April 24, 2018 By David Bisson 2 min read

Security researchers discovered that a threat group known as Orangeworm is actively targeting healthcare organizations and attempting to install a custom backdoor on their networks.

According to Symantec, the cybergang has staged numerous supply chain attacks against IT solutions providers, equipment manufacturers and other organizations serving the medical industry. The group’s goal in each of those attacks was to infect its intended targets with a custom backdoor called Trojan.Kwampirs.

Symantec reported that 39 percent of organizations targeted by Orangeworm through the spring of 2018 operated in the healthcare industry. The group infected devices designed to control X-ray and MRI machines and help patients fill out consent forms. It also infiltrated organizations in manufacturing and IT, with both sectors accounting for 15 percent of the group’s overall victim distribution.

Orangeworm Crawls Into Healthcare Networks

Orangeworm chooses its targets “carefully and deliberately,” according to the report, and conducts “a good amount of planning before launching an attack.” It uses information gathered to infiltrate the organization’s network and deploy Kwampirs.

Once activated, the malware adds a randomly generated string to a decrypted copy of its payload to evade hash-based detection. It also sets a configuration that allows it to load into memory once the system is rebooted. Kwampirs then copies itself across network shares with the goal of infecting other machines.

Symantec noted that this means of propagation is fairly aggressive in nature and particularly well-suited to exploit legacy systems, which are prevalent throughout the healthcare industry. “While this method is considered somewhat old, it may still be viable for environments that run older operating systems, such as Windows XP,” the researchers explained in the report.

From there, Kwampirs collects as much information as possible about the network. Key points of interest include lists of running system processes, system configuration information and displays of files and directories in C:\.

Detecting Kwampirs Activity

In its report, Symantec included a list of indicators of compromise (IoCs) that organizations can use to detect activity from Kwampirs and other tools commonly employed by Orangeworm.

The security firm advised organizations to run a full system scan if a Kwampirs infection is detected. If the malware corrupts a Windows system file, security teams should replace it by using the Windows installation CD.

Organizations can prevent a Kwampirs infection by regularly implementing operating system updates, protecting file shares and following best practices for online security.

More from

ISC2 Cybersecurity Workforce Study: Shortage of AI skilled workers

4 min read - AI has made an impact everywhere else across the tech world, so it should surprise no one that the 2024 ISC2 Cybersecurity Workforce Study saw artificial intelligence (AI) jump into the top five list of security skills.It’s not just the need for workers with security-related AI skills. The Workforce Study also takes a deep dive into how the 16,000 respondents think AI will impact cybersecurity and job roles overall, from changing skills approaches to creating generative AI (gen AI) strategies.Budgets…

Why do software vendors have such deep access into customer systems?

4 min read - To the naked eye, organizations are independent entities trying to make their individual mark on the world. But that was never the reality. Companies rely on other businesses to stay up and running. A grocery store needs its food suppliers; a tech company relies on the business making semiconductors and hardware. No one can go it alone.Today, the software supply chain interconnects companies across a wide range of industries. Software applications and operating systems depend on segments of the software…

How CTEM is providing better cybersecurity resilience for organizations

4 min read - Organizations today continuously face a number of fast-moving cyber threats that regularly challenge the effectiveness of their cybersecurity defenses. However, to keep pace, businesses need a proactive and adaptive approach to their security planning and execution.Cyber threat exposure management (CTEM) is an effective way to achieve this goal. It provides organizations with a reliable framework for identifying, assessing and mitigating new cyber risks as they materialize.The importance of developing cybersecurity resilienceRegardless of the industry, all organizations are subject to certain…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today