Security researchers at Symantec have uncovered a new hacking group that is aggressively targeting healthcare and related industries across the globe to conduct corporate espionage and compromise medical devices. The Orangeworm APT group was first spotted in January 2015 and appears to be focused mainly on the healthcare sector in the US, Europe and Asia. Experts have not yet determined the attackers' real motivation or origin; although the activity looks like corporate espionage, there is no evidence that the operation is backed by a nation-state actor.

Healthcare organizations make up about 39 percent of the victims. Beyond those, the group also targets related industries that serve the sector, such as healthcare providers, pharmaceuticals, IT solution providers and equipment manufacturers.

The hackers use a custom backdoor, dubbed Trojan.Kwampirs, to remotely control infected machines. Kwampirs was found on machines running the software used to operate and control high-tech imaging devices such as X-ray and MRI machines. Orangeworm was also observed infecting machines used to help patients complete consent forms for required procedures. The purpose behind this targeting is not clear.

The Infection:

  • Once Orangeworm has a foothold in the network, it deploys Trojan.Kwampirs and provides the attackers with remote access to the compromised computer.
  • Kwampirs creates a service named WmiApSrvEx with the display name "WMI Performance Adapter Extension" (a name chosen to blend in with the legitimate WMI Performance Adapter service, wmiApSrv). The service is configured to start automatically when the machine boots. It loads a DLL payload that Kwampirs extracts from its own binary, decrypts and writes to "%Windir%\System32\<filename.dll>".
  • The service command is: rundll32.exe "%Windir%\System32\<filename.dll>",ControlTrace -Embedding -k
  • The backdoor was observed collecting the following information about the infected machine:
    • Network adapter information
    • System version information
    • Language settings
  • In addition, it enumerates accessible network shares and copies itself to them in order to propagate:
    • ADMIN$
    • C$\WINDOWS
    • D$\WINDOWS
    • E$\WINDOWS
  • In general, Kwampirs makes little effort to hide itself and relies on old propagation methods such as copying itself to network shares. This works because the healthcare industry still runs legacy systems on older platforms designed for the medical community; older systems such as Windows XP are far more likely to remain in use in this industry than elsewhere.
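The persistence and propagation details above translate directly into host-based detection logic. The following Python is an added example written for this page; it is not Cynet's or Symantec's code. It classifies service-installation records (modeled on the fields of Windows System event 7045, "A service was installed in the system") by the Kwampirs service name and display name, and, more generally, by the rundll32 service command with the ControlTrace export and -Embedding switch, so a renamed service is still caught. It also flags file writes to the remote admin shares listed above. The event records, host names and DLL file names in the sample are constructed placeholders; the page does not give the real DLL name.

```python
import re

# A service ImagePath that hosts a DLL export in rundll32, e.g.
#   rundll32.exe "C:\Windows\System32\foo.dll",ControlTrace -Embedding -k
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*'
    r'(?P<export>[A-Za-z_]\w*)(?P<args>.*)$',
    re.IGNORECASE,
)

# Remote paths matching the shares Kwampirs copies itself to:
#   \\host\ADMIN$\...  or  \\host\<drive>$\WINDOWS\...
ADMIN_SHARE_RE = re.compile(r'^\\\\[^\\]+\\(?:ADMIN\$|[A-Z]\$\\WINDOWS)\\', re.IGNORECASE)

# Constructed service-install records (event 7045 style). Service names,
# hosts and DLL names other than WmiApSrvEx are invented for the example.
SAMPLE_EVENTS = [
    {"ServiceName": "wmiApSrv", "DisplayName": "WMI Performance Adapter",
     "ImagePath": r"C:\Windows\system32\wbem\WmiApSrv.exe", "StartType": "demand start"},
    {"ServiceName": "WmiApSrvEx", "DisplayName": "WMI Performance Adapter Extension",
     "ImagePath": r'rundll32.exe "C:\Windows\System32\wmiapsrvx.dll",ControlTrace -Embedding -k',
     "StartType": "auto start"},
    {"ServiceName": "PerfSvcEx", "DisplayName": "Performance Service Ext",
     "ImagePath": r'rundll32.exe "C:\Windows\System32\perfx.dll",ControlTrace -Embedding',
     "StartType": "auto start"},
    {"ServiceName": "Spooler", "DisplayName": "Print Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "StartType": "auto start"},
    {"ServiceName": "UpdSvc", "DisplayName": "Update Helper",
     "ImagePath": r'rundll32.exe "C:\Users\Public\upd.dll",Start', "StartType": "auto start"},
]


def parse_rundll32_command(image_path):
    """Split a rundll32-hosted ImagePath into (dll, export, args); None if not rundll32."""
    m = RUNDLL_RE.search(image_path)
    if not m:
        return None
    return m.group("dll"), m.group("export"), m.group("args").strip()


def classify_service(event):
    """Return (verdict, reason) for one service-install record."""
    name = event.get("ServiceName", "").lower()
    display = event.get("DisplayName", "").lower()
    auto = event.get("StartType", "").lower().startswith("auto")
    # 1. Exact indicators from the Orangeworm write-up.
    if name == "wmiapsrvex" or display == "wmi performance adapter extension":
        return "kwampirs", "service name/display name matches Kwampirs persistence"
    parsed = parse_rundll32_command(event.get("ImagePath", ""))
    if parsed is None:
        return "benign", ""
    dll, export, args = parsed
    # 2. Same service command under a different name.
    if export.lower() == "controltrace" and "-embedding" in args.lower():
        return "kwampirs", f"rundll32 {dll}!{export} {args} matches the Kwampirs service command"
    # 3. Any service hosted by rundll32 deserves a look; auto-start ones more so.
    prefix = "auto-start " if auto else ""
    return "suspicious", f"{prefix}service hosted by rundll32 ({dll}!{export})"


def scan_events(events):
    """Classify every record; returns (ServiceName, verdict, reason) tuples."""
    return [(e["ServiceName"],) + classify_service(e) for e in events]


def is_admin_share_drop(path):
    """True for a file write into ADMIN$ or <drive>$\\WINDOWS on a remote host."""
    return bool(ADMIN_SHARE_RE.match(path))


if __name__ == "__main__":
    for name, verdict, reason in scan_events(SAMPLE_EVENTS):
        print(f"{name:12} {verdict:10} {reason}")
    print(is_admin_share_drop(r"\\MRI-WS01\ADMIN$\payload.tmp"))
```

The name-based rule catches the documented persistence; the command-based rule is the one worth keeping long term, since a legitimate Windows service is practically never hosted in rundll32 with an -Embedding switch, while a renamed copy of the malware would slip past a name match. Pair it with file-server auditing of writes into ADMIN$ and C$\WINDOWS from workstation accounts to catch the lateral movement described above.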

How to Mitigate:

  • Cynet customers are protected. This threat will be detected by the Cynet endpoint scanner at runtime, on infected machines.
  • Most respected AV vendors detect this threat.
  • Monitoring for suspicious service installations (for example Windows System event ID 7045, "A service was installed in the system") can detect the malware's auto-start service.
  • Kwampirs may also register scheduled tasks on infected machines, so review those as part of the same sweep.
  • Infection on the file system can be found in the following locations:
    • %Windir%\inf\mtmndkb32.PNF
    • %Windir%\inf\digirps.PNF
    • %Windir%\inf\mkdiawb3.PNF
    • %Windir%\inf\ie11.PNF
    • %Temp%\[FILE NAME].tmp
    • %Windir%\System32\[.DLL FILE NAME]
  • The Trojan may contact the following command-and-control domains to download additional malware or receive further commands. Blocking these on the organizational firewall is recommended. Note that several entries in the list are incomplete (a bare top-level domain, or an IP address missing an octet); only the complete hostnames are usable as block-list entries. The shared URI structure, however, is usable as a proxy-log detection pattern: paths built from a handful of dictionary words (group, main, users, index, default, login, home, new), a .php, .asp or .aspx script name and a single q= parameter carrying encrypted data:
    • ikjservjfn.ca/group/main.php?q=[ENCRYPTED DATA]
    • fjrjfnjfnikjyhd.biz/users/group/index/default.aspx?q=[ENCRYPTED DATA]
    • pbnmainfjrikjikj.nl/main.php?q=[ENCRYPTED DATA]
    • 50.115.97/default.asp?q=[ENCRYPTED DATA]
    • com/newusers/main.php?q=[ENCRYPTED DATA]
    • biz/main/default/default.php?q=[ENCRYPTED DATA]
    • info/new/mainlogin.php?q=[ENCRYPTED DATA]
    • dswsite.nl/users/main.php?q=[ENCRYPTED DATA]
    • in/newnew/index/main.aspx?q=[ENCRYPTED DATA]
    • fr/mainhome/index.php?q=[ENCRYPTED DATA]
    • ca/mainhomemain.aspx?q=[ENCRYPTED DATA]
    • jfnnrjservncdn.nl/group/defaultdefaultlogin.asp?q=[ENCRYPTED DATA]
    • 19.47.135/group/homeindex.asp?q=[ENCRYPTED DATA]
    • nl/index/default.aspx?q=[ENCRYPTED DATA]
    • fjrdswkcnpowerjfn.nl/users/default.php?q=[ENCRYPTED DATA]
    • 52.54.90/default.php?q=[ENCRYPTED DATA]
    • nl/groupusers/homehomeindex.asp?q=[ENCRYPTED DATA]
    • co/group/mainloginmain.php?q=[ENCRYPTED DATA]
    • 96.137.35/main/default.asp?q=[ENCRYPTED DATA]
    • org/logindefault.php?q=[ENCRYPTED DATA]
    • ch/default/default.asp?q=[ENCRYPTED DATA]
    • fr/login.php?q=[ENCRYPTED DATA]
    • com/indexdefault.php?q=[ENCRYPTED DATA]
    • 36.79.40/users/main.asp?q=[ENCRYPTED DATA]
    • fjrnrjncdnyhdncj.com/new/main/default.asp?q=[ENCRYPTED DATA]
    • 103.89.112/new/homemain/main.aspx?q=[ENCRYPTED DATA]
    • 86.149.207/index.php?q=[ENCRYPTED DATA]
    • 31.30.28/new/main.php?q=[ENCRYPTED DATA]
    • info/usersusers/home/login/main.asp?q=[ENCRYPTED DATA]
    • dswfjrncjncdnyhd.nl/users/login/home.php?q=[ENCRYPTED DATA]
    • org/newgroup/home.php?q=[ENCRYPTED DATA]
    • 99.107.52/groupgroup/default.aspx?q=[ENCRYPTED DATA]
    • nl/groupnew/homedefault/home.php?q=[ENCRYPTED DATA]
    • tk/indexlogin/main.php?q=[ENCRYPTED DATA]
    • in/login.php?q=[ENCRYPTED DATA]
    • com/login.php?q=[ENCRYPTED DATA]
    • ch/home.php?q=[ENCRYPTED DATA]
    • ikjncdn.ch/loginindex.php?q=[ENCRYPTED DATA]
    • 120.61.142/users/default/main.aspx?q=[ENCRYPTED DATA]
    • org/default.aspx?q=[ENCRYPTED DATA]
    • yhdnrjjfnikj.in/users/home.asp?q=[ENCRYPTED DATA]
    • 140.87.79/index/loginmain.aspx?q=[ENCRYPTED DATA]
    • biz/main.php?q=[ENCRYPTED DATA]
    • ch/group/users/login/default.php?q=[ENCRYPTED DATA]
    • fr/usersusers/index.php?q=[ENCRYPTED DATA]
    • biz/new/loginindexlogin.aspx?q=[ENCRYPTED DATA]
    • ca/users/home.php?q=[ENCRYPTED DATA]
    • 38.100.106/login.php?q=[ENCRYPTED DATA]
    • mainnrj.nl/users/index/home.php?q=[ENCRYPTED DATA]
    • biz/default/homelogin.php?q=[ENCRYPTED DATA]
    • com/group/default.aspx?q=[ENCRYPTED DATA]
    • info/homehome/default.php?q=[ENCRYPTED DATA]
    • in/users/default.aspx?q=[ENCRYPTED DATA]
    • srvservikjdswnrj.in/index/home.aspx?q=[ENCRYPTED DATA]
    • com/group/users/loginindex.php?q=[ENCRYPTED DATA]
    • nl/group/main.asp?q=[ENCRYPTED DATA]
    • 72.47.18/users/users/home/indexindex.php?q=[ENCRYPTED DATA]
    • nl/new/main.asp?q=[ENCRYPTED DATA]
    • 106.41.39/groupusers/index.asp?q=[ENCRYPTED DATA]
    • in/home.asp?q=[ENCRYPTED DATA]
    • nl/default/loginlogin.php?q=[ENCRYPTED DATA]
    • biz/indexloginhome.asp?q=[ENCRYPTED DATA]
    • co/group/default.php?q=[ENCRYPTED DATA]
    • tk/homelogin.aspx?q=[ENCRYPTED DATA]
    • sitencjdswyhdserv.nl/loginhomemain.php?q=[ENCRYPTED DATA]
    • in/group/default/main/home.php?q=[ENCRYPTED DATA]
    • kcnyhd.ro/group/group/login/main/home.php?q=[ENCRYPTED DATA]
    • 42.100.90/usersgroup/home.asp?q=[ENCRYPTED DATA]
    • com/main.php?q=[ENCRYPTED DATA]
    • 116.80.23/newusers/homemain/home.php?q=[ENCRYPTED DATA]
    • 102.139.145/users/default/main.aspx?q=[ENCRYPTED DATA]
    • 59.119.64/defaultdefaultlogin.php?q=[ENCRYPTED DATA]
    • jfnncj.org/new/users/homeindex.aspx?q=[ENCRYPTED DATA]
    • fr/new/loginhome.php?q=[ENCRYPTED DATA]
    • nl/group/mainindexlogin.php?q=[ENCRYPTED DATA]
    • 22.134.10/groupusers/default.php?q=[ENCRYPTED DATA]
    • dswkcnncdnsrv.info/group/new/index.php?q=[ENCRYPTED DATA]
    • pbnmainkcn.cn/users/users/default.php?q=[ENCRYPTED DATA]
    • 11.88.108/login.php?q=[ENCRYPTED DATA]
    • 27.122.119/users/users/homeindex/login.php?q=[ENCRYPTED DATA]
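The C2 list above supports two kinds of network detection: an exact match on the hostnames that survived intact, and a structural match on the beacon URL shape they all share. The following Python is an added example written for this page, not code from Cynet or Symantec. It takes the complete hostnames from the list verbatim, treats the truncated entries as unusable, and implements the URL-shape heuristic as a separate, lower-confidence signal. The proxy log lines, client addresses and q= values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Complete hostnames from the C2 list. Entries that survived only as a bare
# TLD or a three-octet IP fragment are omitted: they cannot be matched.
KWAMPIRS_C2_HOSTS = {
    "ikjservjfn.ca", "fjrjfnjfnikjyhd.biz", "pbnmainfjrikjikj.nl", "dswsite.nl",
    "jfnnrjservncdn.nl", "fjrdswkcnpowerjfn.nl", "fjrnrjncdnyhdncj.com",
    "dswfjrncjncdnyhd.nl", "ikjncdn.ch", "yhdnrjjfnikj.in", "mainnrj.nl",
    "srvservikjdswnrj.in", "sitencjdswyhdserv.nl", "kcnyhd.ro", "jfnncj.org",
    "dswkcnncdnsrv.info", "pbnmainkcn.cn",
}

# Vocabulary the beacon paths are assembled from, e.g. /users/login/home.php
# or /group/defaultdefaultlogin.asp (words may be concatenated).
PATH_WORDS = ("group", "main", "users", "index", "default", "login", "home", "new")
_WORDS = "|".join(PATH_WORDS)
DIR_RE = re.compile(rf"^(?:{_WORDS})+$")
SCRIPT_RE = re.compile(rf"^(?:{_WORDS})+\.(?:php|asp|aspx)$")
# The q= value is an opaque encrypted blob: URL-safe characters, no spaces.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def _split(url):
    return urlsplit(url if "://" in url else "http://" + url)


def looks_like_kwampirs_beacon(url):
    """Structural match on the beacon URL shape from the IOC list (heuristic)."""
    parts = _split(url)
    segments = [s for s in parts.path.split("/") if s]
    if not segments or not SCRIPT_RE.match(segments[-1].lower()):
        return False
    if not all(DIR_RE.match(s.lower()) for s in segments[:-1]):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return set(params) == {"q"} and len(params["q"]) == 1 and bool(BLOB_RE.match(params["q"][0]))


def classify_request(url):
    """'known_c2' on a listed host, 'c2_pattern' on the URL shape, else 'clean'."""
    host = (_split(url).hostname or "").lower()
    if host in KWAMPIRS_C2_HOSTS:
        return "known_c2"
    if looks_like_kwampirs_beacon(url):
        return "c2_pattern"
    return "clean"


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# Hosts other than ikjservjfn.ca and every q= value are invented.
SAMPLE_PROXY_LOG = """\
2018-04-24T10:15:02Z 10.1.4.22 GET http://ikjservjfn.ca/group/main.php?q=ZGF0YS1ibG9iLWV4YW1wbGU= 200
2018-04-24T10:15:09Z 10.1.4.22 GET http://intranet.example/users/login.php?q=patient%20portal 200
2018-04-24T10:16:41Z 10.1.7.5 GET http://unknown-host.example/users/login/home.php?q=aXMtdGhpcy1hLWJlYWNvbg== 200
2018-04-24T10:17:03Z 10.1.7.5 GET http://www.example.com/index.php?q=abcdefghijklmnopqrstuvwx 200
"""


def scan_proxy_log(text):
    """Return (client, verdict, url) for every non-clean request in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        verdict = classify_request(url)
        if verdict != "clean":
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client:10} {verdict:10} {url}")
```

The two verdicts deserve different handling. A known_c2 hit is a block-and-investigate event. A c2_pattern hit is a triage signal only: the fourth sample line, a perfectly ordinary /index.php?q=... request, matches the shape too, which is why the heuristic should feed a review queue (ideally enriched with domain age or reputation) rather than a firewall rule. The partial IP addresses in the list cannot be used at all and should not be turned into /24 blocks by guessing the missing octet.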