Skip to main content

WellMail Remote Access Trojan

First seen in early July 2020, WellMail is an ATP29 developed remote access trojan spread through attacks on publicly exposed Internet services. It is able to run commands and scripts passed from an attacker on any infected system.

Threat ID:
CC-3569
Category:
Trojan
Threat Severity:
Medium
Threat Vector:
Drive by download, Exploit, Insecure network, Spear phishing
Published:
22 July 2020 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

First seen in early July 2020, WellMail is an ATP29 developed remote access trojan spread through attacks on publicly exposed Internet services. It is able to run commands and scripts passed from an attacker on any infected system.

Affected platforms

The following platforms are known to be affected:

Versions: all

Microsoft Windows

Threat details

Introduction

WellMail is a newly observed Go-based remote access trojan (RAT) believed to have been created by the APT29 advanced persistent threat group for use in their own campaigns.

COVID-19 Vaccine Campaigns

Beginning in early 2020, APT29 started conducting campaigns using WellMess, among other tools, against COVID-19 vaccine research and development organisations.

Delivery

As with other APT29-developed tools, WellMail is delivered after a period of extensive target identification and network reconnaissance. The group then deploys a number of publicly available exploits against any exposed services. Services exploited include Pulse Secure and Fortigate VPNs or Citrix gateway appliances.

APT29 will also use sophisticated spear-phishing attacks to obtain credentials for internet-facing login pages.

Activities

Once delivered, WellMail will attempt to connect to a command and control (C2) server over HTTPS using hard-coded TLS certificates apparently stolen from GlobalSign. If successful, it will then await further commands from an APT29 operator.

WellMail is able to execute commands and scripts passed from the C2, and can also act as backdoor to provide APT29 remote access to an affected system.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

IP addresses

  • 103.216.221[.]19
  • 119.81.184[.]11
  • 185.225.226[.]16
  • 188.241.68[.]137
  • 45.129.229[.]48
Host indicators

SHA256 hashes

  • 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494
  • 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18

Last edited: 3 August 2020 10:27 am