Delaware, USA – April 24, 2018 – Researchers from Symantec have discovered a new hacker group that targets organizations tied to the healthcare industry in the United States, Europe and Asia. The Orangeworm APT group has been active since at least January 2015; the attackers use the custom Kwampirs backdoor to obtain remote access to infected systems. The malware evades hash-based security solutions, collects information about the system and the network, transfers it to a command-and-control (C&C) server, and then copies itself to all open network shares. After the initial infection, Kwampirs makes no attempt to act silently: its lateral movement and its connections to C&C servers leave many traces in logs. Despite this, the Orangeworm APT group managed to operate under the radar for three years, and its tools and techniques have not changed significantly.
The attackers’ objectives are not yet clear. The primary goal of the campaign may be stealing medical records for subsequent sale on underground resources. The attacks may also be part of a corporate espionage campaign, since the group backdoored systems connected to high-tech medical equipment. The backdoor’s aggressive behavior makes it detectable with a SIEM and the APT Framework use case, which alerts administrators to malware lateral movement attempts and suspicious connections.