Cyberattack group targets healthcare sector in the US, Europe, Asia

Symantec has identified a new attack group dubbed Orangeworm deploying the Kwampirs backdoor in a targeted attack campaign against the healthcare sector and related industries.

Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.

First identified in January 2015, Orangeworm has also conducted targeted attacks against organisations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.

Sights set on healthcare

Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.

According to Symantec telemetry, almost 40 per cent of Orangeworm’s confirmed victim organisations operates within the healthcare industry. The Kwampirs malware was found on machines which had a software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear.

The biggest number of Orangeworm’s victims are located in the US, accounting for 17 per cent of the infection rate by region. While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec telemetry, there have been infections in multiple countries due to the nature of the victims operating large international corporations.

Healthcare providers caught in the crosshairs

It’s believed that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare. Orangeworm’s secondary targets include Manufacturing, Information Technology, Agriculture, and Logistics. While these industries may appear to be unrelated, they have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organisations that provide support services to medical clinics, and logistical organisations that deliver healthcare products.

Post-compromise activities

Once Orangeworm has infiltrated a victim’s network, they deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer.

When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.

To ensure persistence, Kwampirs creates a service with the following configuration to ensure that the main payload is loaded into memory upon system reboot:

The backdoor also collects some rudimentary information about the compromised computer including some basic network adapter information, system version information, and language settings.

Orangeworm likely uses this information to determine whether the system is used by a researcher or if the victim is a high-value target. Once Orangeworm determines that a potential victim is of interest, it proceeds to aggressively copy the backdoor across open network shares to infect other computers. It may copy itself to the following hidden file shares: ADMIN$, C$WINDOWS, D$WINDOWS and E$WINDOWS.

Information gathering

At this point, the attackers proceed to gather as much additional information about the victim’s network as possible, including any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.

No concern about being discovered

Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares. While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP. This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry.

Additionally, once infected, the malware cycles through a large list of command and control (C&C) servers embedded within the malware. It appears while the list is extensive, not all of the C&Cs are active and continue to beacon until a successful connection is established. Despite modifying a small part of itself while copying itself across the network as a means to evade detection, the operators have made no effort to change the C&C communication protocol since its first inception.

Both of these methods are considered particularly “noisy” and may indicate that Orangeworm is not overly concerned with being discovered. The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network.

Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares.

No hallmarks of a nation-state actor

While Orangeworm is known to have been active for at least several years, it’s not believed that the group bears any hallmarks of a state-sponsored actor—it is likely the work of an individual or a small group of individuals. There are currently no technical or operational indicators to ascertain the origin of the group.

Protection

Symantec offers protection against Orangeworm and has made efforts to notify identified targets of its operations. Customers with Intelligence Services or WebFilter-enabled products are protected against activity associated with the Orangeworm group.

Click on Deccan Chronicle Technology and Science for the latest news and reviews. Follow us on Facebook, Twitter.