2 August 2021

APT29 still actively serving WellMess malware used in cyberespionage campaign targeting COVID-19 vaccine research

Despite the WellMess malware being exposed by Western governments and cybersecurity firms, the cyberespionage group APT29 is still actively using it, researchers at RiskIQ found. They said they discovered more than 30 command-and-control (C2) servers under control of APT29 that were delivering WellMess (aka WellMail).

APT29, which is also tracked as Cozy Bear, Yttrium, and The Dukes, is believed to be an extension of the Russian intelligence services (SVR). It is also believed to have orchestrated a series of cyberattacks, including the breach of the IT management company SolarWinds last year.

WellMess was first spotted in attacks against Linux and Windows servers in 2018, although at the time the malware was not attributed to any specific hacker group. However, in 2020 the malware was linked to APT29 in a joint report released by security agencies from the US, the UK and Canada describing a cyberespionage campaign targeting organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom.

“Because APT29 uses WellMess in a highly targeted fashion, signs of the malware and its command-and-control servers are relatively rare,” RiskIQ said.

The researchers noted that, while much of the discovered APT29 command-and-control infrastructure is still in active use, they do not have enough information to determine how the infrastructure is being used or whom it has been used to target.

“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup. We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples,” the researchers said.

Their report also provides Indicators of Compromise associated with APT29 activities.
