TTP Tuesday: APT29 - COVID-19 Vaccine Data

Execute a disarmed WellMess malware sample

Mar 22, 2022

Theme Overview

Our last release looked at Operation Ghost and the use of steganography to encode malware in a PNG file.

For this week’s TTP Tuesday we are releasing a new APT29 themed chain based on WellMess malware used to target COVID-19 vaccine manufacturers. Both NCSC and CISA released multiple advisories on APT29 targeting vaccine development in early 2020. More information, including YARA rules, can be found in the original reports here and here.

WellMess

WellMess has a small set of features such as file upload and download, command execution via CMD or execve, and encrypted C2 traffic. Notably, WellMess uses gost (Go Simple Tunnel) for lateral movement. Gost can be used for multi-hop socks5 proxies as well as several other routing and proxy capabilities discussed further on the project page.

This week, our primary chain stages and executes a disarmed WellMess malware sample. We’ve included two additional chains to both set up a gost server and a gost client so you can start routing network traffic through a socks5 proxy. To get started, configure your range with the required gost facts such as server IP and proxy port.

Check it out on the Prelude chains website.

Watch a demonstration:

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

f33d by Prelude

Discussion about this post