Cybersecurity firm Symantec has identified a new attack group dubbed Orangeworm installing a custom backdoor called Trojan.Swampers in a targeted attack campaign against global healthcare sector and related industries.
The attack believed to have been operational since January 2015, has conducted targeted attacks claiming 17 percent of its victims in the US. Orangeworm's Swampers malware does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack, Symantec said.
3 IMAGES
According to Symantec telemetry, almost 40 percent of the hacking group’s confirmed victim organizations operate within the healthcare industry. The Swampers malware was found on machines which had the software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures, Symantec said.
Once Orangeworm has infiltrated a victim’s network, the hackers deploy Trojan.Swampers, a backdoor Trojan that provides the attackers with remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of the main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.
To ensure persistence, Kwampirs creates a service with the following configuration to ensure that the main payload is loaded into memory upon system reboot:
To ensure persistence, Kwampirs creates a service with the above configuration.
Symantec
The backdoor also collects some rudimentary information and uses this information to determine whether the system is used by a researcher or if the victim is a high-value target. Once identified, Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares.
While this method has likely proved effective, is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP. Older systems like Windows XP are much more likely to be prevalent in this industry. Additionally, once infected, the malware cycles through a large list of command and control (C&C) servers embedded within the malware.
Meanwhile, Symantec has confirmed that Orangeworm does not bear any hallmarks of a state-sponsored actor.
0 Comments