Researchers at RiskIQ, the threat intelligence firm acquired by Microsoft, have identified new command-and-control (C2) infrastructure used by the APT29 group (also known as Cozy Bear) to distribute WellMess malware in an ongoing campaign.
In total, the researchers found more than thirty servers attributed to APT29, the prime suspect in last year's high-profile supply-chain attack on SolarWinds.
First documented in 2018 by Japan's JPCERT/CC, WellMess (often reported alongside the related but distinct WellMail implant) was previously used in espionage campaigns aimed at stealing intellectual property from organizations in the UK, USA and Canada, including those developing vaccines against COVID-19 …
RiskIQ began its investigation of the APT29 infrastructure after a WellMess C2 server was reported on June 11 and, by pivoting from it, identified a whole cluster of servers. One of the servers has been active since October 9, 2020, but it is not yet clear how these servers were used, nor who the victims of the attacks were.
This is not the first time RiskIQ has uncovered parts of the C2 infrastructure belonging to the group behind the SolarWinds compromise. In April, the researchers discovered an additional cluster of 18 servers that were likely communicating with a secondary Cobalt Strike payload delivered by the TEARDROP and RAINDROP loaders. The researchers attributed the discovered IP addresses to APT29 with high confidence. They were unable to identify any malware communicating with these servers, but suspect it resembles samples detected previously.