A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns.
Initially detailed in 2018, the malware is a custom backdoor associated with a threat actor tracked as Orangeworm, which has been active since at least 2015, mainly targeting organizations in the healthcare sector, but also launching attacks on industries somewhat related to healthcare, including IT, manufacturing, and logistics.
Attacks involving the Kwampirs Remote Access Trojan (RAT), the FBI says, have been ongoing since 2016, targeting healthcare, software supply chain, energy, and engineering organizations in the United States, Europe, Asia, and the Middle East. Financial institutions and prominent law firms were also targeted.
According to the FBI’s alert, while the backdoor does not include a wiper or destructive module components, there are code-based similarities with the data destruction malware Disttrack, which is better known as Shamoon.
The malware has been successfully employed in assaults on healthcare entities worldwide, including major transnational healthcare companies and local hospital organizations. In some cases, the infections spread across the enterprise networks, the FBI’s alert reads (PDF).
“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals,” the agency says.
The two-phased attacks start with the threat actor establishing broad and persistent access to the target network to ensure secondary payloads can be deployed and executed. Next, the attackers deliver additional Kwampirs components or payloads to further exploit the infected hosts.
Stealth has allowed the threat actor to maintain access to the infected networks for a long period of time, in some cases of up to 3 years. The attackers were also observed deploying a targeted module for detailed reconnaissance.
From the compromised networks, the attackers harvested information on primary and secondary domain controllers, engineer servers used to develop and test ICS products and instruments, software development servers storing source code, and file servers used as shared repositories for research and development (R&D).
Targeted supply-chain vendors provide multi-industry imaging business products and services, co-develop products with worldwide software companies and organizations in the enterprise resource planning (ERP) industry, and provide products and services supporting ICS maintenance functions.
Infections occur during mergers and acquisitions (spreading from one company to the other); during co-development processes, via shared resources; and via infected devices from supply-chain vendors that are installed on the customer LAN or cloud infrastructure.
“Kwampirs campaign actors have targeted companies in the imaging industry, to include networked scanner and copier-type devices, with domain access to customer networks. The FBI assesses these imaging vendors are targeted to gain access to customer networks, including remote or cloud management access, which could permit lateral CNE movement within victim networks,” the FBI says.
The alert also underlines the fact that the Kwampirs RAT’s modular design allows the attackers to engage in additional network exploitation activities through secondary modules. Moreover, these modules might not be remediated by endpoint protection solutions, the FBI also says.
Organizations that might have been infected are advised to contact their cybersecurity vendor and coordinate mitigation efforts with the FBI. In order to assist the agency, victims have been instructed to capture network traffic, create images of the infected hosts, capture web proxy logs and DNS and firewall logs, identify hosts communicating with C&C servers, and identify patient zero and attack vectors.