win.wellmess

WellMess


WellMess is a Remote Access Trojan written in GoLang and .NET. It uses hard-coded User-Agent strings. Attackers deploy WellMess using separate tools that also allow lateral movement, for example "gost". Command-and-control traffic is carried over HTTP, using the Set-Cookie header field and the message body.

References
2020-08-13 — Talos Intelligence — Martin Lee, Paul Rascagnères, Vitor Ventura
@online{lee:20200813:attribution:ced59ff, author = {Martin Lee and Paul Rascagnères and Vitor Ventura}, title = {{Attribution: A Puzzle}}, date = {2020-08-13}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/08/attribution-puzzle.html}, language = {English}, urldate = {2020-08-14} } Attribution: A Puzzle
WellMail elf.wellmess AcidBox WellMess
2020-07-29 — Kaspersky Labs — GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-16 — NCSC UK — NCSC UK
@techreport{uk:20200716:advisory:d2a121d, author = {NCSC UK}, title = {{Advisory: APT29 targets COVID-19 vaccine development}}, date = {2020-07-16}, institution = {NCSC UK}, url = {https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf}, language = {English}, urldate = {2020-09-01} } Advisory: APT29 targets COVID-19 vaccine development
WellMail elf.wellmess SoreFang WellMess
2020-07-16 — PWC UK — PWC UK
@online{uk:20200716:how:8504d30, author = {PWC UK}, title = {{How WellMess malware has been used to target Covid-19 vaccines}}, date = {2020-07-16}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html}, language = {English}, urldate = {2020-07-17} } How WellMess malware has been used to target Covid-19 vaccines
elf.wellmess WellMess
2020-07-16 — CISA — US-CERT
@online{uscert:20200716:malware:539b015, author = {US-CERT}, title = {{Malware Analysis Report (AR20-198B)}}, date = {2020-07-16}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b}, language = {English}, urldate = {2020-07-20} } Malware Analysis Report (AR20-198B)
WellMess
2018-12-01 — Botconf — Yoshihiro Ishikawa, Shinichi Nagano
@techreport{ishikawa:20181201:lets:73b0c60, author = {Yoshihiro Ishikawa and Shinichi Nagano}, title = {{Let's go with a Go RAT!}}, date = {2018-12-01}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf}, language = {English}, urldate = {2020-04-28} } Let's go with a Go RAT!
elf.wellmess WellMess
2018-07-06 — JPCERT/CC — Shusei Tomonaga
@online{tomonaga:20180706:malware:dc21b83, author = {Shusei Tomonaga}, title = {{Malware “WellMess” Targeting Linux and Windows}}, date = {2018-07-06}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html}, language = {English}, urldate = {2020-07-17} } Malware “WellMess” Targeting Linux and Windows
elf.wellmess WellMess
2018-07-06 — JPCERT/CC — Shusei Tomonaga
@online{tomonaga:20180706:malware:f40637b, author = {Shusei Tomonaga}, title = {{Malware “WellMess” Targeting Linux and Windows}}, date = {2018-07-06}, organization = {JPCERT/CC}, url = {https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html}, language = {English}, urldate = {2020-01-06} } Malware “WellMess” Targeting Linux and Windows
WellMess
2018-06-14 — LAC — Cyber Emergency Center
@techreport{center:20180614:cyber:b2150a3, author = {Cyber Emergency Center}, title = {{Cyber Emergency Center Report No. 3}}, date = {2018-06-14}, institution = {LAC}, url = {https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf}, language = {English}, urldate = {2020-07-20} } Cyber Emergency Center Report No. 3
WellMess
Yara Rules
[TLP:WHITE] win_wellmess_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_wellmess_auto {
    // Autogenerated opcode-sequence signature for the Windows WellMess family
    // (win.wellmess) as recorded on Malpedia; see malpedia_reference / malpedia_hash
    // in meta for the sample it was derived from.
    // Fires when at least 7 of the 10 $sequence_* hex patterns occur in a file
    // smaller than 12279808 bytes (about 11.7 MiB).
    //
    // Reading the per-byte comments below: the `48` / `4c` bytes listed as
    // `dec eax` / `dec esp` are REX prefixes of x86-64 instructions, i.e. the
    // mnemonics are a 32-bit decoding of 64-bit code. For example `48 8b442428`
    // is `mov rax, [rsp+0x28]` and `48 894c2408` is `mov [rsp+8], rcx`. YARA
    // matches the raw byte patterns only; the comments are informational.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // presumably the yara-signator feature set used to select the sequences — confirm
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess"
        malpedia_rule_date = "20200817"
        // NOTE(review): 40 hex characters, so presumably the SHA-1 of the Malpedia
        // reference sample — confirm against the Malpedia entry
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction bytes lifted from the
        // sample's disassembly (n = number of instructions in the run; score appears
        // to be yara-signator's ranking value). `e8????????` is a 5-byte CALL whose
        // rel32 displacement is wildcarded, so a sequence is not pinned to one call
        // target or binary layout.
        $sequence_0 = { c3 48 890424 48 8d0d91ae1300 48 894c2408 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   48                   | dec                 eax
            //   890424               | mov                 dword ptr [esp], eax
            //   48                   | dec                 eax
            //   8d0d91ae1300         | lea                 ecx, [0x13ae91]
            //   48                   | dec                 eax
            //   894c2408             | mov                 dword ptr [esp + 8], ecx

