f33d by Prelude

Share this post
TTP Tuesday: APT29 - COVID-19 Vaccine Data
feed.prelude.org

TTP Tuesday: APT29 - COVID-19 Vaccine Data

Execute a disarmed WellMess malware sample

Octavia Johnston
Mar 22
Comment
Share

Theme Overview

Our last release looked at Operation Ghost and the use of steganography to encode malware in a PNG file.

For this week’s TTP Tuesday we are releasing a new APT29 themed chain based on WellMess malware used to target COVID-19 vaccine manufacturers. Both NCSC and CISA released multiple advisories on APT29 targeting vaccine development in early 2020. More information, including YARA rules, can be found in the original reports here and here.

WellMess

WellMess has a small set of features such as file upload and download, command execution via CMD or execve, and encrypted C2 traffic. Notably, WellMess uses gost (Go Simple Tunnel) for lateral movement. Gost can be used for multi-hop socks5 proxies as well as several other routing and proxy capabilities discussed further on the project page.

This week, our primary chain stages and executes a disarmed WellMess malware sample. We’ve included two additional chains to both set up a gost server and a gost client so you can start routing network traffic through a socks5 proxy. To get started, configure your range with the required gost facts such as server IP and proxy port.

Check it out on the Prelude chains website.

Watch a demonstration:

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: http://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Kris: https://twitter.com/Xanthonus
Octavia: https://twitter.com/VV_X_7
Sam: https://twitter.com/wasupwithuman

CommentComment
ShareShare

Create your profile

0 subscriptions will be displayed on your profile (edit)

Skip for now

Only paid subscribers can comment on this post

Already a paid subscriber? Sign in

Check your email

For your security, we need to re-authenticate you.

Click the link we sent to , or click here to sign in.

TopNewCommunity

No posts

Ready for more?

© 2022 Prelude Research, Inc.
Privacy ∙ Terms ∙ Collection notice
Publish on Substack Get the app
Substack is the home for great writing