New Orangeworm Threat Group Targets Healthcare Organizations With Custom Backdoor

Security researchers discovered that a threat group known as Orangeworm is actively targeting healthcare organizations and attempting to install a custom backdoor on their networks.

According to Symantec, the cybergang has staged numerous supply chain attacks against IT solutions providers, equipment manufacturers and other organizations serving the medical industry. The group’s goal in each of those attacks was to infect its intended targets with a custom backdoor called Trojan.Kwampirs.

Symantec reported that 39 percent of organizations targeted by Orangeworm through the spring of 2018 operated in the healthcare industry. The group infected devices designed to control X-ray and MRI machines and help patients fill out consent forms. It also infiltrated organizations in manufacturing and IT, with both sectors accounting for 15 percent of the group’s overall victim distribution.

Orangeworm Crawls Into Healthcare Networks

Orangeworm chooses its targets “carefully and deliberately,” according to the report, and conducts “a good amount of planning before launching an attack.” It uses information gathered to infiltrate the organization’s network and deploy Kwampirs.

Once activated, the malware adds a randomly generated string to a decrypted copy of its payload to evade hash-based detection. It also sets a configuration that allows it to load into memory once the system is rebooted. Kwampirs then copies itself across network shares with the goal of infecting other machines.

Symantec noted that this means of propagation is fairly aggressive in nature and particularly well-suited to exploit legacy systems, which are prevalent throughout the healthcare industry. “While this method is considered somewhat old, it may still be viable for environments that run older operating systems, such as Windows XP,” the researchers explained in the report.

From there, Kwampirs collects as much information as possible about the network. Key points of interest include lists of running system processes, system configuration information and displays of files and directories in C:\.

Detecting Kwampirs Activity

In its report, Symantec included a list of indicators of compromise (IoCs) that organizations can use to detect activity from Kwampirs and other tools commonly employed by Orangeworm.

The security firm advised organizations to run a full system scan if a Kwampirs infection is detected. If the malware corrupts a Windows system file, security teams should replace it by using the Windows installation CD.

Organizations can prevent a Kwampirs infection by regularly implementing operating system updates, protecting file shares and following best practices for online security.

David Bisson

Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley...