
Newcomer cybergang Orangeworm targeting healthcare sector

The healthcare industry is under attack by a new cybergang named Orangeworm, which is striking with the Kwampirs backdoor.

The previously unknown group was identified by Symantec after it systematically attacked the healthcare sector and affiliated groups, primarily large organizations, in the United States, Europe and Asia. The related victims include equipment vendors, pharmaceuticals and IT solution providers for healthcare, Symantec reported.

Orangeworm does not exclusively target healthcare, but that sector receives the majority of the group's attention: Symantec found that 40 percent of its attacks hit that industry, 15 percent targeted IT, 15 percent manufacturing, 8 percent logistics, and the remainder unknown targets.

“The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures,” the report stated.

The general consensus is that the malicious actors are attempting corporate espionage. Attribution, as always, is difficult, but Symantec believes Orangeworm is likely operated either by an individual or a small group and not a nation-state actor.

Jon DiMaggio, senior threat intelligence analyst for Symantec Security Response, told SC Media that not only is attribution difficult, but little is known regarding how the initial infection is accomplished.

“We are still trying to validate this information. We do have a theory, however, which is based on evidence collected in our investigation. We theorize that the victims were initially infected by phishing emails, as well as compromising medical devices that had open connections to the public facing internet. Since some medical devices run legacy technologies to run medical software, it would leave the systems vulnerable to older, easily exploitable vulnerabilities,” he said.

Once inside, the malware deploys the backdoor Trojan.Kwampirs to provide the attacker with remote access to the computer. A copy of the malware's primary DLL payload is then extracted and obfuscated with some extra code before it is dropped. The software then creates persistence by loading the main payload into memory so that it will be accessed upon reboot.

The attacker, through the backdoor, also collects the system's basic network adapter information, system version information, and language settings. Symantec researchers believe this data is used to determine whether the target is of high value or possibly a honeypot.

Once the target computer is judged to be a worthwhile victim, the backdoor is spread laterally to other devices on the network. It does this by copying itself over network shares, a method Symantec recognizes as old-fashioned, but one that works well on systems running older operating systems like XP, a practice of which many healthcare facilities are guilty.

When this is accomplished, Kwampirs extracts information about the networks, connected servers, the operating systems in use, hostnames, the routing table for network interfaces, configured MAC addresses, IP addresses and a list of local accounts with administrative access.

Kwampirs also uses what Symantec described as a particularly “noisy” method of searching for a command and control server, essentially pinging a large number of C2 servers in its list until it finds one that is functioning. This makes Symantec's researchers believe the malware's owners are not concerned about being spotted, which most likely means the current attack methodology is successful and does not have to be altered.
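The sweep-and-fail pattern described above is the kind of behaviour a defender can pick out of egress logs: one internal host trying many distinct external destinations in quick succession, with most attempts failing before one succeeds. The following is an added illustration, not code from the Symantec report or this article; the log format, addresses and thresholds are constructed.

```python
"""Flag internal hosts that sweep through many candidate servers, most of which fail."""
from collections import defaultdict

# Constructed firewall-style egress log: timestamp src dst:port result.
# 10.0.5.21 behaves like the noisy C2 search described for Kwampirs;
# 10.0.5.40 is ordinary traffic with a single transient failure.
SAMPLE_LOG = """\
2018-04-23T10:00:01 10.0.5.21 203.0.113.10:443 REFUSED
2018-04-23T10:00:02 10.0.5.21 203.0.113.11:443 TIMEOUT
2018-04-23T10:00:03 10.0.5.21 203.0.113.12:443 TIMEOUT
2018-04-23T10:00:04 10.0.5.21 203.0.113.13:443 REFUSED
2018-04-23T10:00:05 10.0.5.21 203.0.113.14:443 TIMEOUT
2018-04-23T10:00:06 10.0.5.21 203.0.113.15:443 ALLOWED
2018-04-23T10:00:07 10.0.5.40 198.51.100.7:443 ALLOWED
2018-04-23T10:00:08 10.0.5.40 198.51.100.7:443 ALLOWED
2018-04-23T10:00:09 10.0.5.40 198.51.100.8:443 TIMEOUT
"""

FAILURES = {"REFUSED", "TIMEOUT"}


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, result)."""
    ts, src, dst, result = line.split()
    return ts, src, dst.rsplit(":", 1)[0], result


def find_noisy_hosts(log_text, min_distinct=5, min_fail_ratio=0.6):
    """Return {src: (distinct_destinations, fail_ratio)} for sources that
    contacted at least min_distinct different hosts and failed at least
    min_fail_ratio of the time. Thresholds are illustrative assumptions."""
    dsts = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, result = parse_line(line)
        dsts[src].add(dst)
        attempts[src] += 1
        if result in FAILURES:
            failures[src] += 1
    flagged = {}
    for src, total in attempts.items():
        ratio = failures[src] / total
        if len(dsts[src]) >= min_distinct and ratio >= min_fail_ratio:
            flagged[src] = (len(dsts[src]), round(ratio, 2))
    return flagged
```

Tune the thresholds to the environment's baseline; a patching or update host that legitimately fans out to many mirrors will otherwise trip the same rule.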

Even though Symantec is just releasing its knowledge of the Orangeworm group to the public it has been tracking the malware and helping its victims for several years. Symantec first spotted the group in 2016, but a further examination of Symantec's telemetry allowed researchers to identify historical attacks dating back to 2015, DiMaggio said.

“While we are just now going public with the information, we have been working with victims and the healthcare community for some time now in relation to these attacks. We felt it was important from a security perspective to make the attacks public so other organizations are aware and can better protect themselves moving forward,” DiMaggio said.
