1. Home
  2. Software
  3. WellMail

WellMail

WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.[1][2]

ID: S0515
Type: MALWARE
Platforms: Windows
Contributors: Josh Campbell, Cyborg Security, @cyb0rgsecur1ty
Version: 1.0
Created: 29 September 2020
Last Modified: 09 October 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

WellMail can archive files on the compromised host.[1]
Enterprise T1005 Data from Local System

WellMail can exfiltrate files from the victim machine.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

WellMail can decompress scripts received from C2.[1]
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.[1][2]
Enterprise T1105 Ingress Tool Transfer

WellMail can receive data and executable scripts from C2.[1]
Enterprise T1095 Non-Application Layer Protocol

WellMail can use TCP for C2 communications.[1]
Enterprise T1571 Non-Standard Port

WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.[1][2]
Enterprise T1016 System Network Configuration Discovery

WellMail can identify the IP address of the victim system.[1]
Enterprise T1033 System Owner/User Discovery

WellMail can identify the current username on the victim system.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3]

References

  1. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  2. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  1. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.