        $sequence_1 = { e8???????? 48 8b6d00 4c 895c2440 0fb6b424d8000000 41 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b6d00               | mov                 ebp, dword ptr [ebp]
            //   4c                   | dec                 esp
            //   895c2440             | mov                 dword ptr [esp + 0x40], ebx
            //   0fb6b424d8000000     | movzx               esi, byte ptr [esp + 0xd8]
            //   41                   | inc                 ecx

        $sequence_2 = { e8???????? 48 8b442428 48 8b4c2430 48 89442450 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   48                   | dec                 eax
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   48                   | dec                 eax
            //   89442450             | mov                 dword ptr [esp + 0x50], eax

        $sequence_3 = { c744241807000000 e8???????? 0fb6442420 48 8b4c2440 48 8b742478 }
            // n = 7, score = 100
            //   c744241807000000     | mov                 dword ptr [esp + 0x18], 7
            //   e8????????           |                     
            //   0fb6442420           | movzx               eax, byte ptr [esp + 0x20]
            //   48                   | dec                 eax
            //   8b4c2440             | mov                 ecx, dword ptr [esp + 0x40]
            //   48                   | dec                 eax
            //   8b742478             | mov                 esi, dword ptr [esp + 0x78]

        $sequence_4 = { 8d0d7c470800 48 890c24 48 c744240800000000 48 c744241000000000 }
            // n = 7, score = 100
            //   8d0d7c470800         | lea                 ecx, [0x8477c]
            //   48                   | dec                 eax
            //   890c24               | mov                 dword ptr [esp], ecx
            //   48                   | dec                 eax
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   48                   | dec                 eax
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0

        $sequence_5 = { e8???????? 48 8b442410 48 8b4c2418 48 8dbc2420010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   48                   | dec                 eax
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   48                   | dec                 eax
            //   8dbc2420010000       | lea                 edi, [esp + 0x120]

        $sequence_6 = { e8???????? ebe0 4c 8d0db5902100 4c 890c24 48 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ebe0                 | jmp                 0xffffffe2
            //   4c                   | dec                 esp
            //   8d0db5902100         | lea                 ecx, [0x2190b5]
            //   4c                   | dec                 esp
            //   890c24               | mov                 dword ptr [esp], ecx
            //   48                   | dec                 eax

        $sequence_7 = { e8???????? 48 8d050f942700 48 890424 48 c744240801000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8d050f942700         | lea                 eax, [0x27940f]
            //   48                   | dec                 eax
            //   890424               | mov                 dword ptr [esp], eax
            //   48                   | dec                 eax
            //   c744240801000000     | mov                 dword ptr [esp + 8], 1

        $sequence_8 = { c78424d800000000000000 898424e0000000 48 89b424e8000000 48 899c24f0000000 48 }
            // n = 7, score = 100
            //   c78424d800000000000000     | mov    dword ptr [esp + 0xd8], 0
            //   898424e0000000       | mov                 dword ptr [esp + 0xe0], eax
            //   48                   | dec                 eax
            //   89b424e8000000       | mov                 dword ptr [esp + 0xe8], esi
            //   48                   | dec                 eax
            //   899c24f0000000       | mov                 dword ptr [esp + 0xf0], ebx
            //   48                   | dec                 eax

        $sequence_9 = { e8???????? 48 8b442448 48 3d80000000 778c 48 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   48                   | dec                 eax
            //   3d80000000           | cmp                 eax, 0x80
            //   778c                 | ja                  0xffffff8e
            //   48                   | dec                 eax

    condition:
        // `them` covers all 10 $sequence_* strings; requiring 7 of 10 presumably
        // leaves headroom for sequences that differ between builds. The filesize
        // bound (12279808 bytes, about 11.7 MiB) was fixed at generation time —
        // check that it still fits newer samples before relying on the rule.
        7 of them and filesize < 12279808
}