Multiplatform WellMess malware for Windows and Linux

Cases like this one are the exception: sophisticated malware that infects both Windows and Linux and is written in a language other than Java can be counted on the fingers of one hand.

WellMess is malware developed in Go (Golang) and in .NET Framework. Two recovered samples indicate that it was used in attacks on organizations in the same country (Japan). WellMess comes in two builds: a PE executable for Windows and an ELF executable for Linux. Because the Go build statically links the libraries it needs, the same code base can be compiled for either system, which makes WellMess a "universal" piece of malware. The Go binaries retain their symbol names, so the implemented functions (package botlib, with the original build path) can be read directly from them:

_/home/ubuntu/GoProject/src/bot/botlib.EncryptText
_/home/ubuntu/GoProject/src/bot/botlib.encrypt
_/home/ubuntu/GoProject/src/bot/botlib.Command
_/home/ubuntu/GoProject/src/bot/botlib.reply
_/home/ubuntu/GoProject/src/bot/botlib.Service
_/home/ubuntu/GoProject/src/bot/botlib.saveFile
_/home/ubuntu/GoProject/src/bot/botlib.UDFile
_/home/ubuntu/GoProject/src/bot/botlib.Download
_/home/ubuntu/GoProject/src/bot/botlib.Send
_/home/ubuntu/GoProject/src/bot/botlib.Work
_/home/ubuntu/GoProject/src/bot/botlib.chunksM
_/home/ubuntu/GoProject/src/bot/botlib.Join
_/home/ubuntu/GoProject/src/bot/botlib.wellMess
_/home/ubuntu/GoProject/src/bot/botlib.RandStringBytes
_/home/ubuntu/GoProject/src/bot/botlib.GetRandomBytes
_/home/ubuntu/GoProject/src/bot/botlib.Key
_/home/ubuntu/GoProject/src/bot/botlib.GenerateSymmKey
_/home/ubuntu/GoProject/src/bot/botlib.CalculateMD5Hash
_/home/ubuntu/GoProject/src/bot/botlib.Parse
_/home/ubuntu/GoProject/src/bot/botlib.Pack
_/home/ubuntu/GoProject/src/bot/botlib.Unpack
_/home/ubuntu/GoProject/src/bot/botlib.UnpackB
_/home/ubuntu/GoProject/src/bot/botlib.FromNormalToBase64
_/home/ubuntu/GoProject/src/bot/botlib.RandInt
_/home/ubuntu/GoProject/src/bot/botlib.Base64ToNormal
_/home/ubuntu/GoProject/src/bot/botlib.KeySizeError.Error
_/home/ubuntu/GoProject/src/bot/botlib.New
_/home/ubuntu/GoProject/src/bot/botlib.(*Rc6cipher).BlockSize
_/home/ubuntu/GoProject/src/bot/botlib.convertFromString
_/home/ubuntu/GoProject/src/bot/botlib.(*Rc6cipher).Encrypt
_/home/ubuntu/GoProject/src/bot/botlib.(*Rc6cipher).Decrypt
_/home/ubuntu/GoProject/src/bot/botlib.Split
_/home/ubuntu/GoProject/src/bot/botlib.Cipher
_/home/ubuntu/GoProject/src/bot/botlib.Decipher
_/home/ubuntu/GoProject/src/bot/botlib.Pad
_/home/ubuntu/GoProject/src/bot/botlib.AES_Encrypt
_/home/ubuntu/GoProject/src/bot/botlib.AES_Decrypt
_/home/ubuntu/GoProject/src/bot/botlib.generateRandomString
_/home/ubuntu/GoProject/src/bot/botlib.deleteFile
_/home/ubuntu/GoProject/src/bot/botlib.Post
_/home/ubuntu/GoProject/src/bot/botlib.SendMessage
_/home/ubuntu/GoProject/src/bot/botlib.ReceiveMessage
_/home/ubuntu/GoProject/src/bot/botlib.Send.func1
_/home/ubuntu/GoProject/src/bot/botlib.init
_/home/ubuntu/GoProject/src/bot/botlib.(*KeySizeError).Error

Analysis of a sample from an attack on organizations in Japan showed that the malware communicates with its C&C server over HTTP with encrypted request contents, and executes one of its functions depending on the command it receives.

Researchers point out that WellMess can be used to download further, more sophisticated malware; they name Cerber ransomware as a specific example.

WellMess malware

The original analysis is available as a PDF in Japanese. For readers who would rather not work through the Japanese, a translated version by Shusei Tomonaga is available on this page.

SHA-256 checksums of the detected WellMess samples:

  • 0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193 (Golang & ELF)
  • bec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d (Golang & PE)
  • 2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41 (.Net & PE)

IP addresses of the C&C servers the malware communicated with:

  • 45.123.190.168
  • 103.13.240.46
  • 101.201.53.27
  • 185.217.92.171
  • 93.113.45.101
  • 191.101.180.78
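The indicators above (sample hashes, the botlib build-path symbols and the C&C addresses) can be turned into a small offline sweep. The Go program below is an added example written for this page, not code from the article or from the WellMess samples. The symbol pattern assumes the build path shown in the function list; the byte blob and the log lines it scans are constructed for the demonstration, so the hash check is expected to report no match on them.

```go
// Added example: an offline IOC sweep built from the published WellMess
// indicators. Not code from the article or from the malware itself.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// SHA-256 hashes published for the three WellMess samples.
var knownHashes = map[string]string{
	"0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193": "WellMess (Golang, ELF)",
	"bec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d": "WellMess (Golang, PE)",
	"2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41": "WellMess (.NET, PE)",
}

// C&C addresses published for the samples.
var c2Addrs = map[string]bool{
	"45.123.190.168": true, "103.13.240.46": true, "101.201.53.27": true,
	"185.217.92.171": true, "93.113.45.101": true, "191.101.180.78": true,
}

// Go binaries keep the import path of every function, so the build path seen
// in the symbol list doubles as a string indicator (assumed from that list).
var botlibSymbol = regexp.MustCompile(`_/home/ubuntu/GoProject/src/bot/botlib\.[A-Za-z0-9_.()*]+`)

// ExtractBotlibSymbols returns the distinct botlib symbols found in data, sorted.
func ExtractBotlibSymbols(data []byte) []string {
	seen := map[string]bool{}
	for _, m := range botlibSymbol.FindAll(data, -1) {
		seen[string(m)] = true
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// LookupHash maps a SHA-256 hex digest (any letter case) to a sample label.
func LookupHash(hexDigest string) (string, bool) {
	label, ok := knownHashes[strings.ToLower(hexDigest)]
	return label, ok
}

// MatchFileHash hashes data and looks the digest up in the IOC list.
func MatchFileHash(data []byte) (string, bool) {
	sum := sha256.Sum256(data)
	return LookupHash(hex.EncodeToString(sum[:]))
}

// ipField is a loose dotted-quad matcher; each hit is validated with net.ParseIP.
var ipField = regexp.MustCompile(`\b\d{1,3}(?:\.\d{1,3}){3}\b`)

// FindC2Hits returns the log lines that reference a listed C&C address.
func FindC2Hits(lines []string) []string {
	var hits []string
	for _, line := range lines {
		for _, ip := range ipField.FindAllString(line, -1) {
			if net.ParseIP(ip) != nil && c2Addrs[ip] {
				hits = append(hits, line)
				break
			}
		}
	}
	return hits
}

// SampleBlob is constructed data, not a real sample: NUL-separated symbol
// names laid out the way a Go binary's name tables store them.
func SampleBlob() []byte {
	return []byte("\x00_/home/ubuntu/GoProject/src/bot/botlib.(*Rc6cipher).Encrypt\x00" +
		"_/home/ubuntu/GoProject/src/bot/botlib.AES_Encrypt\x00" +
		"_/home/ubuntu/GoProject/src/bot/botlib.Post\x00other text\x00")
}

// SampleLog is constructed proxy log data; the second line is a near miss.
func SampleLog() []string {
	return []string{
		"2018-07-10T09:12:01Z host1 POST http://185.217.92.171/ 200",
		"2018-07-10T09:12:05Z host1 GET http://93.113.45.1/ 200",
		"2018-07-10T09:13:40Z host2 POST http://45.123.190.168/ 200",
	}
}

func main() {
	fmt.Println("symbols:", ExtractBotlibSymbols(SampleBlob()))
	_, ok := MatchFileHash(SampleBlob())
	fmt.Println("constructed blob matches a published hash:", ok)
	for _, hit := range FindC2Hits(SampleLog()) {
		fmt.Println("C&C hit:", hit)
	}
}
```

To sweep a real file, read it with os.ReadFile and pass the bytes to MatchFileHash and ExtractBotlibSymbols; the hash check only catches the three published builds, while the symbol scan also flags recompiled variants that kept the same package path. The near-miss log line (93.113.45.1) shows why each candidate address is matched exactly rather than by prefix.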


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.