Light Dark
April 24, 2018 By David Bisson 2 min read

Security researchers discovered that a threat group known as Orangeworm is actively targeting healthcare organizations and attempting to install a custom backdoor on their networks.

According to Symantec, the cybergang has staged numerous supply chain attacks against IT solutions providers, equipment manufacturers and other organizations serving the medical industry. The group’s goal in each of those attacks was to infect its intended targets with a custom backdoor called Trojan.Kwampirs.

Symantec reported that 39 percent of organizations targeted by Orangeworm through the spring of 2018 operated in the healthcare industry. The group infected devices designed to control X-ray and MRI machines and help patients fill out consent forms. It also infiltrated organizations in manufacturing and IT, with both sectors accounting for 15 percent of the group’s overall victim distribution.

Orangeworm Crawls Into Healthcare Networks

Orangeworm chooses its targets “carefully and deliberately,” according to the report, and conducts “a good amount of planning before launching an attack.” It uses information gathered to infiltrate the organization’s network and deploy Kwampirs.

Once activated, the malware adds a randomly generated string to a decrypted copy of its payload to evade hash-based detection. It also sets a configuration that allows it to load into memory once the system is rebooted. Kwampirs then copies itself across network shares with the goal of infecting other machines.

Symantec noted that this means of propagation is fairly aggressive in nature and particularly well-suited to exploit legacy systems, which are prevalent throughout the healthcare industry. “While this method is considered somewhat old, it may still be viable for environments that run older operating systems, such as Windows XP,” the researchers explained in the report.

From there, Kwampirs collects as much information as possible about the network. Key points of interest include lists of running system processes, system configuration information and displays of files and directories in C:\.

Detecting Kwampirs Activity

In its report, Symantec included a list of indicators of compromise (IoCs) that organizations can use to detect activity from Kwampirs and other tools commonly employed by Orangeworm.

The security firm advised organizations to run a full system scan if a Kwampirs infection is detected. If the malware corrupts a Windows system file, security teams should replace it by using the Windows installation CD.

Organizations can prevent a Kwampirs infection by regularly implementing operating system updates, protecting file shares and following best practices for online security.

 |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

November 15, 2024

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

November 14, 2024

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

November 13, 2024

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature