The Russian hacking group "APT29", also known as "The Dukes" or "Cozy Bear", is a classified advanced threat, which is said to be connected to the Russian secret service.
In our blog post we would like to discuss the recent methods, techniques and procedures of this group.
The UK's National Cyber Security Center (NCSC) and Canada's Communications Security Establishment (CSE) believe that APT29 (aka "The Dukes" or "Cozy Bear") is a cyber espionage group, which almost certainly belongs to the Russian secret services.
The United States National Security Agency (NSA) approves of this attribution and the information contained in this report.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) agrees with the technical details and mitigation advice in this advisory.
The group employs a variety of tools and techniques to achieve intelligence-gathering objectives, primarily in the areas of government, diplomacy, think tanks, healthcare and energy.
Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, most likely with the intention of sharing information and intellectual property related to the Stealing COVID-19 vaccine development and testing.
APT29 deploys custom malware called "WellMess" and "WellMail" to target a range of organizations worldwide. This includes the organizations involved in the development of COVID-19 vaccines. WellMess and WellMail have not been publicly associated with APT29.
The APT29 group often uses publicly available ones exploitsto widespread scans and attacks on vulnerable systems
to perform, probably in an effort to obtain authentication credentials that allow further access. This broad focus gives the group potentially access to a large number of systems worldwide, many of which are unlikely to be of immediate intelligence value. The group may keep a stash of stolen credentials to access these systems should they become more relevant to their needs in the future.
In the recent attacks on COVID-19 vaccine research and development, the group performed basic vulnerability scans against specific external IP addresses owned by the organizations. The group then deployed public exploits against the identified vulnerable services.
The group was successful when they found their first successes with recently released exploits. Examples include:
The group is most likely eager to fully utilize a variety of new achievements when it is released. More information on these exploits can be found in previous NCSC advisory on Citrix- and VPN vulnerabilities [1,2].
The group also uses spear phishing to obtain authentication credentials for target organizations' web-facing login pages.
If the group gains access to a system, they are likely to leave behind additional tools and/or attempt to gain legitimate permissions to the compromised systems in order to maintain persistent access. The attacker will most likely use anonymization services when using the stolen access data.
In some cases, APT29 also deploys custom malware called WellMess or WellMail to perform further intrusions into the victim's system.
WellMess is malware written in either Golang or .NET and has been in use since at least 2018. WellMess was first announced in July 2018 by JPCERT- and LAC researchers reported[4][5]. It is named after one of the function names in the malware - 'wellmess'. WellMess is lightweight malware designed to execute arbitrary shell commands and upload and download files. The malware supports HTTP, TLS, and DNS communication methods.
WellMess Indicators of Compromise (IOCs) are available in the appendix.
WellMail is a simple tool for running commands or scripts, the results of which are sent to a hard-coded Command and Control (C2) server. The NCSC named this malware “WellMail” due to the file paths that contain the word “Mail” and the use of server port 25 present in the analyzed sample. Similar to WellMess, WellMail uses hard-coded client and CA TLS certificates to communicate with C2 servers. The binary is an ELF utility written in Golang that receives a command or script to be run from the Linux shell. As far as we are aware, WellMail has not been publicly credited.
IOCs for WellMail are available in the attachment.
The WellMess and WellMail samples contained TLS certificates with the hardcoded SubjectKeyIdentifier (SKI) '0102030406' and used the subjects 'C=Tunis, O=IT' and 'O=GMO GlobalSign, Inc' respectively. These certificates can be used to identify other malware samples and infrastructure. Servers with this GlobalSign Certificate subject can be used for other functions in addition to WellMail malware communication.
Malware, referred to as “SoreFang” by the NCSC, is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. The sample analyzed by the NCSC contains the same infrastructure as a WellMess sample (103.216.221[.]19).
SoreFang is likely to target SangFor devices. Industry reports indicate that other players, allegedly including DarkHotel, have also targeted SangFor devices. Therefore, not all SangFor exploitation activity is related to APT29 targeting.
APT29 will likely continue to target organizations involved in COVID-19 vaccine research and development as they attempt to answer additional intelligence questions related to the pandemic.
Organizations are strongly encouraged to use the Rules and IOCs listed in the Appendix to uncover the activities described in this publication.
