Canadian organizations are among those in at least 24 countries that have been hit by a threat group apparently targeting the healthcare and related sectors, say researchers from Symantec.

In a report released Monday the security company says a group it dubs “Orangeworm” has been infecting computers with the Kwampirs backdoor trojan.

Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, Symantec said. It believes the goal is corporate espionage, as opposed to financial information.

However, in an interview today Jon DiMaggio, a Symantec senior intelligence analyst who worked on the report, said with the access gained the attacker(s) could elevate from mere snooping to destroying hard drives.

Image from Symantec

Privacy officers will be concerned that researchers say Orangeworm has an interest in PCs used to assist patients in completing consent forms for required procedures. However, the malware was also found on PCs that use and control high-tech imaging devices such as X-Ray and MRI machines.

Of the victims found by researchers, two per cent of the organizations were in Canada. The biggest number, 17 per cent, were in the U.S. Also hit were organizations in India, Saudi Arabia, the Philippines, China, Brazil and many in Europe.

“Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking,” says the report. “Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”

Once a network has been infiltrated the Trojan.Kwampirs is installed, which gives the attackers remote access to the compromised computer. Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections. To ensure persistence, a service is created to ensure that the main payload is loaded into memory when the system is rebooted.
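The random-string insertion described above is worth seeing in practice, because it explains why a blocklist of file hashes alone does not keep up with this kind of payload. The following Python script is an added illustration, not code from Symantec or from the malware: the payload bytes, the position of the inserted string and the content signature are all constructed here and are not Kwampirs artifacts. It writes several variants of the same constructed payload, each with a fresh random string in the middle, and compares how many a full-file hash blocklist catches against how many a signature anchored on the invariant bytes before and after the insertion catches.

```python
"""Hash-based matching versus content-signature matching against a payload
that carries a randomly generated string in its middle.

Added example. PAYLOAD_HEAD, PAYLOAD_TAIL and SIGNATURE are constructed
stand-ins and are not indicators from the Symantec report."""
import hashlib
import os
import re

# Constructed stand-in for the invariant parts of a decrypted DLL payload.
PAYLOAD_HEAD = b"MZ\x90\x00constructed-payload-head-" * 4
PAYLOAD_TAIL = b"-constructed-payload-tail\x00\x00" * 4


def write_variant(random_len=16):
    """Produce the payload the way the article describes it being written to
    disk: identical code, but with a freshly generated random string spliced
    into the middle. Every call yields a file with a different hash."""
    return PAYLOAD_HEAD + os.urandom(random_len).hex().encode() + PAYLOAD_TAIL


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# A content signature that ignores the variable region: it anchors on the last
# 16 bytes of the invariant head and the first 16 bytes of the invariant tail,
# with a bounded wildcard between them (the same idea as a YARA-style
# "a [16-64] b" pattern).
SIGNATURE = re.compile(
    re.escape(PAYLOAD_HEAD[-16:]) + rb".{16,64}?" + re.escape(PAYLOAD_TAIL[:16]),
    re.DOTALL,
)


def hash_match(sample, known_hashes):
    """True if the sample's full-file hash is on the blocklist."""
    return sha256(sample) in known_hashes


def signature_match(sample):
    """True if the invariant head/tail pattern appears in the sample."""
    return SIGNATURE.search(sample) is not None


def compare_detections(n_variants=5):
    """Seed a hash blocklist with one captured variant, then generate n fresh
    variants and return (hash_hits, signature_hits) over them."""
    captured = write_variant()
    blocklist = {sha256(captured)}
    variants = [write_variant() for _ in range(n_variants)]
    hash_hits = sum(hash_match(v, blocklist) for v in variants)
    signature_hits = sum(signature_match(v) for v in variants)
    return hash_hits, signature_hits


if __name__ == "__main__":
    hits, sig_hits = compare_detections()
    print(f"hash blocklist caught {hits} of 5 variants, "
          f"content signature caught {sig_hits} of 5")
```

The blocklist catches none of the new variants because every file hashes differently, while the signature catches all of them; the defensive takeaway is to key detection on the parts of a payload that cannot change without breaking it (code sections, import tables, invariant strings) rather than on whole-file hashes.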

Information about the victimized computer is collected, such as recently accessed computers, network adapter information, available network shares, mapped drives, and files present. It may also ask for a list of local accounts with administrative access. If the victim is of interest, the malware copies the backdoor across open network shares to infect other computers. “While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP,” says the report. “This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry.”

The malware also goes through a large list of command and control servers, researchers said, not all of which are active, until it finds a connection. Apparently the gang behind the attack have made no effort to change the C&C communication protocol since its first inception. Symantec first detected Orangeworm in January 2015.
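The three behaviours the last two paragraphs describe (a service created for persistence, the backdoor copied over open network shares, and a host walking a long list of command and control servers most of which do not answer) are all visible in ordinary endpoint and network telemetry. The Python script below is an added example of detection logic for them and is not Symantec's code: the log format, host names, service name, file paths, IP addresses and thresholds are all constructed for illustration and are not indicators from the report. It parses a small constructed log and reports which hosts trip which rule.

```python
"""Detection rules for the Kwampirs-style behaviours described in the article,
run over a constructed sample log.

Added example. The CSV layout, hosts, service, paths, addresses and thresholds
below are constructed and are not indicators from the Symantec report."""
import csv
import io
from collections import defaultdict

# Constructed telemetry in a simplified form: timestamp, source host, event
# kind, and a ';'-separated key=value detail field.
SAMPLE_LOG = """\
ts,host,event,detail
2018-04-23T09:00:01,WS-IMG-01,service_installed,name=ConstructedSvc;image=C:\\ProgramData\\tmp\\payload.dll
2018-04-23T09:00:02,WS-IMG-01,net_connect,dst=198.51.100.10:443;result=fail
2018-04-23T09:00:03,WS-IMG-01,net_connect,dst=198.51.100.11:443;result=fail
2018-04-23T09:00:04,WS-IMG-01,net_connect,dst=198.51.100.12:443;result=fail
2018-04-23T09:00:05,WS-IMG-01,net_connect,dst=203.0.113.7:443;result=ok
2018-04-23T09:01:00,WS-IMG-01,share_write,target=\\\\WS-LAB-02\\ADMIN$\\payload.dll
2018-04-23T09:01:01,WS-IMG-01,share_write,target=\\\\WS-LAB-03\\C$\\payload.dll
2018-04-23T09:01:02,WS-IMG-01,share_write,target=\\\\WS-RX-04\\ADMIN$\\payload.dll
2018-04-23T09:05:00,WS-ADM-09,service_installed,name=Spooler;image=C:\\Windows\\System32\\spoolsv.exe
2018-04-23T09:05:01,WS-ADM-09,share_write,target=\\\\FS-01\\Reports\\q1.xlsx
2018-04-23T09:05:02,WS-ADM-09,net_connect,dst=203.0.113.50:443;result=ok
"""

# Service binaries are expected under these paths; anything else is suspect.
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files")


def parse_log(text):
    """Turn the CSV text into a list of flat dicts, one per event."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        fields = {}
        for part in row["detail"].split(";"):
            key, _, value = part.partition("=")
            fields[key] = value
        rows.append({"ts": row["ts"], "host": row["host"],
                     "event": row["event"], **fields})
    return rows


def detect(rows, share_threshold=3, cc_min_hosts=3, cc_fail_ratio=0.5):
    """Apply the three rules and return sorted (host, rule) findings."""
    findings = set()
    admin_share_targets = defaultdict(set)
    conns = defaultdict(lambda: {"dsts": set(), "fail": 0, "total": 0})

    for r in rows:
        if r["event"] == "service_installed":
            # Persistence: a new service whose binary lives outside the
            # trusted install locations.
            image = r.get("image", "").lower()
            if not image.startswith(TRUSTED_IMAGE_PREFIXES):
                findings.add((r["host"], "persistence:service_outside_trusted_path"))
        elif r["event"] == "share_write":
            # Lateral movement: writes to administrative shares (ADMIN$, C$)
            # on many distinct machines from one source.
            parts = r.get("target", "").lstrip("\\").split("\\")
            if len(parts) >= 2 and parts[1].endswith("$"):
                admin_share_targets[r["host"]].add(parts[0])
        elif r["event"] == "net_connect":
            # C&C list walk: many distinct destinations, mostly failing.
            c = conns[r["host"]]
            c["dsts"].add(r.get("dst", "").split(":")[0])
            c["total"] += 1
            if r.get("result") != "ok":
                c["fail"] += 1

    for host, servers in admin_share_targets.items():
        if len(servers) >= share_threshold:
            findings.add((host, "lateral:admin_share_fanout"))
    for host, c in conns.items():
        if len(c["dsts"]) >= cc_min_hosts and c["fail"] / c["total"] >= cc_fail_ratio:
            findings.add((host, "c2:connection_list_walk"))
    return sorted(findings)


if __name__ == "__main__":
    for host, rule in detect(parse_log(SAMPLE_LOG)):
        print(f"{host}: {rule}")
```

On the constructed log only WS-IMG-01 trips all three rules; WS-ADM-09, which installs a service from System32, writes to an ordinary file share and connects once successfully, produces nothing. The thresholds are deliberately simple; in production they would be tuned per environment and the share-write rule would be scoped to a time window.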

Distributing the malware across network shares and using the large list of C&C servers are considered “noisy” techniques by experts. Symantec thinks these may indicate that the Orangeworm group is not overly concerned with being discovered. “The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network.”

DiMaggio said Symantec first came across evidence of the Kwampirs trojan, which he said appears to be custom malware, in 2016. After creating a signature to scan customer telemetry it discovered signs of the malware dating back to January 2015. Since the discovery in 2016 Symantec has been working with customers and investigating who might be behind the trojan, which led to yesterday’s report.

While the malware has been found on a wide range of systems, including PCs with software that makes labels for prescription bottles and runs X-ray machines, “it seems they’ve been doing this to move closer to what they’re actually looking for.” Once the initial malware is on a group of machines in an organization and the attackers have pulled information about them, he added, the attacker selects a smaller group to insert the backdoor — and stays on those machines for some time, seemingly to learn how the software on them works.

“When you think of motivation, that fits much more with an espionage purpose. It certainly doesn’t fit with financial gain, or stealing patient records.”

As for what CISOs should be doing, DiMaggio pointed out that the way this malware spreads is by taking advantage of organizations running PCs and servers with older operating systems. If it’s too expensive to immediately move to a new OS, organizations should at least make sure operating systems are patched — if they are still supported. Segmenting these machines from the rest of the network would also limit the ability of the malware to spread through file shares. “This malware isn’t very smart, but what it does is look for an open share, and if that trust relationship is there it spreads.” Finally, consider whether these machines need to touch the public-facing Internet.

He also said health care vendors need to encourage software suppliers to improve the security of their applications.

“Today these guys appear to be doing corporate espionage. However, with the access they have, if they wanted to they could start wiping hard drives, they could start doing destructive things.”

(This article has been updated from the original to include comments from Jon DiMaggio)