By GoldSparrow in Malware

The WellMess Trojan is a newly spotted threat that was written in Google’s GoLang programming language. It would appear that the creators of the WellMess malware are targeting both Windows and Linux systems. This became evident after cybersecurity researchers spotted the payload of the threat in ELF files, as well as PE files. So far, the WellMess Trojan is targeting users and businesses located in Japan mainly.

This Week In Malware Episode 19 Part 1: Russian APT29 Hackers Target Coronavirus/COVID-19 Vaccine Research Firms

The capabilities of the WellMess Trojan are fairly limited. This threat is able to:

  • Upload files.
  • Download files.
  • Execute arbitrary commands.
  • Launch PowerShell scripts.
  • Despite the rather short list of capabilities, a highly-skilled cybercriminal can do a lot of damage with the WellMess Trojan easily.

Malware researchers speculate that the WellMess Trojan is likely the product of an APT (Advanced Persistent Threat) and the specific APT29 threat, also known as Cozy Bear. This is because low-level cyber crooks seldom go after large companies or target specific geographical regions. Even a fairly limited threat, like the WellMess Trojan, is able to cause significant harm provided that it is utilized by experienced cybercriminals.

When looking at the even smaller picture – when looking at executable files – the number of Java-based malware such as McRAT show that your computer is more vulnerable than you think it is. Though, Java-based malware is falling as the number of people using Java is also dropping. Less individuals and businesses are using Java so the viability of using it as a means to deliver ransomware has dropped. With that said, Golag by Google, which does work on multiple operating systems, is being used to infect computers across Linux and Windows.

JPCERT – a computer security incident response team out of Japan – recently published a report on the WellMess malware. The malware operates on both the WinPE (Windows Preinstallation Environment) and Linux through ELF (Executable and Linkable Format). The WellMess malware gives remote attackers a level of control over target computers. Attackers can run arbitrary commands on infected computers, upload and download files, and run PowerShell scripts to create automated tasks. These commands are transferred to the infected device through RC6 encrypted HTTP POST requests. The virus reports on the outcome of the commands by connecting to a control and command (C2) server through cookies on a browser.

JPCERT put together a tool to decrypt the content of the cookies and show what is being transmitted to the C2 server.

WellMess has been seen in a number of Japanese companies, none of which were named in the report. It is currently unclear if the group behind the malware is specifically targeting Japanese companies or if targets outside of Japan simply haven’t been reported. The C2 servers controlling the infected machines appear to originate in Lithuania, Sweden, China, Hong Kong, and The Netherlands. JPCERT say that attacks using the WellMess malware are continuing even now and corporations should keep an eye out for the virus.

WellMess is hardly the first malware to operate on Linux like it does. With that said, it does highlight the fact that people need to stop blindly believing the notion that threat actors don’t bother creating viruses and malware for Linux because they don’t see it as a viable target. The cross-compilation of tools like Golang make it easier for malware developers to create a mess of problems for Mac, Linux, and Windows alike. If anything, it’s likely that we will only see more malware being developed for these platforms in the future. Linux users, much like Mac and Windows users, should install an antivirus program to protect their devices from WellMess and other malware.

The good news is that there are plenty of free antivirus programs out there for any kind of operating system. You will obviously get more protection from a paid solution, but even a free tool is better than no tool at all. At the very least, you can see for yourself just how vulnerable your machine really is.

If there’s anything to learn from all of this, it’s that WellMess is a very real threat for Linux and Windows users. It gives an attacker remote control over a computer, allowing them to run commands and create automated tasks. Things such as Golang mean that developers will have an easier time creating malware for niche operating systems too, so be sure to take steps to protect your desktop or laptop computer, no matter what operating system it runs.

Despite its limited features, the WellMess malware is not a threat that should be underestimated. Make sure your computer is protected against attackers with the help of a reputable anti-virus software suite. Furthermore, do not forget to apply regular updates to all the applications that are present on your computer. These two acts would go a long way to minimize the risk of your system being infiltrated and your data being collected.


Most Viewed