Researchers from Symantec have discovered a new hacking group, named Orangeworm, targeting the healthcare sector in the U.S., Europe, and Asia.
The group's activity was first observed in January 2015. The attackers deploy a custom-built backdoor trojan named Kwampirs, which gives them remote access to the compromised computer.
When the malware is executed, it decrypts and extracts a copy of its main DLL payload from its resource section. It also inserts a randomly generated string into the middle of the decrypted payload, so every dropped copy carries a different file hash and detection that relies on matching known hashes fails.
“To ensure persistence, Kwampirs creates a service with the following configuration to ensure that the main payload is loaded into memory upon system reboot:
“The backdoor also collects some rudimentary information about the compromised computer including some basic network adapter information, system version information, and language settings.”
Once a system is infected, the malware cycles through a large list of command and control (C&C) servers embedded in the binary. Not every address in the list is active, so the backdoor keeps beaconing to them in turn until a connection is established.
The attackers were also observed targeting organizations related to the healthcare sector, including healthcare providers, manufacturers, pharmaceutical companies, and IT solution providers.
According to Symantec, roughly 40 percent of Orangeworm's targets were organizations operating in the healthcare industry, and about 17 percent of victims were located in the U.S.
Researchers also found Kwampirs on devices such as X-ray and MRI machines, and on machines that help patients complete forms and other procedures.
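That beaconing pattern, one internal host walking through many distinct external addresses with most attempts failing before one finally connects, is visible in perimeter logs. The Python below is an added detection example, not code from the article or from Symantec: it runs over constructed firewall log lines in a hypothetical `time src= dst= result=` format (no real Orangeworm infrastructure; the addresses are documentation ranges) and flags any source whose run of failed connections to distinct destinations exceeds a threshold within a time window, reporting the destination that eventually answered, since that is the live C&C an incident responder wants to block first. The thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not real traffic). 10.0.5.17 walks a C&C list and
# finally connects; 10.0.5.20 is normal browsing; 10.0.5.21 is a single timeout.
LOG_LINES = """\
2018-04-23T10:00:01 src=10.0.5.17 dst=203.0.113.10:443 result=timeout
2018-04-23T10:00:02 src=10.0.5.20 dst=93.184.216.34:443 result=established
2018-04-23T10:00:06 src=10.0.5.17 dst=203.0.113.11:443 result=timeout
2018-04-23T10:00:11 src=10.0.5.17 dst=203.0.113.12:443 result=refused
2018-04-23T10:00:16 src=10.0.5.17 dst=203.0.113.13:443 result=timeout
2018-04-23T10:00:20 src=10.0.5.21 dst=198.51.100.42:443 result=timeout
2018-04-23T10:00:21 src=10.0.5.17 dst=203.0.113.14:443 result=timeout
2018-04-23T10:00:26 src=10.0.5.17 dst=203.0.113.15:443 result=refused
2018-04-23T10:00:31 src=10.0.5.17 dst=198.51.100.7:443 result=established
2018-04-23T10:00:40 src=10.0.5.20 dst=93.184.216.34:443 result=established
""".splitlines()

# Hypothetical log format assumed for this example.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) result=(\S+)$")


def parse(lines):
    """Yield (timestamp, src, dst, result) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, result))
    return events


def find_c2_walkers(lines, min_failed_dsts=5, window_seconds=300):
    """Flag sources that fail against many distinct destinations in a row.

    For each source, events are scanned in time order. A run of consecutive
    failures to *distinct* destinations is tracked; when an "established"
    result ends a run of at least `min_failed_dsts` inside `window_seconds`,
    the source is flagged together with the address that finally answered.
    A run that never succeeds (all C&Cs dead so far) is still flagged.
    """
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[1]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        run = []  # list of (timestamp, dst) for the current failure run
        for ts, _, dst, result in evs:
            if result != "established":
                if dst not in [d for _, d in run]:
                    run.append((ts, dst))
                continue
            long_enough = len(run) >= min_failed_dsts
            in_window = run and (ts - run[0][0]).total_seconds() <= window_seconds
            if long_enough and in_window:
                hits[src] = {"failed_destinations": [d for _, d in run],
                             "first_success": dst}
            run = []  # a success (flagged or not) ends the run
        if src not in hits and len(run) >= min_failed_dsts:
            hits[src] = {"failed_destinations": [d for _, d in run],
                         "first_success": None}
    return hits


if __name__ == "__main__":
    for src, info in find_c2_walkers(LOG_LINES).items():
        print(src, "failed", len(info["failed_destinations"]),
              "destinations, then reached", info["first_success"])
```

In production you would restrict the rule to outbound traffic toward non-RFC1918 addresses and tune the thresholds against baseline noise (update checks and CDN fallbacks also produce short failure runs), but the shape of the signal, many distinct failed destinations from one host in a short span, is what distinguishes a backdoor walking an embedded C&C list from ordinary connectivity problems.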
“At this point, the attackers proceed to gather as much additional information about the victim’s network as possible, including any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer,” Symantec said in its post.
The malware relies on techniques that are only viable on older operating systems such as Windows XP, which is one reason the group targets healthcare, an industry in which many organizations still run Windows XP.