A hacking group dubbed Orangeworm has been targeting, either directly or indirectly, international corporations operating within the healthcare sector, Symantec researchers have shared.
The Orangeworm attackers use a custom backdoor called Trojan.Kwampirs to compromise systems and gain remote access to them.
The attackers collect as much information as possible from the back-doored system, including configuration information, running system process and services, available network shares and user groups, account policy information, local accounts with admin access, a list of files and directories, and so on.
And, if the system seems interesting (and not operated by security researchers), Kwampirs will copy itself across open network shares to infect other computers on the network.
The threat actors
It’s interesting to note that, despite the group being active for several years, there is no indication of where they might be from.
Also, the researchers believe that the group is not state-sponsored. “[The attacks are] likely the work of an individual or a small group of individuals,” they posited.
The group does not seem particularly interested in keeping the attacks on the down low.
The copying of the malware over network shares is an agressive tactic and the malware going through a large list of command and control (C&C) in order to establish a viable connection result in “noisy” attacks.
“The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” the researchers pointed out.
The targets are located all around the world:
Aside from aiming for companies in the healthcare sector, Orangeworm also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach the intended victims.
“Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage,” the researchers noted.