By GoldSparrow in Malware

The WellMail malware is a hacking tool that belongs to the arsenal of the notorious Cozy Bear APT (Advanced Persistent Threat) group, also tracked as APT29, CozyDuke, Office Monkeys and The Dukes. The group regularly makes headlines because it is known to go after very high-profile targets.


The Cozy Bear group has stayed true to its established style in its latest campaign. This time, APT29 has targeted medical and research institutions in the United Kingdom, the United States and Canada, concentrating on the specific facilities and faculties responsible for Coronavirus research: organizations working on a vaccine or a treatment for COVID-19. According to malware analysts, the group is using the WellMail tool in this campaign. The threat is written in the Go programming language, which is unusual for Cozy Bear, whose earlier tooling was not written in Go.

Once APT29 has compromised a target system, it deploys one of three tools: WellMail, SoreFang or WellMess. WellMail serves as a first-stage payload whose job is to collect data from the infected host; the attackers are most likely after sensitive, unpublished research concerning a potential COVID-19 treatment or vaccine. WellMail can execute commands and scripts sent by the attackers' C&C (Command and Control) server. The output of each command is written to a log file, which is then exfiltrated to the C&C server.

Cozy Bear is unlikely to retire any time soon. The group has been active since at least 2008, and the UK's NCSC, together with its US and Canadian partner agencies, has assessed that it is almost certainly part of the Russian intelligence services, an attribution that many cybersecurity researchers share.

