What Is It?
Researchers at Symantec have detailed their findings into the activities of a new attack group and the backdoor trojan they have been using to target healthcare and related organizations.
The group, dubbed Orangeworm, is believed to be made up of a small number of individuals and has been operating for several years. The origin, location and motivations of the group are currently unknown. Approximately 17% of infected systems are located in the U.S.
The organizations known to have been targeted by Orangeworm are either directly involved in the healthcare sector (including healthcare providers or pharmaceutical companies) or organizations that provide goods and services to the healthcare industry (including IT solution providers and equipment manufacturers). Researchers believe this to be a component of a larger supply-chain attack resulting in Orangeworm gaining access to their primary healthcare targets.
The malware has been named Kwampirs and is a backdoor, giving the attackers access to compromised systems to extract system information and sensitive data. The backdoor has even been found on systems used for operating X-ray and MRI machines. The attackers also seem to favor systems used by patients to complete consent forms.
The Kwampirs malware uses built-in system commands to gather a wide range of system information, particularly information that would assist in lateral movement through a network, such as recently accessed systems, network shares, mapped drives and network adapters. The malware decrypts and drops the main payload DLL contained within itself. When it does so, it inserts a randomly generated string into the DLL in an attempt to defeat hash- and pattern-based detection. The malware also copies itself to network shares and contains a list of command and control (C2) servers to which it attempts to connect. Both of these actions are considered noisy, but this apparently has not concerned the authors, as these behaviors have not changed over time.
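Because the reconnaissance burst and the copying to shares are noisy, they are good candidates for behavior-based detection that does not depend on the payload hash the random string is designed to break. The following is an added example, not code from the original post, Symantec or BluVector: it flags a host on which a single parent process runs several categories of reconnaissance commands within a short window. The specific command names, the log format and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed built-in commands, grouped by the information category the post names.
RECON_CATEGORIES = {
    "shares": ("net share", "net view"),
    "mapped_drives": ("net use",),
    "adapters": ("ipconfig /all",),
    "recent_systems": ("arp -a", "netstat -an"),
}

def categorise(cmdline):
    """Map a command line to a recon category, or None if it is not recon."""
    c = " ".join(cmdline.lower().split())  # normalise case and whitespace
    for cat, prefixes in RECON_CATEGORIES.items():
        if c.startswith(prefixes):
            return cat
    return None

def parse_line(line):
    """Constructed log format: ISO timestamp|host|parent_pid|command line."""
    ts, host, ppid, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, ppid, cmd

def find_recon_bursts(lines, window=timedelta(minutes=5), min_categories=3):
    """One alert per (host, parent_pid) covering >= min_categories inside one window."""
    events = defaultdict(list)
    for line in lines:
        ts, host, ppid, cmd = parse_line(line)
        cat = categorise(cmd)
        if cat:
            events[(host, ppid)].append((ts, cat))
    alerts = []
    for (host, ppid), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {cat for ts, cat in evs[i:] if ts - start <= window}
            if len(seen) >= min_categories:
                alerts.append((host, ppid, sorted(seen)))
                break
    return alerts

# Constructed events: one burst on an imaging workstation, two routine admin commands hours apart.
SAMPLE_LOG = [
    "2016-08-01T09:00:01|WS-RAD-01|4120|net share",
    "2016-08-01T09:00:02|WS-RAD-01|4120|NET  USE",
    "2016-08-01T09:00:03|WS-RAD-01|4120|ipconfig /all",
    "2016-08-01T09:30:00|WS-ADMIN-02|880|ipconfig /all",
    "2016-08-01T11:00:00|WS-ADMIN-02|880|net use",
]
```

The admin host runs two of the same commands but hours apart, so it stays below the threshold; tune `window` and `min_categories` against your own baseline of legitimate administration.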
How Does It Propagate?
If the attackers determine an infected system is a high-value target, based on system information gathered by the malware, it will attempt to use open network shares to spread within the network.
No information is available concerning the initial infection vector; however, the most common vector for similar attacks is social engineering, either through malicious attachments or through downloads performed by malicious documents. It is believed the Orangeworm group is selecting its targets carefully, making spear phishing a likely infection vector.
When/How Did BluVector Detect It?
There are nine publicly available samples, and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown the samples would have been detected an average of 11 months prior to their release, which mainly occurred during mid-to-late 2016.