WellMail

Description

(NCSC-UK) WellMail is a lightweight tool designed to run commands or scripts with the results being sent to a hardcoded Command and Control (C2) server.

The NCSC has named this malware ‘WellMail’ due to file paths containing the word ‘mail’ and the use of server port 25 present in the sample analysed. Similar to WellMess, WellMail uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers.

The binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell. To our knowledge, WellMail has not been previously named in the public domain.

Names

Name
WellMail

Type

Backdoor

Information

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://blog.talosintelligence.com/2020/08/attribution-puzzle.html

Mitre Attack

https://attack.mitre.org/software/S0515/

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail

Alienvault Otx

https://otx.alienvault.com/browse/pulses?q=tag:WellMail

Other Information

Uuid

011052ce-7891-4761-88ca-b493dcf2f15d

Last Card Change

2022-12-30

Threat Intelligence Garden

Explorer

WellMail

WellMail

Description

Names

Category

Type

Information

Mitre Attack

Malpedia

Alienvault Otx

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks