Experts Unearth Several C&C Servers Linked to WellMess Malware

WellMess Malware
Share It On:

2nd August 2021, Kathmandu

Cybersecurity researchers on Friday unmasked incipient command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively accommodating WellMess malware as a component of a perpetual attack campaign.

More than 30 C2 servers operated by the Russian peregrine perspicacity have been denuded, Microsoft-owned cybersecurity subsidiary RiskIQ verbally expressed in a report shared with The Hacker News.

APT29, the moniker assigned to regime operatives working for Russia’s Peregrine Perspicacity Accommodation (SVR), is believed to have been the mastermind abaft the massive SolarWinds supply chain attack that came to light tardy last year, with the U.K. and U.S. regimes formally pinning the intrusions on Russia earlier this April.

The activity is being tracked by the cybersecurity community under sundry codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks), citing differences in the tactics, techniques, and procedures (TTPs) employed by the adversary with that of kenned assailer profiles, counting APT29.

First identified by Japan’s JPCERT/CC in 2018, WellMess (aka WellMail) has been anteriorly deployed in espionage campaigns undertaken by the threat actor to plunder perspicacious property from multiple organizations involved in COVID-19 research and vaccine development in the U.K., U.S., and Canada.

“The group utilizes a variety of implements and techniques to predominantly target governmental, diplomatic, cerebrate-tank, healthcare and energy targets for astuteness gain,” the U.K.’s National Cyber Security Centre (NCSC) noted in an advisory published in July 2020.

RiskIQ verbally expressed it commenced its investigation into APT29’s assailment infrastructure following a public disclosure about an incipient WellMess C2 server on June 11, leading to the revelation of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, albeit it’s not clear how these servers are being used or who the targets are.

This is not the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers. In April, it unearthed an adscititious set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads distributed via the TEARDROP and RAINDROP malware deployed in the assailants.

“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29,” verbally expressed Kevin Livelli, RiskIQ’s director of threat perspicacity. “We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely akin to aforetime identified samples.”


Share It On:

Recent Posts

Child Online Protection in Nepal: Insights From UNICEF and ChildSafeNet Dialogue

Child Online Protection in Nepal: Insights From UNICEF and ChildSafeNet

Share It On:21st December 2024, Kathmandu A high-level dialogue on child online protection organized by UNICEF, in partnership with ChildSafeNet,

Support Your NPL Team With Ncell’s Exclusive PRBTs

Support Your NPL Team With Ncell’s Exclusive PRBTs

Share It On:20th December 2024, Kathmandu As the finale of the Nepal Premier League (NPL), the ‘Festival of the Himalayas,’

Garima Bank Cash Dividend Proposal: 5% for Shareholders

Garima Bank Cash Dividend Proposal: 5% for Shareholders

Share It On: 20th December 2024, Kathmandu Garima Bikas Bank has announced its decision to offer a cash dividend to

Citizens Bank and SM Dental Partnership: Exclusive Discounts for Digital Payment Users

Citizens Bank and SM Dental Partnership: Exclusive Discounts for Digital

Share It On: 20th December 2024, kathmandu Citizens Bank International Limited has formed a strategic partnership with SM Dental and

Nabil Bank Toll-Free Number for Easy Banking Support: 24/7 Access to Assistance

Nabil Bank Toll-Free Number for Easy Banking Support: 24/7 Access

Share It On: 20th December 2024, kathmandu Nabil Bank Limited has rolled out a new initiative to improve customer support

Ncell Unlimited Data Saapati: 1-Day Internet for Prepaid Users with Low Balance

Ncell Unlimited Data Saapati: 1-Day Internet for Prepaid Users with

Share It On:20th December 2024, kathmandu  Ncell has started to provide Unlimited Data as Saapati, enabling customers to stay online