00654dd07721e7551641f90 cba832e98c0acb030e2848 e5efc0e1752c067ec07 |
0322c4c2d511f73ab55bf3f 43b1b0f152188d7146cc67ff 497ad275d9dd1c20f |
03e9adae529155961f1f182 12ff70181bde0e3da3d7f2 2961a6e2b1c9da2dd2e |
0b8e6a11adaa3df120ec158 46bb966d674724b6b92e ae34d63b665e0698e0193 |
14e9b5e214572cb13ff8772 7d680633f5ee238259043 357c94302654c546cad2 |
1fed2e1b077af08e73fb5ec ffd2e5169d5289a825dcaf 2d8742bb8030e487641 |
21129ad17800b11cdb369 06ba7f6105e3bd1cf44575 f77df58ba91640ba0cab9 |
2285a264ffab59ab5a1eb 4e2b9bcab9baf26750b6c 551ee3094af56a4442ac41 |
2daba469f50cd1b77481e 605aeae0f28bf14cedfcd8 e4369193e5e04c523bc38 |
49bfff6b91ee71bbf8fd94 829391a36b844ffba104c 145e01c92732ada52c8ba |
4c8671411da91eb5967f40 8c2a6ff6baf25ff7c40c65 ff45ee33b352a711bf9c |
5ca4a9f6553fea64ad2c7 24bf71d0fac2b372f9e7c e2200814c98aac64717 2fb |
797159c202ca41356bee1 8c5303d37e9d2a43ca43 d0ce02e1fd9e7045b925 d11 |
7c39841ba409bce4c2c 35437ecf043f2291098 4325c70b9530edf15d8 26147ee |
xnumxbxnumxaxnumxdxnumx 0d3d2d14262f3d3a5d 96762e56b0ae471b85 3d1603ca403 |
8749c1495af4fd73ccfc 84b32f56f5e78549d8 1feefb0c1d1c3475a74 345f6a8 |
92a856a2216e107496 ee086e1c8cfe14e1514 5e7a247539815fd37e 5a18b84d9 |
93e9383ae8ad2371d 457fc4c1035157d887 a84bbfe66fbbb3769 c5637de59c75 |
953b5fc9977e2d50f3 f72c6ce85e8942893 7117830c0ed67d468 e2d93aa7ec9a |
a03a71765b1b0ea7de4 fbcb557dcfa995ff906 8e92db9b2dada9dd0 841203145 |
a117b2a904c24df625 81500176183fbc282a 740e4f11976cdfc01fe 664a02292 |
a3ca47e1083b93ea90 ace1ca30d9ef71163e8 a95ee00500cbd3fd0 21da0c18af |
b75a5be703d9ba3721 d046db80f62886e10 009b455fa5cdfd73ce 78f9f53ec5a |
bec1981e422c1e01c14 511d384a33c9bcc66 456c1274bbbac073d a825a3f537d |
c1a0b73bad4ca30a5 c18db56c1cba4f5db 75f3d53daf62ddc59 8 aae2933345f3 |
d7e7182f49844094 5fc8351f0e82ad2d5 844530ebdba39051 d2205b730400381 |
dd3da0c596fd6999 00cdd103f097fe661 4ac69787edfa6fa8 4a8f471ecb836bb |
e329607379a0148 3fc914a47c0062d 5a3a8d8d65f777fb ad2c5a841a90a0af09 |
e3d6057b4c2a7d8 fa7250f0781ea6da b4a977551c13fe2f 0a86f3519b2aaee7a |
f3af394d9c3f68dff 50b467340ca59a1 1a14a3d56361e6c ffd1cf2312a7028ad |
f622d031207d22c 633ccec187a24c5 0980243cb4717d2 1fad6588dacbf9c29e9 |
fd3969d32398bbe 3709e9da5f83269 35dde664bbc3675 3bd41a0b111712c0950 |
103.103.128[.]221 |
103.13.240[.]46 |
103.205.8[.]72 |
103.216.221[.]19 |
103.253.41[.]102 |
103.253.41[.]68 |
103.253.41[.]82 |
103.253.41[.]90 |
103.73.188[.]101 |
111.90.146[.]143 |
111.90.150[.]176 |
119.160.234[.]163 |
119.160.234[.]194 |
119.81.173[.]130 |
119.81.178[.]105 |
120.53.12[.]132 |
122.114.197[.]185 |
122.114.226[.]172 |
141.255.164[.]29 |
141.98.212[.]55 |
145.249.107[.]73 |
146.0.76[.]37 |
149.202.12[.]210 |
169.239.128[.]110 |
176.119.29[.]37 |
178.211.39[.]6 |
185.120.77[.]166 |
185.145.128[.]35 |
185.99.133[.]112 |
191.101.180[.]78 |
192.48.88[.]107 |
193.182.144[.]105 |
202.59.9[.]59 |
209.58.186[.]196 |
209.58.186[.]197 |
209.58.186[.]240 |
220.158.216[.]130 |
27.102.130[.]115 |
31.170.107[.]186 |
31.7.63[.]141 |
45.120.156[.]69 |
45.123.190[.]167 |
45.123.190[.]168 |
45.152.84[.]57 |
46.19.143[.]69 |
5.199.174[.]164 |
66.70.247[.]215 |
79.141.168[.]109 |
81.17.17[.]213 |
85.93.2[.]116 |
rule wellmess_dotne t_unique_strings { |
finish line: |
description = “Rule t o detect WellMess .NET samples based on unique strings and function/variable names” |
author = “NCSC” |
