Kwampirs malware is a backdoor Trojan that targets healthcare organizations and infects computers connected to medical equipment
Kwampirs malware is a backdoor that allows the threat actors to take over the machine and spread the malicious payload across network shares
Kwampirs is malware with worm-like capabilities, used mainly by the Orangeworm hacking group to carry out corporate espionage attacks. According to security researchers from Symantec, who first detected and analyzed the Trojan back in January 2015, it is mainly used to attack organizations in the healthcare sector in the USA, Asia, and Europe. Kwampirs malware was also used to attack other industries as a means of reaching the main target – secondary targets include companies in IT, logistics, manufacturing, and other fields.
Kwampirs backdoor is a custom-made malware that performs the system modifications required to gain persistence and remain undetected – essentially, it gives attackers complete control over the infected machine. After gathering enough information about the initial target, it spreads laterally across the entire network, gathering more data in the process.
| Field | Details |
|---|---|
| Also known as | Trojan.Kwampirs |
| Associated groups | Orangeworm – a cybercriminal gang operated by a small number of individuals and unlikely to be government-sponsored |
| Targets | Healthcare organisations and their suppliers in the USA, Asia and Europe |
| Symptoms | Usually no visible symptoms of infection; only the presence of malicious files, processes and services (WmiApSryEx – WMI Performance Adapter Extension) serves as an indicator. The files are known to be copied to the ADMIN$, C$\WINDOWS, D$\WINDOWS and E$\WINDOWS shares |
| Removal | To get rid of the Kwampirs Trojan, scan the infected machine with the most up-to-date anti-malware software |
| System fix | To repair compromised system files, use Reimage Cleaner |
Kwampirs malware does not immediately deploy its main payload, but rather first analyzes the initial machine – the attackers first ensure that the target is worth infecting. The initial check includes gathering data about a network adapter, system version, and language settings – if the target is indeed what malicious actors were looking for, they proceed with further actions.
Before spreading laterally via the network, Kwampirs malware decrypts its main payload and inserts a random string into it before writing it to disk, so that every copy has a different file hash and evades anti-malware detection that relies on hash lookups. This behavior is typical of polymorphic malware. Finally, the Kwampirs virus copies its main payload across network shares, infecting other machines in the process.
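The paragraph above describes why a hash-based indicator is weak against this payload: each copy carries a different random string, so each has a different hash. The following Python example is added here and is not code from the article or from Symantec. It uses three constructed byte strings standing in for dropped payload copies (identical except for a short token at a fixed offset, which is the behaviour the article attributes to Kwampirs) and compares a SHA-256 blocklist, a content signature on the invariant bytes, and a normalized hash with the variable region masked. The marker bytes, the token length and its offset are assumptions made for the demonstration.

```python
"""Hash-only detection versus content-based detection for payload copies
that differ only by an inserted random string.

Added example, not code from the article or from Symantec. The three
"samples" are CONSTRUCTED byte strings standing in for a dropped payload;
marker text, token length and token offset are assumptions.
"""
import hashlib

# Constructed invariant parts of the demo payload: a fake PE-style header,
# a recognisable body marker, and a fixed tail.
INVARIANT_HEAD = b"MZ\x90\x00" + b"\x00" * 12 + b"[demo payload body]"
INVARIANT_TAIL = b"[end of demo body]"
TOKEN_LEN = 6  # length of the per-copy random token (assumed fixed)

# One constructed sample per infected host; only the inserted token differs.
SAMPLES = {
    "host-a": INVARIANT_HEAD + b"q7Xg2L" + INVARIANT_TAIL,
    "host-b": INVARIANT_HEAD + b"Zp09mT" + INVARIANT_TAIL,
    "host-c": INVARIANT_HEAD + b"k3Hv8R" + INVARIANT_TAIL,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hits(samples: dict, blocklist: set) -> list:
    """Hosts whose sample hash is on a SHA-256 blocklist (exact match only)."""
    return sorted(h for h, data in samples.items() if sha256_hex(data) in blocklist)


def content_signature_hits(samples: dict) -> list:
    """Hosts whose sample starts with the invariant head and later contains
    the invariant tail, whatever was inserted between them (a simple
    YARA-style rule on stable bytes instead of the whole-file hash)."""
    hits = []
    for host, data in samples.items():
        head = data.find(INVARIANT_HEAD)
        tail = data.find(INVARIANT_TAIL)
        if head == 0 and tail > head:
            hits.append(host)
    return sorted(hits)


def normalized_hash(data: bytes) -> str:
    """Hash of the sample with the variable token masked out. This needs an
    analyst to have located where the random token sits, but it then gives
    one stable value for every copy."""
    start = len(INVARIANT_HEAD)
    masked = data[:start] + b"\x00" * TOKEN_LEN + data[start + TOKEN_LEN:]
    return sha256_hex(masked)


if __name__ == "__main__":
    hashes = {h: sha256_hex(d) for h, d in SAMPLES.items()}
    print("distinct SHA-256 values:", len(set(hashes.values())))
    print("blocklist (host-a hash only) hits:",
          hash_blocklist_hits(SAMPLES, {hashes["host-a"]}))
    print("content signature hits:", content_signature_hits(SAMPLES))
    print("distinct normalized hashes:",
          len({normalized_hash(d) for d in SAMPLES.values()}))
```

Running it shows three distinct SHA-256 values, a blocklist built from one copy catching only that one host, and both the content signature and the normalized hash covering all three copies. The practical lesson for responders is to share content or behaviour indicators (service name, drop paths, stable byte sequences) rather than only file hashes when a family randomizes its payload.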
Kwampirs malware performs various system changes:
- Creates a new service, WmiApSryEx, with the display name WMI Performance Adapter Extension;
- Copies various malicious files into the ADMIN$, C$\WINDOWS, D$\WINDOWS, and E$\WINDOWS shares;
- Downloads additional files from the Command & Control server;
- Uses rundll32.exe to modify the Registry as one of its persistence mechanisms, etc.
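The system changes listed above translate directly into host indicators a defender can hunt for. The following Python example is added here and is not code from the article or from Symantec. It runs simple detection logic over constructed endpoint telemetry (one JSON record per line): a service install matching the WmiApSryEx name or display name, file writes to ADMIN$ or drive$\WINDOWS shares on other hosts, and a rundll32.exe-driven registry write to a Run key. The field names are an assumed schema, not a real Sysmon or EDR format, and the Run key is an assumption about which registry location is modified, since the article only says rundll32.exe modifies the Registry. The last record is the legitimate Windows "WMI Performance Adapter" service (WmiApSrv), included to show that the lookalike name does not trigger.

```python
"""Detection logic for the Kwampirs host indicators listed above.

Added example, not code from the article or from Symantec. The event
records are CONSTRUCTED; field names are an assumed schema, and the Run
key is an assumption about the registry location rundll32 modifies.
"""
import json
import re

# Indicators from the article.
SERVICE_NAME = "wmiapsryex"
SERVICE_DISPLAY = "wmi performance adapter extension"
# \\host\ADMIN$\... or \\host\<drive>$\WINDOWS\... ; group 1 is the target host.
SHARE_PATH_RE = re.compile(r"^\\\\([^\\]+)\\(?:ADMIN\$|[A-Z]\$\\WINDOWS)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.IGNORECASE)

# Constructed telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"type": "service_install", "host": "ws-radiology-01", "service_name": "WmiApSryEx", "display_name": "WMI Performance Adapter Extension", "image": "C:\\Windows\\System32\\WmiApSryEx.dll"}
{"type": "file_create", "host": "ws-radiology-01", "path": "\\\\ws-billing-07\\ADMIN$\\WmiApSryEx.dll", "process": "C:\\Windows\\System32\\svchost.exe"}
{"type": "file_create", "host": "ws-radiology-01", "path": "\\\\ws-mri-03\\C$\\WINDOWS\\WmiApSryEx.dll", "process": "C:\\Windows\\System32\\svchost.exe"}
{"type": "file_create", "host": "ws-radiology-01", "path": "C:\\Users\\nurse\\Documents\\intake_form.pdf", "process": "C:\\Program Files\\Reader\\reader.exe"}
{"type": "registry_set", "host": "ws-radiology-01", "process": "C:\\Windows\\System32\\rundll32.exe", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WmiApSryEx"}
{"type": "service_install", "host": "ws-billing-07", "service_name": "wmiApSrv", "display_name": "WMI Performance Adapter", "image": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe"}
"""


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(ev: dict) -> list:
    """Indicator names hit by a single event (empty list if nothing matched)."""
    hits = []
    kind = ev.get("type")
    if kind == "service_install":
        if (ev.get("service_name", "").lower() == SERVICE_NAME
                or ev.get("display_name", "").lower() == SERVICE_DISPLAY):
            hits.append("kwampirs_service")
    elif kind == "file_create":
        if SHARE_PATH_RE.match(ev.get("path", "")):
            hits.append("admin_share_drop")
    elif kind == "registry_set":
        proc = ev.get("process", "").lower()
        if proc.endswith("rundll32.exe") and RUN_KEY_RE.search(ev.get("key", "")):
            hits.append("rundll32_run_key")
    return hits


def scan(text: str) -> dict:
    """Map each host with at least one hit to its sorted list of indicators."""
    findings = {}
    for ev in parse_events(text):
        for hit in check_event(ev):
            findings.setdefault(ev["host"], set()).add(hit)
    return {host: sorted(hits) for host, hits in findings.items()}


def lateral_targets(text: str) -> set:
    """Remote hosts that received a drop on an admin share: the machines to
    isolate and scan next, since the worm copies itself across shares."""
    targets = set()
    for ev in parse_events(text):
        if ev.get("type") == "file_create":
            m = SHARE_PATH_RE.match(ev.get("path", ""))
            if m:
                targets.add(m.group(1).lower())
    return targets


if __name__ == "__main__":
    print("findings:", scan(SAMPLE_EVENTS))
    print("hosts written to over admin shares:", sorted(lateral_targets(SAMPLE_EVENTS)))
```

The `lateral_targets` output is the useful part during response: the article later advises isolating every connected machine, and a list of hosts that actually received a copy over ADMIN$ or C$\WINDOWS lets you prioritise which ones to disconnect and scan first.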
Kwampirs is malicious software that is utilized by cybercriminal group Orangeworm to steal corporate information from a machine connected to medical equipment
Symantec researchers said that the Kwampirs virus was found on computers connected to high-end medical equipment, such as MRI and X-ray machines, as well as on machines used to process patient forms required for upcoming medical procedures. Notably, the attackers appear to be interested not in credentials or sensitive patient data, but in the machines themselves.
As it turned out, the Kwampirs Trojan copied images and collected lists of files, manufacturer details, processor type, hostname, list of connections, running processes, and other specific information. Nevertheless, experts noted that new modules might be introduced should the threat actors wish to do so.
Carefully selected victims
According to experts' findings, 39% of the infected hosts came from the healthcare industry, manufacturing – 15%, IT – 15%, logistics – 8%, agriculture – 8%, while the remaining 15% of victims were unidentified.
Researchers found that most Kwampirs targets were located in the US:
The biggest number of Orangeworm’s victims are located in the U.S., accounting for 17 percent of the infection rate by region. While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec telemetry, we have seen infections in multiple countries due to the nature of the victims operating large international corporations.
The Kwampirs Trojan is most prevalent on outdated systems like Windows XP, which are still widespread across various industries. In most cases, this is because professional equipment depends on old operating system platforms. Nevertheless, most of these old systems can still be protected with advanced anti-malware solutions.
Those infected should immediately scan the affected equipment with anti-malware software to remove Kwampirs malware and all its malicious files. To repair the operating system, Reimage Cleaner can be used.
Kwampirs is a custom Trojan that is used by malicious actors to attack companies and organizations in the USA, Asia, and Europe
Malware distributed via targeted attacks
Because Kwampirs is malware that attacks corporate targets, it uses targeted attack vectors to infiltrate computers of interest worldwide. In most cases, such attacks are performed via targeted phishing email attachments or hyperlinks, inadequately protected Remote Desktop connections, or exploits. As mentioned above, the malware mainly targets old operating systems like Windows XP – these unsupported systems are inherently flawed and risky to use.
To mitigate and prevent malware attacks, the following must be taken as a precautionary measure:
- Invest in comprehensive security software that can block most of the malware attacks;
- Enable the firewall to prevent unsolicited network intrusions;
- Apply the latest security patches to all your software as well as the operating system;
- Use complex passwords that consist of alphanumeric characters or employ a password manager;
- Configure the email server so that all emails with attachments are automatically blocked;
- Protect your Remote Desktop connections properly (for example, never use a default RDP port);
- Turn off file sharing if not required for a prolonged period;
- Restrict user access to the internet – prevent users from downloading files;
- Disable autoplay function to prevent executables from being launched immediately after download.
The only way to remove Kwampirs malware is by performing a full system scan with anti-virus software
Kwampirs malware is a worm, so it propagates by itself. Therefore, if the infected machine had any network connections, it is highly likely that most or all of the connected machines got infected as well. To successfully remove Kwampirs malware, you need to isolate all the infected computers (disconnect them from the network), block all the ports, and perform a full system scan with the most up-to-date anti-malware software in Safe Mode. Note that you should also disable System Restore and then restart the infected machine, to rule out the infected files coming back from a restore point.
Finally, after Kwampirs malware removal, you should change all passwords for every single machine, and only then re-establish a network connection. Note, you should also report the malware attack to the appropriate law enforcement agencies.