The FBI has issued a warning reminding the healthcare sector and other industries about the ongoing supply-chain attacks that deliver the Kwampirs malware, attributed to the Orangeworm group.
Targeted industries include healthcare, software supply chain, energy, and engineering across the United States, Europe, Asia, and the Middle East, as well as financial institutions and prominent law firms. According to the agency, the attacks have been ongoing since 2016.
Kwampirs is a modular Remote Access Trojan (RAT) used to gain and keep access to victim machines. The backdoor does not itself contain a wiper or any destructive module, but it shares code with the data-destruction malware Disttrack, better known as Shamoon.
“Targeted entities range from major transnational healthcare companies to local hospital organizations. The scope of infections has ranged from localized infected machine(s) to enterprise infections. During these campaigns, the Kwampirs RAT performed daily command and control communications with malicious IP addresses and domains that were hard-coded in the Kwampirs RAT malware,” the alert reads.
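The alert's operational detail is that the RAT beaconed to a fixed set of hard-coded IPs and domains on a daily cycle. That regularity is itself a detection signal: even before the published indicators are loaded, a destination that one host contacts at almost exactly 24-hour intervals stands out in proxy or DNS logs. The script below is an added example written for this article, not code from the FBI alert. It parses a constructed proxy log (timestamp, source IP, destination host), computes the inter-contact intervals per source/destination pair, and flags pairs whose intervals cluster tightly around an expected period; the `KNOWN_C2` set is a hypothetical placeholder for the alert's indicator list, not real Kwampirs infrastructure.

```python
"""Flag periodic (e.g. daily) beaconing in proxy logs.

Added example, not part of the FBI alert. The log lines and the
KNOWN_C2 set are constructed for illustration; they are not real
Kwampirs indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <dest_host>" per line.
# Host 10.20.5.17 contacts updates.example.net once a day with a few
# seconds of jitter, mixed with ordinary browsing traffic.
SAMPLE_LOG = """\
2020-03-02T09:14:03 10.20.5.17 updates.example.net
2020-03-02T09:15:11 10.20.5.17 www.example.org
2020-03-03T09:14:05 10.20.5.17 updates.example.net
2020-03-03T14:02:40 10.20.5.17 cdn.example.com
2020-03-04T09:13:59 10.20.5.17 updates.example.net
2020-03-04T11:31:02 10.20.5.17 www.example.org
2020-03-05T09:14:10 10.20.5.17 updates.example.net
2020-03-05T09:14:12 10.20.5.42 www.example.org
2020-03-06T09:14:01 10.20.5.17 updates.example.net
2020-03-07T09:14:06 10.20.5.17 updates.example.net
"""

# Hypothetical indicator set standing in for the hard-coded C2 domains
# the alert publishes; a real deployment would load the FBI list instead.
KNOWN_C2 = frozenset({"updates.example.net"})


def parse_log(text):
    """Group contact timestamps by (source IP, destination host)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dest = line.split()
        sessions[(src, dest)].append(datetime.fromisoformat(ts))
    return sessions


def beacon_stats(times):
    """Return (mean interval in seconds, relative jitter) for a contact series.

    Relative jitter is the population standard deviation of the intervals
    divided by their mean, so 0.0 means perfectly regular contacts.
    """
    times = sorted(times)
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not intervals:
        return None
    m = mean(intervals)
    jitter = pstdev(intervals) / m if m > 0 else float("inf")
    return m, jitter


def find_beacons(log_text, expected_period=86400.0, tolerance=0.05,
                 min_hits=4, known_c2=frozenset()):
    """Flag (src, dest) pairs whose contacts recur close to expected_period.

    A pair is flagged when it has at least min_hits contacts, its mean
    interval is within `tolerance` of expected_period, and its relative
    jitter is at or below `tolerance`. Each hit records whether the
    destination also appears in the supplied indicator set.
    """
    hits = []
    for (src, dest), times in parse_log(log_text).items():
        if len(times) < min_hits:
            continue
        m, jitter = beacon_stats(times)
        period_ok = abs(m - expected_period) / expected_period <= tolerance
        if period_ok and jitter <= tolerance:
            hits.append({
                "src": src,
                "dest": dest,
                "count": len(times),
                "mean_interval_s": round(m, 1),
                "jitter": round(jitter, 4),
                "known_c2": dest in known_c2,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG, known_c2=KNOWN_C2):
        print(hit)
```

The period and jitter thresholds are deliberately tight here because the alert describes a daily cycle; loosening `tolerance` catches implants that add random sleep, at the cost of more false positives from legitimate schedulers such as update checks, so any flagged pair still needs the published indicators or host-side evidence before it is treated as an infection.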
According to the FBI, the Kwampirs operators compromised a large number of hospitals worldwide through vendor software supply chains and hardware products. The compromised vendors included makers of software used to manage industrial control system (ICS) assets in hospitals, which gave the malware a trusted path into otherwise segmented environments.
The attacks proceed in two phases. In the first, the threat actor establishes a broad and persistent presence on the targeted network so that secondary payloads can later be delivered and executed. In the second, additional Kwampirs components or other malware are delivered to exploit the infected network further.
This approach allowed the threat actors to remain on target networks for long periods, ranging from 3 to 36 months.
Once a network had been compromised, the attackers collected information on a wide range of high-value systems: primary and secondary domain controllers, engineering servers used to develop and test ICS products and instruments, software development servers holding source code, and file servers used as shared repositories for research and development (R&D). The interest in build and source servers is what makes these intrusions a supply-chain threat rather than a single-victim one.
Indicators of compromise and YARA rules for identifying the Kwampirs malware are provided in the FBI alert.