅ PWC UK
How WellMess malware has been used to target Covid-19 vaccines
elf.wellmess WellMess

2020-05-26 ⋅ CISA ⋅ US-CERT
Alert (AA21-116A): Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
elf.wellmess WellMess

2018-12-01 ⋅ Botconf ⋅ Shinichi Nagano, Yoshihiro Ishikawa
Let's go with a Go RAT!
elf.wellmess WellMess

2018-07-06 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Malware “WellMess” Targeting Linux and Windows
WellMess

2018-07-06 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Malware “WellMess” Targeting Linux and Windows
elf.wellmess WellMess

2018-06-14 ⋅ LAC ⋅ Cyber Emergency Center
Cyber Emergency Center Report No. 3
WellMess

Yara Rules

[TLP:WHITE] win_wellmess_auto (20201014 | autogenerated rule brought to you by yara-signator)

rule win_wellmess_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eba1 48 89f0 48 89ce eb8a 48 }
            // n = 7, score = 100
            //   eba1                 | jmp                 0xffffffa3
            //   48                   | dec                 eax
            //   89f0                 | mov                 eax, esi
            //   48                   | dec                 eax
            //   89ce                 | mov                 esi, ecx
            //   eb8a                 | jmp                 0xffffff8c
            //   48                   | dec                 eax

        $sequence_1 = { c744247806000000 48 8b05???????? 48 89442440 48 8d0dfb481a00 }
            // n = 7, score = 100
            //   c744247806000000     | mov                 dword ptr [esp + 0x78], 6
            //   48                   | dec                 eax
            //   8b05????????         |                     
            //   48                   | dec                 eax
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   48                   | dec                 eax
            //   8d0dfb481a00         | lea                 ecx, [0x1a48fb]

        $sequence_2 = { e8???????? 48 8b842490000000 48 8b4c2450 e9???????? 48 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b842490000000       | mov                 eax, dword ptr [esp + 0x90]
            //   48                   | dec                 eax
            //   8b4c2450             | mov                 ecx, dword ptr [esp + 0x50]
            //   e9????????           |                     
            //   48                   | dec                 eax

        $sequence_3 = { c3 48 89842458010000 48 898c2460010000 48 8bac2428010000 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   48                   | dec                 eax
            //   89842458010000       | mov                 dword ptr [esp + 0x158], eax
            //   48                   | dec                 eax
            //   898c2460010000       | mov                 dword ptr [esp + 0x160], ecx
            //   48                   | dec                 eax
            //   8bac2428010000       | mov                 ebp, dword ptr [esp + 0x128]

        $sequence_4 = { c3 48 8d05ce6e2200 48 890424 48 c744240804000000 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   48                   | dec                 eax
            //   8d05ce6e2200         | lea                 eax, [0x226ece]
            //   48                   | dec                 eax
            //   890424               | mov                 dword ptr [esp], eax
            //   48                   | dec                 eax
            //   c744240804000000     | mov                 dword ptr [esp + 8], 4

        $sequence_5 = { c744246400000000 48 c744246800000000 48 c744247000000000 48 c7c214000000 }
            // n = 7, score = 100
            //   c744246400000000     | mov                 dword ptr [esp + 0x64], 0
            //   48                   | dec                 eax
            //   c744246800000000     | mov                 dword ptr [esp + 0x68], 0
            //   48                   | dec                 eax
            //   c744247000000000     | mov                 dword ptr [esp + 0x70], 0
            //   48                   | dec                 eax
            //   c7c214000000         | mov                 edx, 0x14

        $sequence_6 = { 89ce 7460 81fbe263de7a 750e 48 8d0d8a270a00 48 }
            // n = 7, score = 100
            //   89ce                 | mov                 esi, ecx
            //   7460                 | je                  0x62
            //   81fbe263de7a         | cmp                 ebx, 0x7ade63e2
            //   750e                 | jne                 0x10
            //   48                   | dec                 eax
            //   8d0d8a270a00         | lea                 ecx, [0xa278a]
            //   48                   | dec                 eax

        $sequence_7 = { c3 48 891c24 48 89742408 48 8d054d350b00 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   48                   | dec                 eax
            //   891c24               | mov                 dword ptr [esp], ebx
            //   48                   | dec                 eax
            //   89742408             | mov                 dword ptr [esp + 8], esi
            //   48                   | dec                 eax
            //   8d054d350b00         | lea                 eax, [0xb354d]

        $sequence_8 = { f248 0f2cd1 48 8d5a30 885c0c1c 48 ffc1 }
            // n = 7, score = 100
            //   f248                 | dec                 eax
            //   0f2cd1               | cvttps2pi           mm2, xmm1
            //   48                   | dec                 eax
            //   8d5a30               | lea                 ebx, [edx + 0x30]
            //   885c0c1c             | mov                 byte ptr [esp + ecx + 0x1c], bl
            //   48                   | dec                 eax
            //   ffc1                 | inc                 ecx

        $sequence_9 = { c744245014000000 48 8d0549251e00 48 890424 48 8b4c2438 }
            // n = 7, score = 100
            //   c744245014000000     | mov                 dword ptr [esp + 0x50], 0x14
            //   48                   | dec                 eax
            //   8d0549251e00         | lea                 eax, [0x1e2549]
            //   48                   | dec                 eax
            //   890424               | mov                 dword ptr [esp], eax
            //   48                   | dec                 eax
            //   8b4c2438             | mov                 ecx, dword ptr [esp + 0x38]

    condition:
        7 of them and filesize < 12279808
}

Download all Yara Rules

WellMess Propose Change

References

Yara Rules

WellMess