hash = “2285a264ffab59 ab5a1eb4e2b9bca b9baf26750b6c55 1ee3094af56a4442ac41” |
string: |
$s1 = “MaxPostSize” wide |
$s2 = “HealthInterval” wide |
$s3 = “Hello from Proxy” wide |
$s4 = “Start bot:” wide |
$s5 = “Choise” ascii wide |
$s7 = “FromNormalToBase64” ascii |
$s8 = “FromBase64ToNormal” ascii |
$s9 = “ConvBytesToWords” ascii |
$s10 = “WellMess” ascii |
$s11 = “chunksM” ascii |
conditions: |
uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550 and 3 of them |
} |
rule wellmess_ botlib_ function_names { | ||||||||||||||||||||||||||||||||||||||||||||||||
finish line: | ||||||||||||||||||||||||||||||||||||||||||||||||
description = “Rule to detect WellMess Golang samples based on the function names used by the actor” | ||||||||||||||||||||||||||||||||||||||||||||||||
author = “NCSC” | ||||||||||||||||||||||||||||||||||||||||||||||||
hash = “8749c1495af4fd73 ccfc84b32f56f5e7 8549d81feefb0c1d 1c3475a74345f6a8” | ||||||||||||||||||||||||||||||||||||||||||||||||
string: | ||||||||||||||||||||||||||||||||||||||||||||||||
$s1 = “botlib.wellMess” ascii wide | ||||||||||||||||||||||||||||||||||||||||||||||||
$s2 = “botlib.saveFile” ascii wide | ||||||||||||||||||||||||||||||||||||||||||||||||
$s3 = “botlib.reply” ascii wide | ||||||||||||||||||||||||||||||||||||||||||||||||
$s4 = “botlib.init” ascii wide
|
rule wellmess_ certificate_base64_ snippets { |
finish line: |
description = “Rule for detection of WellMess based on base64 snippets of certificates used” |
author = “NCSC” |
hash = “8749c1495af4fd7 3ccfc84b32f56f5e7 8549d81feefb0c1d1c3 475a74345f6a8” |
string: |
$a1 = “BgNVHQ4E BwQFAQIDBA” |
$a2 = “YDVR0OBA cEBQECAwQG” |
$a3 = “GA1UdDgQH BAUBAgMEB” |
$b1 = “BgNVBAYTBVR1bm lzMQswCQYDVQQKEw JJVD” |
$b2 = “YDVQQGEwVUdW5 pczELMAkGA1UEC hMCSVQx” |
$b3 = “GA1UEBhMFVH VuaXMxCzAJBgN VBAoTAklUM” |
conditions: |
((uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550) or uint32(0) == 0x464c457f) and any of ($a*) and any of ($b*) |
} |
rule wellmess_ regex_used_for_parsing_ beacons { |
finish line: |
description = “Detects WellMess Golang and .NET samples based on the regex they used to parse commands and beacon information” |
author = “NCSC” |
hash = “8749c1495af4fd73c cfc84b32f56f5e7854 9d81feefb0c1d1c347 5a74345f6a8” |
string: |
$a = “fileName:(?.*?)\\sargs:(?.*)\\snotwait:(?.*)” ascii wide |
$b = “<;(?[^;]*?);>(?[^<]*?)<;[^;]*?;>” ascii wide |
conditions: |
((uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550) or uint32(0) == 0x464c457f) and any of them |
} |
83014ab5b3f63b0253cd ab6d715f5988ac901457 0fa4ab2b267c7cf9ba23 7d18 (UPX) |
0c5ad1e8fe43583e2792 01cdb1046aea742bae5 9685e6da24e963a41d f987494 (Unpacked) |
103.216.221.19
119.81.184[.]11 |
185.225.226[.]16 |
188.241.68[.]137 |
45.129.229[.]48 |
rule wellmail_unique_ string { |
meta: description = “Rule for detection of WellMail based on unique strings contained in the binary” |
author = “NCSC” |
hash = “0c5ad1e8fe4358 3e279201cdb1046aea742ba e59685e6da24e963a4 1df987494” |
string: |
$a = “C:\\Server\\Mail\\ App_Data\\Temp\\ agent.sh\\src” |
$b = “C:/Server/Mail/ App_Data/Temp/ agent.sh/src/main.go” |
$c = “HgQdbx4qRNv” |
$d = “042a51567eea19d5 aca71050b4535d33 d2ed43ba” |
$e = “main.zipit” |
$f = “@[^\\s]+?\\s(?P.*?)\\s” |
conditions: |
uint32(0) == 0x464C457F and 3 of them |
} |
rule wellmail_certificate_ base64_snippets { |
