Threat Signal ReportCISA and NCSC Advisory for APT 29 - Attacks on Multiple Countries Conducting COVID-19 Vaccine Research
Description
Today, The United Kingdom National Cyber Security Centre (NCSC) and the United States CyberSecurity and Infrastructure Security Agency (CISA) released a joint report on threat actors attempting to collect information on COVID-19 vaccine research and development. The report by NCSC and the three Malware Analysis Reports (MAR) from CISA are for campaigns attributed to a threat actor also known as "Cozy Bear," "Duke" and "APT29" which are attributed to Russia. This report highlights a recently discovered campaign that is targeting multiple organizations in Canada, The United Kingdom, and The United States.
Contained within these sample sets are (36) unique samples. The names associated with these reports by CISA are: WELLMAIL, SOREFANG, and WELLMESS.
AR20-198C : MAR-10296782-3.v1 - WELLMAIL
AR20-198A : MAR-10296782-1.v1 - SOREFANG
AR20-198B : MAR-10296782-2.v1 - WELLMESS
WELLMAIL - Contains ELF implants for remote command execution via compressed scripts that will be exfiltrated to a remote server.
SOREFANG - Samples in this report contain a first stage HTTP downloader that downloads a second stage payload. This set of samples specifically target Sangfor devices.
WELLMESS - This report contains a breakdown of Golang samples that collect information for C2 communications and can arbitrarily execution shell commands
Why is APT29/Cozy Bear/Duke Significant?
APT29/Cozy Bear/Duke has been in operation since 2008. Previous attacks attributed to this threat actor have been various companies, governmental agencies, research institutions, non-governmental organizations, and think tanks across multiple countries. Other high profile attacks attributed to this group are the attacks on the United States Pentagon in 2015, the Democratic National Committee (DNC) email leaks in 2016, and various United States think tanks and NGOS in 2017. Although APT29 is attributed to Russia, it is not to be confused with APT28/Fancy Bear/Pawn Storm, which is another group attributed to Russia. APT28 was responsible for the World Anti-Doping Agency (WADA) attacks before the Rio Olympics (2016) and was also responsible for the DNC attacks in 2016 as well.
What is the Severity of Impact?
The severity should be regarded as low, due to the fact that these campaigns have been observed in limited, targeted attacks.
What is the status of AV and IPS coverage?
Customers running the latest AV definitions are protected with the following signature sets:
W32/FAKER.X!tr.bdr
ELF/Agent.EK!tr
W32/Elf.B!tr
ELF/Agent.IR!tr
ELF/WellMess.C!tr
Linux/Agent.EK!tr
ELF/WellMess.86CE!tr
W32/Sangofor.H!tr
ELF/WellMess.A!tr
ELF/WellMess.B!tr
W32/PossibleThreat
PossibleThreat
IPS coverage is not feasible for this event.
All network IOC's are blocked by the WebFiltering client.
