The Russian cyberespionage group known as APT29 and Cozy Bear is still actively delivering a piece of malware named WellMess, despite the fact that the malware was exposed and detailed last year by Western governments.
WellMess, also known as WellMail, is a lightweight piece of malware that enables its operators to execute shell commands, as well as to upload and download files on the compromised system.
The malware was first described in 2018 when it was spotted in attacks aimed at Japanese organizations, but at the time it was not linked to a specific threat actor.
WellMess was attributed to Russia’s APT29 in 2020, when the United States, the United Kingdom and Canada said it had been used by Russian hackers in attacks aimed at academic and pharmaceutical research institutions involved in COVID-19 vaccine development.
The malware was again mentioned this year, when agencies in the US and UK published a report describing the activities of APT29, which is also believed to be behind the attack on IT management company SolarWinds.
WellMess was mentioned in the report because — apparently in response to the exposure of their operation targeting vaccine makers — the hackers started using an open-source adversary simulation framework named Sliver to maintain access to existing WellMess victims.
The WellMess malware has been used in highly targeted attacks, and despite it being exposed by governments and cybersecurity firms, APT29 is apparently still using it in attacks.
RiskIQ, the threat intelligence company acquired recently by Microsoft, discovered more than 30 command and control (C&C) servers that have been actively used by APT29 to deliver WellMess malware.
While the company is confident that the servers belong to APT29 and they are still actively used to deliver the malware, it does not have enough information to determine how the infrastructure is being used or whom it has been used to target.
RiskIQ discovered the C&C servers based on IP addresses and SSL certificates, using information shared by someone on Twitter in June as a starting point.
“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup,” RiskIQ said in a blog post. “We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples.”
Related: NSA: Russian Hackers Exploiting VPN Vulnerabilities
Related: FBI/DHS Issue Guidance for Network Defenders to Mitigate Russian Gov Hacking