April 24, 2018 By David Bisson 2 min read

Security researchers discovered that a threat group known as Orangeworm is actively targeting healthcare organizations and attempting to install a custom backdoor on their networks.

According to Symantec, the cybergang has staged numerous supply chain attacks against IT solutions providers, equipment manufacturers and other organizations serving the medical industry. The group’s goal in each of those attacks was to infect its intended targets with a custom backdoor called Trojan.Kwampirs.

Symantec reported that 39 percent of organizations targeted by Orangeworm through the spring of 2018 operated in the healthcare industry. The group infected devices designed to control X-ray and MRI machines and help patients fill out consent forms. It also infiltrated organizations in manufacturing and IT, with both sectors accounting for 15 percent of the group’s overall victim distribution.

Orangeworm Crawls Into Healthcare Networks

Orangeworm chooses its targets “carefully and deliberately,” according to the report, and conducts “a good amount of planning before launching an attack.” It uses information gathered to infiltrate the organization’s network and deploy Kwampirs.

Once activated, the malware adds a randomly generated string to a decrypted copy of its payload to evade hash-based detection. It also sets a configuration that allows it to load into memory once the system is rebooted. Kwampirs then copies itself across network shares with the goal of infecting other machines.

Symantec noted that this means of propagation is fairly aggressive in nature and particularly well-suited to exploit legacy systems, which are prevalent throughout the healthcare industry. “While this method is considered somewhat old, it may still be viable for environments that run older operating systems, such as Windows XP,” the researchers explained in the report.

From there, Kwampirs collects as much information as possible about the network. Key points of interest include lists of running system processes, system configuration information and displays of files and directories in C:\.

Detecting Kwampirs Activity

In its report, Symantec included a list of indicators of compromise (IoCs) that organizations can use to detect activity from Kwampirs and other tools commonly employed by Orangeworm.

The security firm advised organizations to run a full system scan if a Kwampirs infection is detected. If the malware corrupts a Windows system file, security teams should replace it by using the Windows installation CD.

Organizations can prevent a Kwampirs infection by regularly implementing operating system updates, protecting file shares and following best practices for online security.

More from

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today