Our last release looked at Operation Ghost and the use of steganography to encode malware in a PNG file.
For this week’s TTP Tuesday we are releasing a new APT29 themed chain based on WellMess malware used to target COVID-19 vaccine manufacturers. Both NCSC and CISA released multiple advisories on APT29 targeting vaccine development in early 2020. More information, including YARA rules, can be found in the original reports here and here.
WellMess has a small set of features such as file upload and download, command execution via CMD or execve, and encrypted C2 traffic. Notably, WellMess uses gost (Go Simple Tunnel) for lateral movement. Gost can be used for multi-hop socks5 proxies as well as several other routing and proxy capabilities discussed further on the project page.
This week, our primary chain stages and executes a disarmed WellMess malware sample. We’ve included two additional chains to both set up a gost server and a gost client so you can start routing network traffic through a socks5 proxy. To get started, configure your range with the required gost facts such as server IP and proxy port.
Watch a demonstration: APT29 COVID Vaccine Data
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg