A security report released on April 23, 2018 found that there was a growing threat presented by Orangeworm, a cybercrime alliance that was going after organizations within healthcare and similar fields using a backdoor known as Kwampirs.

What is Kwampirs?

Kwampirs is a Trojan horse, as indicated by the NJ Cybersecurity & Communications Integration Cell. When attackers deploy this malware, they are able to remotely access the devices that are infected with it. Once the attackers access the machines and execute the Trojan, it begins to decrypt and extract a copy of its primary dynamic link library (DLL) payload. (What is DLL injection? DLL injection is a technique that is often used for Trojans. The pen-testing industry blog Penetration Testing Lab noted that DLL injection enables an intruder to run whatever script they want within another process’s address space. In the event that the process involved has heightened privileges, the nefarious party might be able to run sinister code within a DLL file that would further increase their privileges and, in turn, allow them to inflict widespread damage.)

How the DLL payload works

Once Kwampirs has injected the DLL code, the Trojan inserts a randomly generated string into the fully decrypted payload so that each copy carries a different file hash, which defeats hash-based detection. It then writes the payload to the disk of the infected device. It gets worse: Kwampirs is also designed to persist and resist removal. The Trojan immediately creates a service that is set to start at boot and load the payload into memory. Once the Trojan is established, it starts gathering information about the system it has infiltrated in order to estimate how valuable this particular organization is. Based on that assessment, the malware may begin to replicate, copying the Trojan to open network shares and infecting more systems on the network. As it spreads, the Trojan collects further data from the devices and the network, building an increasingly detailed picture of the environment. Finally, the Trojan contacts a list of C2 (command-and-control) servers to find one that is currently available.
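As an added illustration (not code from this page or from any Kwampirs sample), the following Python models why a blocklist of whole-file hashes misses copies that differ only by inserted random bytes, and contrasts it with two detections that key on the part of the payload that does not change. The payload bytes, the byte pattern and the insertion offset are constructed assumptions.

```python
import hashlib
import os
import re

# Constructed stand-in for a decrypted payload (not Kwampirs bytes): a fixed
# header + code region, then a padding region the sample rewrites each copy.
STABLE_LEN = 4 + len(b"CODE:dropper-stub-v1;")
BASE_PAYLOAD = b"MZ\x90\x00" + b"CODE:dropper-stub-v1;" + b"\x00" * 32

# A content signature keyed on bytes the random insertion never touches
# (hypothetical pattern for the constructed payload above).
STABLE_PATTERN = re.compile(rb"CODE:dropper-stub-v\d;")


def mutate_payload(base: bytes, junk_len: int = 16) -> bytes:
    """Simulate the per-copy change the page describes: random bytes are
    inserted into the decrypted payload. Assumption: they land in the padding
    region after the code; the page does not state the offset."""
    return base[:STABLE_LEN] + os.urandom(junk_len) + base[STABLE_LEN:]


def file_hash(data: bytes) -> str:
    """Whole-file SHA-256, the value a blocklist of known-bad hashes keys on."""
    return hashlib.sha256(data).hexdigest()


def stable_region_hash(data: bytes, length: int = STABLE_LEN) -> str:
    """Hash only the region that stays constant across copies."""
    return hashlib.sha256(data[:length]).hexdigest()


def classify(data: bytes, known_hashes: set[str], known_region_hashes: set[str]) -> dict:
    """Run the three detection strategies and report which ones fire."""
    return {
        "whole_file_hash": file_hash(data) in known_hashes,
        "stable_region_hash": stable_region_hash(data) in known_region_hashes,
        "byte_pattern": STABLE_PATTERN.search(data) is not None,
    }


def demo() -> tuple[dict, dict]:
    """Verdicts for the original copy and for a freshly mutated copy."""
    known = {file_hash(BASE_PAYLOAD)}
    known_region = {stable_region_hash(BASE_PAYLOAD)}
    original = classify(BASE_PAYLOAD, known, known_region)
    mutated = classify(mutate_payload(BASE_PAYLOAD), known, known_region)
    return original, mutated


if __name__ == "__main__":
    for label, verdict in zip(("original", "mutated"), demo()):
        print(label, verdict)
```

Only the whole-file hash check loses the mutated copy; the stable-region hash and the byte pattern still fire, which is why content signatures and behavioural indicators (such as a new boot-time service) matter more than file hashes against this kind of sample.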

Orangeworm – six key takeaways

Beyond the description of Kwampirs and DLL injection above, if you want the in-brief version of Orangeworm, Becker’s Health IT & CEO Report has published a list of six must-know items (which reiterate a few of the points above):

  1. Orangeworm was first identified by security researchers in 2015. Usually attacking in the United States but in Asia and Europe as well, Orangeworm installs Trojan.Kwampirs, a custom backdoor, into its victims, which are typically large global healthcare organizations.
  2. Per the report, Orangeworm is probably an effort at corporate espionage. Victims have included healthcare providers, healthcare IT service providers, pharmaceutical manufacturers, and healthcare equipment producers.
  3. The targets beyond healthcare that are highest priority for Orangeworm are logistics, agriculture, IT, and manufacturing.
  4. As indicated by the above description of the behavior of Kwampirs, whoever is controlling the Trojan is able to access the infected computer. The Trojan then decrypts and extracts a copy of its primary DLL payload from its resource section. The Becker’s summary also notes the insertion of randomly generated characters into the decrypted payload, which allows it to sidestep hash-based detection systems.
  5. Once Kwampirs is on a computer, the hackers are able to make the malware’s toolset more robust. They can download and run other modules within memory if that is what the attacker wants to do. The additional modules allow the criminal to customize their efforts to the environment of their target so that it is possible for them to accomplish what they want, which is broad information theft.
  6. The researchers who released this most recent report suggest that this healthcare attack is probably not sponsored by North Korea or another foreign government; instead, it is believed to be a team of individuals. It is not possible, in terms of what can be gathered about the way the Orangeworm group is acting or by the technical nature of its attacks, to figure out the nation from which the attacks are being launched.

Orangeworm attack statistics (as of April 2018)

While the list of successfully breached targets certainly goes beyond healthcare, that industry is getting the worst of this effort. It is clear that the attackers are going after targets that have been chosen based on very clearly delineated characteristics. There is likely significant strategizing prior to these attacks, according to the analysts. Here is how the Orangeworm threat breaks down by industry, according to the attacks that are already on-record:

  • Healthcare – 39%
  • Manufacturing – 15%
  • Information technology – 15%
  • Unknown – 15%
  • Logistics – 8%
  • Agriculture – 8%

Clearly, since nearly 2 in 5 victims are within healthcare, Kwampirs is a major healthcare problem even if its impact extends beyond that sector, and of major interest to healthcare hosting companies. In this round of attacks, rather than targeting servers or PCs, the Trojan is targeting MRI and X-Ray machines, along with other types of imaging devices. It is also attacking machines that collect consent form data from patients.

Where are Orangeworm victims located?

The victims of Orangeworm are mostly in the United States, but across many other nations as well. Here are the numbers based on location:

  • United States – 17%
  • Unknown – 10%
  • India – 7%
  • Saudi Arabia – 7%
  • Philippines – 5%
  • Germany – 5%
  • Hungary – 5%
  • United Kingdom – 5%
  • Poland – 2%
  • Sweden – 2%
  • Hong Kong – 2%
  • France – 2%
  • China – 2%
  • Japan – 2%
  • Portugal – 2%
  • Turkey – 2%
  • Spain – 2%
  • Canada – 2%
  • Switzerland – 2%
  • Norway – 2%
  • Chile – 2%
  • Brazil – 2%
  • Belgium – 2%
  • Malaysia – 2%
  • Netherlands – 2%

Orangeworm is bold

One interesting note from the researchers is that the Trojan used a self-propagation technique leveraging open network shares, which was bold. This method of distribution is not new. It works in environments that have older operating systems running on the servers – and that is true of many healthcare firms, which have Windows XP on their backends. It is thought that the high use of older operating systems within healthcare is a reason that the sector was chosen as a point of attack.

After infecting a computer, Orangeworm’s version of Kwampirs works through a list of C2 servers embedded in its code. The list is long, but the researchers noted that many of the servers are inactive. When the malware copies itself to other parts of the network, it changes a small part of its code in order to avoid detection. The C2 communication protocol has not changed since the Trojan first appeared, which analysts also read as bravado on the part of the attackers.

The above methods are not exactly tip-toeing. The research team thinks the people behind Orangeworm are not very worried about being noticed. It is also possible that the code of Kwampirs has remained largely intact since the security industry first noticed it because mitigation efforts have been unsuccessful against it, so the attackers see no need to change anything.

HIPAA-compliant hosting for Orangeworm protection

Are you in need of protection from Orangeworm and all the other potential threats against the ePHI you protect? At Atlantic.Net, our infrastructure is SOC 1 & SOC 2 certified and HIPAA & HITECH audited, designed to secure and protect critical data and records. Orangeworm is not a threat to our healthcare clients, who are secured by protections such as our antivirus and intrusion prevention system. See our solutions for research in life sciences.