1. Home
  2. Software
  3. WellMail

WellMail

WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.[1][2]

ID: S0515
Type: MALWARE
Platforms: Windows
Contributors: Josh Campbell, Cyborg Security, @cyb0rgsecur1ty
Version: 1.0
Created: 29 September 2020
Last Modified: 09 October 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 从本地系统获取数据

WellMail can exfiltrate files from the victim machine.[1]
Enterprise T1573 .002 加密通道: Asymmetric Cryptography

WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.[1][2]
Enterprise T1140 反混淆/解码文件或信息

WellMail can decompress scripts received from C2.[1]
Enterprise T1560 归档收集数据

WellMail can archive files on the compromised host.[1]
Enterprise T1033 系统所有者/用户发现

WellMail can identify the current username on the victim system.[1]
Enterprise T1016 系统网络配置发现

WellMail can identify the IP address of the victim system.[1]
Enterprise T1105 输入工具传输

WellMail can receive data and executable scripts from C2.[1]
Enterprise T1095 非应用层协议

WellMail can use TCP for C2 communications.[1]
Enterprise T1571 非标准端口

WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.[1][2]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3]

References

  1. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  2. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  1. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.