Sunday, September 8, 2024
HomeCyber Security NewsRussian APT29 Used 30+ C&C Servers Uncovered Linked to "WellMess" Malware

Russian APT29 Used 30+ C&C Servers Uncovered Linked to “WellMess” Malware

Published on

Researchers from RISKIQ uncovered more than 30 commands & control server infrastructure actively serving malware known as “WellMess/WellMail”.

These C2 servers belong to Russian APT29 group hackers, and the gang was identified nearly a year back by the UK, US, and Canadian governments issued a joint advisory.

APT29(YTTRIUM, THE DUKES, COZY BEAR) group explicitly believed to be associated with Russia’s Foreign Intelligence Services (SVR) and the malware previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada.

- Advertisement - EHA

Identified command & control servers are actively serving WellMess malware against highly targeted victims.

“The activity uncovered was notable given the context in which it appeared, coming on the heels of a public reproach of Russian hacking by President Joe Biden in a recent summit with President Vladimir Putin.” RISKIQ said.

‘WellMess’ is a custom malware used to target the number of victims globally, and the group is mainly using the recently published exploits to gain initial footholds.

A Tweets Leads to the Way

Researchers’ investigation begins with the Tweet that contains an indicator about the command and control server and the signed certificate.

Further analysis leads to uncovering several additional IP addresses and  Certificates, also revealed that the C2 server associated with the APT29 and WellMess.

The identified C2 infrastructure is actively used by APT 29, Also found new IP addresses residing in the same networks.

“Building on that discovery, RiskIQ’s Team Atlas was then able to leverage RiskIQ’s Internet Intelligence Graph to link the following SSL Certificates and IP addresses to APT29 C2 infrastructure with high confidence.”

When researchers examined the banners returned from HTTP requests made to the servers, they were able to found an entirely separate group of malicious certificates and IP addresses.

You can explore the full list of these IOCs Here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...