Cybersecurity firm Symantec has identified a new attack group, dubbed Orangeworm, installing a custom backdoor called Trojan.Kwampirs in a targeted attack campaign against the global healthcare sector and related industries.
The group, believed to have been operational since January 2015, has conducted targeted attacks, with 17 per cent of its victims in the US. Orangeworm's Kwampirs malware does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack, Symantec said.
According to Symantec telemetry, almost 40 per cent of the hacking group’s confirmed victim organisations operate within the healthcare industry. The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures, Symantec said.
Once Orangeworm has infiltrated a victim’s network, the hackers deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.
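As an added illustration (not code from Symantec's report or from the malware), the following Python models why the junk insertion described above defeats an exact-hash indicator while an ordered byte-pattern signature still matches. The payload bytes and the signature patterns are constructed stand-ins, and the caveat shown in the comments is that a pattern straddling the insertion point would also break, so content signatures should rely on several short anchors rather than one long one.

```python
import hashlib
import secrets

# Constructed stand-in for a decrypted DLL payload (not the real Kwampirs binary).
# Two "stable" regions sit either side of a padding run so that the midpoint
# insertion lands in padding, as a real signature writer would want.
SAMPLE_PAYLOAD = (b"MZ" + b"\x90" * 30 + b"STABLE_CODE_SECTION_A"
                  + b"\x00" * 60 + b"STABLE_CODE_SECTION_B")

# Hypothetical content signature: byte patterns that must all appear, in order.
SIGNATURE_PATTERNS = [b"STABLE_CODE_SECTION_A", b"STABLE_CODE_SECTION_B"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def insert_junk(payload: bytes, junk: bytes) -> bytes:
    """Model the behaviour the article describes: a random string is inserted
    into the middle of the decrypted payload before it is written to disk."""
    mid = len(payload) // 2
    return payload[:mid] + junk + payload[mid:]


def matches_hash_indicator(data: bytes, known_hashes: set) -> bool:
    """Exact-hash IoC check: any byte change anywhere defeats it."""
    return sha256_hex(data) in known_hashes


def matches_patterns(data: bytes, patterns: list) -> bool:
    """Ordered-substring check. It survives junk inserted between anchors, but
    an anchor that straddles the insertion point would be split and not match."""
    pos = 0
    for pat in patterns:
        idx = data.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def compare_detections(payload: bytes, patterns: list, junk_len: int = 16) -> dict:
    """Hash the pristine payload, then test both detections on a junk-padded variant."""
    known = {sha256_hex(payload)}
    variant = insert_junk(payload, secrets.token_bytes(junk_len))
    return {"hash_detects_variant": matches_hash_indicator(variant, known),
            "pattern_detects_variant": matches_patterns(variant, patterns)}
```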
To achieve persistence, Kwampirs creates a service with the following configuration so that the main payload is loaded into memory upon system reboot:
The backdoor also collects some rudimentary information and uses this information to determine whether the system is used by a researcher or if the victim is a high-value target. Once identified, Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares.
While this method has likely proved effective, it is considered somewhat old; it may still be viable in environments that run older operating systems such as Windows XP, and such older systems are much more likely to be prevalent within this industry. Additionally, once infected, the malware cycles through a large list of command and control (C&C) servers embedded within the malware.
Meanwhile Symantec has confirmed that Orangeworm does not bear any hallmarks of a state-sponsored actor.