Experts Uncover Several C&C Servers Linked to WellMess Malware

silversurfer
Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.

More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.

APT29, the moniker assigned to government operatives working for Russia's Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.

RiskIQ said it began its investigation into APT29's attack infrastructure following a public disclosure about a new WellMess C2 server on June 11, leading to the discovery of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, although it's not clear how these servers are being used or who the targets are.

This is not the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers. In April, it unearthed an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware deployed in the attacks.

"RiskIQ's Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29," said Kevin Livelli, RiskIQ's director of threat intelligence. "We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples."