WellMess Trojan

First observed in 2018, WellMess is a family of information stealing trojans developed by the Russian-attributed APT 29 group for use campaigns against organisations involved in COVID-19 vaccine research and development.

Threat ID:: CC-3568
Category:: Trojan, Spyware
Threat Severity:: Medium
Threat Vector:: Drive by download, Insecure network, Exploit, Spear phishing
Published:: 21 July 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Versions: all

Microsoft Windows

Threat details

Introduction

WellMess is a family of information stealing trojans believed to have been created by the APT29 advanced persistent threat group for use in their own campaigns. Written in Go or .NET, it was first observed in July 2018 but is likely to have been used in the wild earlier that same year.

COVID-19 Vaccine Campaigns

Beginning in early 2020, APT29 started conducting campaigns using WellMess, among other tools, against COVID-19 vaccine research and development organisations.

Delivery

As with other APT29-developed tools, WellMess is delivered after a period of extensive target identification and network reconnaissance. The group then deploys a number of publicly available exploits against any exposed services. Services exploited include Pulse Secure and Fortigate VPNs or Citrix gateway appliances.

APT29 will also use sophisticated spear-phishing attacks to obtain credentials for internet-facing login pages.

Activities

Once present on a target system, WellMess will attempt to collect system and user information before sending it to a command and control server over DNS, HTTP, or TLS. It will then await further instructions from APT29.

WellMess is able to upload and download files, or execute shell commands. All data sent or received by WellMess is encrypted using AES, the keys for which are then themselves encrypted using RSA.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

IP addresses

103.103.128[.]221
103.13.240[.]46
103.205.8[.]72
103.216.221[.]19
103.253.41[.]102
103.253.41[.]68
103.253.41[.]82
103.253.41[.]90
103.73.188[.]101
111.90.146[.]143
111.90.150[.]176
119.160.234[.]163
119.160.234[.]194
119.81.173[.]130
119.81.178[.]105
120.53.12[.]132
122.114.197[.]185
122.114.226[.]172
141.255.164[.]29
141.98.212[.]55
145.249.107[.]73
146.0.76[.]37
149.202.12[.]210
169.239.128[.]110
176.119.29[.]37
178.211.39[.]6
185.120.77[.]166
185.145.128[.]35
185.99.133[.]112
191.101.180[.]78
192.48.88[.]107
193.182.144[.]105
202.59.9[.]59
209.58.186[.]196
209.58.186[.]197
209.58.186[.]240
220.158.216[.]130
27.102.130[.]115
31.170.107[.]186
31.7.63[.]141
45.120.156[.]69
45.123.190[.]168
45.152.84[.]57
46.19.143[.]69
5.199.174[.]164
66.70.247[.]215
79.141.168[.]109
81.17.17[.]213
85.93.2[.]116

File indicators

SHA256 hashes

00654dd07721e7551641f90cba832e98c0acb030e2848e5efc0e1752c067ec07
0322c4c2d511f73ab55bf3f43b1b0f152188d7146cc67ff497ad275d9dd1c20f
03e9adae529155961f1f18212ff70181bde0e3da3d7f22961a6e2b1c9da2dd2e
0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193
14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2
1fed2e1b077af08e73fb5ecffd2e5169d5289a825dcaf2d8742bb8030e487641
21129ad17800b11cdb36906ba7f6105e3bd1cf44575f77df58ba91640ba0cab9
2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41
2daba469f50cd1b77481e605aeae0f28bf14cedfcd8e4369193e5e04c523bc38
49bfff6b91ee71bbf8fd94829391a36b844ffba104c145e01c92732ada52c8ba
4c8671411da91eb5967f408c2a6ff6baf25ff7c40c65ff45ee33b352a711bf9c
5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb
797159c202ca41356bee18c5303d37e9d2a43ca43d0ce02e1fd9e7045b925d11
7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee
84b846a42d94431520d3d2d14262f3d3a5d96762e56b0ae471b853d1603ca403
8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8
92a856a2216e107496ee086e1c8cfe14e15145e7a247539815fd37e5a18b84d9
93e9383ae8ad2371d457fc4c1035157d887a84bbfe66fbbb3769c5637de59c75
953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a
a03a71765b1b0ea7de4fbcb557dcfa995ff9068e92db9b2dada9dd0841203145
a117b2a904c24df62581500176183fbc282a740e4f11976cdfc01fe664a02292
a3ca47e1083b93ea90ace1ca30d9ef71163e8a95ee00500cbd3fd021da0c18af
b75a5be703d9ba3721d046db80f62886e10009b455fa5cdfd73ce78f9f53ec5a
bec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d
c1a0b73bad4ca30a5c18db56c1cba4f5db75f3d53daf62ddc598aae2933345f3
d7e7182f498440945fc8351f0e82ad2d5844530ebdba39051d2205b730400381
dd3da0c596fd699900cdd103f097fe6614ac69787edfa6fa84a8f471ecb836bb
e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09
e3d6057b4c2a7d8fa7250f0781ea6dab4a977551c13fe2f0a86f3519b2aaee7a
f3af394d9c3f68dff50b467340ca59a11a14a3d56361e6cffd1cf2312a7028ad
f622d031207d22c633ccec187a24c50980243cb4717d21fad6588dacbf9c29e9
fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950

NCSC link

https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development

Definitive source of threat updates

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b

CVE Vulnerabilities

Status Master

CVE-2018-13379

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

Status Master

CVE-2019-9670

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.

Status Master

CVE-2019-11510

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .

Status Master

CVE-2019-19781

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

Last edited: 23 July 2020 3:00 pm