Experts Uncover Several C&C Servers Linked to WellMess Malware

Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been observed actively serving WellMess malware as part of an ongoing attack campaign.

More than 30 C2 servers operated by Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.

APT29, the moniker assigned to government operatives working for Russia's Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.

The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks), citing differences between the tactics, techniques, and procedures (TTPs) employed by the adversary and those of known attacker profiles, including APT29.

First identified by Japan's JPCERT/CC in 2018, WellMess (aka WellMail) has previously been deployed in espionage campaigns undertaken by the threat actor to plunder intellectual property from multiple organizations involved in COVID-19 research and vaccine development in the U.K., U.S., and Canada.

"The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain," the U.K.'s National Cyber Security Centre (NCSC) noted in an advisory published in July 2020.

RiskIQ said it began its investigation into APT29's attack infrastructure following a public disclosure about a new WellMess C2 server on June 11, leading to the discovery of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, although it is not clear how these servers are being used or who the targets are.

This isn't the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers. In April, it unearthed an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware deployed in the attacks.

"RiskIQ's Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29," said Kevin Livelli, RiskIQ's director of threat intelligence. "We were unable to locate any malware which communicated with this infrastructure, but we suspect it's likely similar to previously identified samples."
