Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент WellMess
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
WellMess
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

WellMess

WellMess is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)
ID: S0514
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 24 Sep 2020
Last Modified: 22 Mar 2021

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WellMess can use HTTP and HTTPS in C2 communications.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)(Citation: NCSC APT29 July 2020)
.004 Application Layer Protocol: DNS

WellMess has the ability to use DNS tunneling for C2 communications.(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WellMess can execute PowerShell scripts received from C2.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020)
.003 Command and Scripting Interpreter: Windows Command Shell

WellMess can execute command line scripts received from C2.(Citation: PWC WellMess July 2020)

Enterprise T1132 .001 Data Encoding: Standard Encoding

WellMess has used Base64 encoding to uniquely identify communication to and from the C2.(Citation: CISA WellMess July 2020)
Enterprise T1001 .001 Data Obfuscation: Junk Data

WellMess can use junk data in the Base64 string for additional obfuscation.(Citation: CISA WellMess July 2020)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)
.002 Encrypted Channel: Asymmetric Cryptography

WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)(Citation: NCSC APT29 July 2020)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

WellMess can identify domain group membership for the current user.(Citation: CISA WellMess July 2020)

Groups That Use This Software
ID Name References
G0016 APT29

(Citation: PWC WellMess July 2020) (Citation: PWC WellMess C2 August 2020) (Citation: CISA WellMess July 2020) (Citation: NCSC APT29 July 2020) (Citation: Cybersecurity Advisory SVR TTP May 2021)

References

  1. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  2. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  3. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  4. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
  5. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.