meta: description = “ Rule for detection of WellMail based on base64 snippets of certificates used” |
author = “NCSC” |
hash = “0c5ad1e8fe43583 e279201cdb1046ae a742bae59685e6d a24e963a41df987494” |
string: |
$a1 = “BgNVHQ4EB wQFAQIDBA” |
$a2 = “YDVR0OBAc EBQECAwQG” |
$a3 = “GA1UdDgQ HBAUBAgMEB” |
$b1 = “BgNVBAoTE0dNTy BHbG9iYWxTaWd uLCBJbm” |
$b2 = “YDVQQKExNHTU 8gR2xvYmFsU2lnbi wgSW5j” |
$b3 = “GA1UEChMTR01 PIEdsb2JhbFNpZ 24sIEluY” |
conditions: |
uint32(0) == 0x464C457F and any of ($a*) and any of ($b*) |
} |
58d8e65976b53b7764 5c248bfa18c3b87a6ec fb02f306fe6ba4944db 96a5ede2 |
65495d173e3056256 96051944a36a031ea9 4bb3a4f13034d8be74 0982bc4ab75 |
a4b790ddffb3d2e669 1dcacae08fb0bfa1ae 56b6c73d70688b097 ffa831af064 |
103.216.221[.]19
rule sorefang_directory_enumeration_output_strings { |
finish line: |
description = “Rule to detect SoreFang based on formatted string output for directory enumeration” |
author = “NCSC” |
hash = “58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2” |
string: |
$ = “———-All users directory———-“ |
$ = “———-Desktop directory———-“ |
$ = “———-Documents directory———-“ |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them |
} |
rule sorefang_encryption_key_2b62 { |
finish line: |
description = “Rule to detect SoreFang based on hardcoded encryption key” |
author = “NCSC” |
hash = “58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2” |
string: |
$ = “2b6233eb3e872ff78988f4a8f3f6a3ba” |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them |
} |
rule sorefang_encryption_key_schedule { |
finish line: |
description = “Rule to detect SoreFang based on the key schedule used for encryption” |
author = “NCSC” |
hash = “58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2” |
string: |
$ = {C7 05 ?? ?? ?? ?? 63 51 E1 B7 B8 BC D1 3B 01 8B 48 FC 81 E9 47 86 C8 61 89 08 83 C0 04 3D ?? ?? ?? ?? 7E EB 33 D2 33 C9 B8 2C 00 00 00 89 55 D4 33 F6 89 4D D8 33 DB 3B F8 0F 4F C7 8D 04 40 89 45 D0 83 F8 01 7C 4F 0F 1F 80 00 00 00 00} |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them |
} |
rule sorefang_command_elem_cookie_ga_boundary_string { |
finish line: |
description = “Rule to detect SoreFang based on scheduled task element and Cookie header/boundary strings” |
author = “NCSC” |
hash = “58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2” |
string: |
$ = " ” wide |
$=“Cookie:_ga=” |
$ = “——974767299852498929531610575” |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 2 of them |
} |
rule sorefang_encryption_round_function { |
finish line: |
description = “Rule to detect SoreFang based on the encryption round function” |
author = “NCSC” |
hash = “58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2” |
string: |
$ = {8A E9 8A FB 8A 5D 0F 02 C9 88 45 0F FE C1 0F BE C5 88 6D F3 8D 14 45 01 00 00 00 0F AF D0 0F BE C5 0F BE C9 0F AF C8 C1 FA 1B C0 E1 05 0A D1 8B 4D EC 0F BE C1 89 55 E4 8D 14 45 01 00 00 00 0F AF D0 8B C1} |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them |
} |
rule sorefang_add_random_commas_spaces { |
finish line: |
description = “Rule to detect SoreFang based on function that adds commas and spaces” |
author = “NCSC” |
hash = “58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2” |
string: |
