A previously unknown threat group has been breaking into large international corporations operating in the healthcare sector across Europe, the USA and Asia. The American software company Symantec Corporation identified this group as ‘Orangeworm’ and observed it installing a custom backdoor, named ‘Trojan.Kwampirs’, inside large corporations.
Orangeworm conducts highly planned and targeted attacks, not only on healthcare corporations but also on related industries, as part of a larger supply chain attack. Major victims of this cyberespionage campaign include pharmaceutical companies, IT solution providers and manufacturers of healthcare equipment.
Well Planned Attack on Healthcare
There is no random selection of victims or targets: Orangeworm never conducts opportunistic hacking. Targets are well defined and chosen carefully, with complete and comprehensive planning before an attack is launched. Although victims are spread across the different industries related to healthcare, a study by Symantec suggests that as much as 40% of the victim organizations are within the healthcare industry itself. The malware has mostly been found on machines running the software that controls high-tech imaging equipment such as X-ray and MRI machines.
Corporations in several countries across multiple continents have been victimized by Trojan.Kwampirs. However, the largest infection rate is in the USA according to Symantec telemetry: as much as 17% of Orangeworm’s victims are in the USA alone.
Orangeworm has infiltrated the networks of various corporations in the healthcare industry and of other related healthcare providers. Let’s have a look at the modus operandi. On breaching the victim’s network, Orangeworm deploys the backdoor Trojan.Kwampirs, which gives the attackers remote access to the compromised computer. Once installed, the Trojan generates a copy of its main Dynamic Link Library (DLL) payload by decrypting it from its resource section. Before the decrypted payload is written to disk, a randomly generated string is inserted into it, so that every dropped copy has a different file hash. This is done to evade hash-based detection.
Apart from this, a lot of basic information is collected about the victimized computer, including network adapter details and system version information. Orangeworm uses this information to determine whether the victim is a high-value target. If the target is judged to be of high value, the backdoor is copied across open network shares to infect other machines.
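The hash-evasion step described above is worth seeing from the defender’s side: once every dropped copy carries a unique random string, a blocklist of file hashes never fires again, while a signature on a byte sequence the attacker cannot freely change still matches. The following example is added here and is not code from the original article or from any real sample; the payload bytes, the insertion point and the function names are constructed for the demonstration.

```python
import hashlib
import secrets

# Constructed toy "DLL" blob standing in for a decrypted payload. These are
# not bytes from any real sample; the layout is an assumption for the demo.
STABLE_CODE = b"toy-export-table:ServiceMain,CollectHostInfo,CopyToShare"
BASE_PAYLOAD = (
    b"MZ" + b"\x90" * 14          # fake header
    + STABLE_CODE                 # region the attacker cannot freely change
    + b"\x00" * 8
    + b"CFG:"                     # marker after which the junk is inserted
    + b"\x00" * 8
)
INSERT_AT = BASE_PAYLOAD.index(b"CFG:") + len(b"CFG:")


def sha256(blob: bytes) -> str:
    """Full-file hash, the value a hash blocklist would compare against."""
    return hashlib.sha256(blob).hexdigest()


def mutate_payload(base: bytes = BASE_PAYLOAD, junk_len: int = 16) -> bytes:
    """Emulate the per-infection step: insert a random ASCII string into the
    decrypted payload so every dropped copy has a unique file hash."""
    junk = secrets.token_hex(junk_len // 2).encode()   # junk_len ASCII bytes
    return base[:INSERT_AT] + junk + base[INSERT_AT:]


# Hash-based detection: a blocklist of file hashes seen so far.
KNOWN_BAD_HASHES = {sha256(BASE_PAYLOAD)}


def hash_blocklist_hit(blob: bytes) -> bool:
    """True only if this exact file has been seen before."""
    return sha256(blob) in KNOWN_BAD_HASHES


def signature_hit(blob: bytes) -> bool:
    """Content-based detection: match a stable byte sequence (the idea behind
    a YARA string), so inserted junk, wherever it lands, does not break it."""
    return STABLE_CODE in blob


def demo() -> dict:
    """Two fresh drops of the same payload: three distinct hashes, zero
    blocklist hits, two signature hits."""
    a = mutate_payload()
    b = mutate_payload()
    return {
        "distinct_hashes": len({sha256(BASE_PAYLOAD), sha256(a), sha256(b)}),
        "blocklist_hits": [hash_blocklist_hit(a), hash_blocklist_hit(b)],
        "signature_hits": [signature_hit(a), signature_hit(b)],
    }


if __name__ == "__main__":
    print(demo())
```

The lesson for a healthcare SOC is that sharing file hashes of a Kwampirs drop is of limited value; detections built on stable content, behaviour (a DLL written from a resource section, followed by writes to many network shares) or the dropper’s own characteristics survive the randomization.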
Kwampirs – Unperturbed about its discovery
On successfully breaching the victim’s network, Kwampirs propagates by copying itself over network shares. This method might be considered old school, but it remains highly effective where old operating systems such as Windows XP are still in use, and in healthcare organizations the chances are high that systems are running on such older platforms. A few modifications have been made to the way the copy over network shares is performed in order to avoid detection. Despite that, the method can be considered ‘noisy’, which suggests that Orangeworm is not particularly concerned about being discovered.
Orangeworm has been active for quite some time now. The group is most likely not state-sponsored, and there is no reliable indicator from which to trace its origin. In all probability, an individual or a small group is behind it.
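Because the propagation is ‘noisy’, it is also detectable: a single workstation writing the same executable into administrative shares on several hosts in a short window is exactly the pattern file-share auditing exposes. The example below is added here and is not code from the original article; the log format, the host names, the file names and the thresholds are constructed for the demonstration (loosely modelled on Windows share-access auditing, but not tied to any specific event schema).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Shares and file types that matter for lateral copy detection (assumption).
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}
EXEC_SUFFIXES = (".dll", ".exe")

# Constructed sample share-access log (not real telemetry), one event per line:
# timestamp|source_host|dest_host|share|relative_path|access
SAMPLE_LOG = """\
2018-04-01T10:00:01|WS-RAD-07|MRI-CTRL-01|ADMIN$|System32\\svc_helper.dll|WriteData
2018-04-01T10:00:40|WS-RAD-07|XRAY-CTRL-02|ADMIN$|System32\\svc_helper.dll|WriteData
2018-04-01T10:01:15|WS-RAD-07|FS-LAB-01|C$|Windows\\System32\\svc_helper.dll|WriteData
2018-04-01T10:02:30|WS-RAD-07|PACS-01|ADMIN$|System32\\svc_helper.dll|WriteData
2018-04-01T10:03:00|ADMIN-PC|FS-LAB-01|ADMIN$|Temp\\patch.exe|WriteData
2018-04-01T10:04:00|WS-NURSE-3|FS-LAB-01|Shared|notes\\handover.txt|WriteData
2018-04-01T10:05:00|BACKUP-SRV|MRI-CTRL-01|C$|Windows\\System32\\kernel32.dll|ReadData
2018-04-01T10:05:10|BACKUP-SRV|XRAY-CTRL-02|C$|Windows\\System32\\kernel32.dll|ReadData
2018-04-01T10:05:20|BACKUP-SRV|PACS-01|C$|Windows\\System32\\kernel32.dll|ReadData
"""


def parse_line(line: str) -> dict:
    """Split one pipe-delimited event into its fields."""
    ts, src, dst, share, path, access = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "share": share, "path": path, "access": access}


def is_exec_write_to_admin_share(ev: dict) -> bool:
    """Only executable writes into administrative shares count; reads and
    document writes to ordinary shares are normal traffic."""
    return (ev["access"] == "WriteData"
            and ev["share"] in ADMIN_SHARES
            and ev["path"].lower().endswith(EXEC_SUFFIXES))


def detect_share_spray(log_text: str, threshold: int = 3,
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {source_host: [distinct targets]} for every source that wrote an
    executable to admin shares on at least `threshold` hosts within `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if is_exec_write_to_admin_share(ev):
                by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event: distinct destinations reached
        # from this source within `window` of that event.
        for i, start in enumerate(evs):
            targets = {e["dst"] for e in evs[i:]
                       if e["ts"] - start["ts"] <= window}
            if len(targets) >= threshold:
                alerts[src] = sorted(targets)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in detect_share_spray(SAMPLE_LOG).items():
        print(f"ALERT {src} wrote an executable to admin shares on: {targets}")
```

On the constructed log only WS-RAD-07 is flagged: the administrator’s single patch copy and the backup server’s reads are below the threshold or the wrong access type. In a real deployment the threshold and window are tuned against the site’s own software-deployment traffic, and the alert should be enriched with the hash-independent file signature discussed earlier, since each dropped copy will carry a different hash.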