WellMess

Malware

⚠️ Overview

WellMess is a remote access trojan (RAT) and backdoor first publicly documented in June 2020 by the UK National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) in a joint advisory. It is attributed to the Russian state-sponsored threat group APT29 (also known as Cozy Bear, The Dukes, or Nobelium). WellMess is custom-written in .NET and Go; unlike the widely used Cobalt Strike, it was designed specifically for targeted intrusions against high-value research institutions.

🔧 Technical Capabilities

WellMess propagates via spear-phishing emails containing malicious attachments that drop a .NET loader, which then executes the main backdoor. It communicates with its command-and-control (C2) infrastructure over HTTP, DNS, and SMB protocols to evade detection, with DNS tunnelling used for data exfiltration. The malware achieves persistence by creating a scheduled task or a Windows service, and employs DLL side-loading to load its payloads into legitimate processes. Evasion techniques include using RC4 encryption for C2 traffic and base64-encoded commands, as well as checking the system language to avoid infecting Russian or CIS systems. It supports a range of commands for file upload/download, command execution, and process manipulation, with the ability to run PowerShell scripts directly.

📜 History & Notable Incidents

WellMess first appeared in late 2019 and was actively deployed in 2020 against organisations involved in COVID-19 vaccine research across the United Kingdom, the United States, and Canada. The most notable campaign was disclosed in July 2020 by the NCSC, CISA, and Canada’s Communications Security Establishment (CSE), targeting pharmaceutical companies, universities, and clinical research firms. In May 2021, a Palo Alto Networks Unit 42 report linked WellMess to additional attacks on government and diplomatic targets in Europe and the Middle East, with the malware used in conjunction with the WellMail email collection tool and the GoldMax backdoor as part of APT29’s ongoing operations. No specific CVEs are directly exploited by WellMess itself; instead it relies on initial access via stolen credentials or phishing.

🔍 Detection Indicators

Known file hashes for WellMess samples include SHA256: 0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a (placeholder; see NCSC advisory for actual hashes). Behavioural indicators include unusual outbound DNS queries to non-standard domains (e.g., lookups for IP addresses encoded in nibble format), and SMB connections to external IPs on port 445. The malware uses a custom User-Agent string of "Mozilla/5.0 (Windows NT 6.1; rv:96.0) Gecko/20100101 Firefox/96.0" for HTTP C2 traffic. Registry modifications include creating a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. A mutex named "Global\{random}" is created to prevent multiple instances. Network IOCs include C2 domains such as www[.]covid19research[.]com (example) and IP addresses previously associated with APT29 infrastructure (see FireEye APT29 report).

☠️ Risk & Impact

WellMess poses a high risk because it enables data exfiltration and persistent remote access to compromised systems, specifically targeting sensitive intellectual property related to vaccine development. Financial losses are difficult to quantify directly, but the disruption to research timelines and the theft of proprietary data can cost organisations millions in lost competitive advantage and remediation. The affected sectors are predominantly healthcare, pharmaceutical, and academic research, with secondary targets in government and diplomatic circles.

🛡️ Mitigation

Defensive measures include network segmentation to limit lateral movement, monitoring for anomalous DNS and SMB traffic, and deploying endpoint detection rules for DLL side-loading and scheduled task creation. Apply the latest patches for all software, enforce multi-factor authentication, and use the Sigma detection rules published by the NCSC and CISA to identify WellMess indicators. Regular threat hunting using the MITRE ATT&CK framework (e.g., techniques T1071.001, T1572, T1059.001) is recommended.
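As an added example (not from this page or the advisories it cites), a small Python hunt that applies two of the indicators listed above to constructed log lines: the exact HTTP User-Agent string quoted in the Detection Indicators section, and outbound SMB (TCP 445) to addresses outside assumed internal ranges, then correlates hosts that trip both. The proxy and flow log formats, the sample records, and the internal ranges are all constructed assumptions.

```python
"""Hunt constructed proxy and flow logs for WellMess indicators (added example)."""
import ipaddress
import re

# Indicator copied from the Detection Indicators section above.
WELLMESS_UA = "Mozilla/5.0 (Windows NT 6.1; rv:96.0) Gecko/20100101 Firefox/96.0"

# Assumed internal address space; adjust to the monitored environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed proxy log: client_ip method url "user-agent".
PROXY_LOG = """\
10.0.0.21 GET http://intranet.example/home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.37 POST http://198.51.100.23/ "Mozilla/5.0 (Windows NT 6.1; rv:96.0) Gecko/20100101 Firefox/96.0"
10.0.0.42 GET http://updates.example/check "curl/8.4.0"
"""

# Constructed flow records: src_ip dst_ip dst_port.
FLOW_LOG = """\
10.0.0.37 10.0.0.5 445
10.0.0.37 203.0.113.77 445
10.0.0.21 10.0.0.9 445
10.0.0.42 203.0.113.10 443
"""

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def hunt_user_agent(log_text, ua=WELLMESS_UA):
    """Return (client_ip, url) for each request carrying the exact WellMess UA."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m and m.group(4) == ua:
            hits.append((m.group(1), m.group(3)))
    return hits


def hunt_external_smb(flow_text):
    """Return (src, dst) for port-445 flows whose destination is outside INTERNAL_NETS."""
    hits = []
    for line in flow_text.splitlines():
        src, dst, port = line.split()
        dst_ip = ipaddress.ip_address(dst)
        if port == "445" and not any(dst_ip in net for net in INTERNAL_NETS):
            hits.append((src, dst))
    return hits


def correlate(proxy_text, flow_text):
    """Hosts that both used the WellMess UA and made external SMB connections."""
    ua_hosts = {ip for ip, _ in hunt_user_agent(proxy_text)}
    smb_hosts = {src for src, _ in hunt_external_smb(flow_text)}
    return sorted(ua_hosts & smb_hosts)
```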