$ = {E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B CE 83 FA 04 7E 09 6A 02 68 ?? ?? ?? ?? EB 07 6A 01 68 ?? ?? ?? ??} |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them |
} |
rule sorefang_modify_alphabet_custom_encode { |
finish line: |
description = “Rule to detect SoreFang based on arguments passed into custom encoding algorithm function” |
author = “NCSC” |
hash = “58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2” |
string: |
$ = {33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64} |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them |
} |
$ = {E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B CE 83 FA 04 7E 09 6A 02 68 ?? ?? ?? ?? EB 07 6A 01 68 ?? ?? ?? ??} |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them |
} |
rule sorefang_custom_encode_decode { |
finish line: |
description = “Rule to detect SoreFang based on the custom encoding/decoding algorithm function” |
author = “NCSC” |
hash = “58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2” |
string: |
$ = {55 8B EC 8B D1 53 56 8B 75 08 8B DE 80 42 62 FA 8A 4A 62 66 D3 EB 57 3A 5A 5C 74 0F} |
$ = {3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE C1 88 4A 62 8A 4A 62 B8 01 00 00 00} |
$ = {8A 46 62 84 C0 74 3E 3C 06 73 12 0F B6 C0 B9 06 00 00 00 2B C8 C6 46 62 06 66 D3 66 60 0F B7 4E 60} |
$ = {80 3C 38 0D 0F 84 93 01 00 00 C6 42 62 06 8B 56 14 83 FA 10 72 04 8B 06} |
$ = {0F BE 0C 38 8B 45 EC 0F B6 40 5B 3B C8 75 07 8B 55 EC B3 3E} |
$ = {0F BE 0C 38 8B 45 EC 0F B6 40 5E 3B C8 75 0B 8B 55 EC D0 EB C6 42 62 05} |
$ = {8B 55 EC 0F BE 04 38 0F B6 DB 0F B6 4A 5F 3B C1 B8 3F 00 00 00 0F 44 D8} |
$ = {8A 4A 62 66 8B 52 60 66 D3 E2 0F B6 C3 66 0B D0 8B 45 EC 66 89 50 60 8A 45 F3 02 C1 88 45 F3 3C 08 72 2E 04 F8 8A C8 88 45 F3 66 D3 EA 8 B4D 08 0F B6 C2 50} |
$ = {3A 5A 5C 74 0F 3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE C1 88 4A 62} |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them |
} |
rule sorefang_remove_chars_comma_space_dot { |
meta: description = “Rule to detect SoreFang based on function that removes commas, spaces and dots” |
author = “NCSC” |
hash = “58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2” |
string: |
$ = {8A 18 80 FB 2C 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} |
$ = {8A 18 80 FB 2E 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} |
$ = {8A 18 80 FB 20 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them |
} |
rule sorefang_disk_enumeration_strings { |
finish line: |
description = “Rule to detect SoreFang based on disk enumeration strings” |
author = “NCSC” |
hash = “a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064” strings: |
$ = “\x0D\x0AFree on disk: “ |
$ = “Total disk: “ |
$ = “Error in GetDiskFreeSpaceEx\x0D\x0A” |
$ = “\x0D\x0AVolume label: “ |
$ = "Serial number: " |
$ = "File system: " |
$ = “Error in GetVolumeInformation\x0D\x0A” |
$ = “I can't get the information about this disk\x0D\x0A” |
conditions: |
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them |
} |
[1] https://www.ncsc.gov.uk/news/citrix-alert
[2] https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-9670
[4] https://blogs.jpcert.or.jp/en/2018/ 07/malware-wellmes-9b78.html
[5] https://www.botconf.eu/wp-content/uploads/2018/12/ 2018-Y-Ishikawa-S-Nagano- Lets-go-with-a-Go-RAT-_final.pdf
A number of countermeasures will be useful in defending against the attacks described in this report:
