‘Orangeworm’ Virus Targets Healthcare Sector
Hackers known as Orangeworm are installing a backdoor malware called Trojan.Kwampirs within large corporations in the healthcare sector in the United States, Europe, and Asia, the cyber-defense firm Symantec says.
“First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims,” Symantec says in a blog post.
“Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage,” Symantec says.
Kwampirs was found on software used for X-Rays and MRIs, and the malware also targets systems used to assist patients in completing consent forms for required procedures.
Orangeworm’s motives with the Kwampirs malware are not clear, but Symantec says it is likely the work of an individual or a small group of hackers, and the goal is corporate espionage.
Based on the list of known victims, Symantec says Orangeworm appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.
According to Symantec telemetry, almost 40% of Orangeworm’s confirmed victim companies globally are in the healthcare industry. Of those healthcare companies, the biggest number of victims are in the United States, which accounts for 17% of infections.
Once Orangeworm has infiltrated a victim’s network, they deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer, Symantec says.
“Once inside, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections,” Symantec says.
If Orangeworm determines that a victim is of interest, it aggressively copies the backdoor across open network shares to infect other computers.
The malware gathers as much information about the victim’s network as possible, including any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.
Symantec says that Kwampirs uses a fairly aggressive means to propagate itself once inside a victim’s network by copying itself over network shares.
“While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP,” Symantec says.
“This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry.”