Kwampirs malware: what it is, how it works and how to prevent it | Malware spotlight
Introduction
Supply chain compromise has become more of a concern as of late, with the appearance of COVID-19 affecting many industries — especially healthcare. Attack groups are taking advantage of this vulnerability of modern society by targeting the supply chain of ICS firms, healthcare, IT and other critical infrastructure industries.
One such malware, known as Kwampirs, has been observed using supply chain compromise during this time of crisis. Kwampirs has been taken so seriously by the FBI that they have issued multiple alerts warning impacted industries of its risk. This article will detail Kwampirs and explore what it is, how it works and how to prevent Kwampirs from impacting your organization.
Become a certified reverse engineer!
What is Kwampirs?
First discovered in 2016, Kwampirs is a Remote Access Trojan, or RAT, that targets supply chain companies that supply an array of critical infrastructure industries — from healthcare, energy and IT companies to firms that run ICS. Also known as Orangeworm (both the malware itself and its attack group), this modular advanced persistent threat is used to gain entry to victims’ networks for the purpose of accessing supply chain companies. It should be noted that financial firms and leading law firms have been reported as being secondary targets for this RAT.
In January, February and March 2020, the Federal Bureau of Investigation issued alerts warning the private sector of supply chain cyberattacks. While no specific companies or firms were mentioned by name, the FBI has made it clear that hackers have been using Kwampirs to gain access to the vendors, partners and customers of these critical industries. These FBI alerts suggest that attack groups are starting to focus more on organizations that work with energy transmission and distribution.
Of the many findings these alerts projected, the FBI released the Indicators of compromise (IOC) and YARA rules for organizations to better detect the Kwampirs malware. You can check out the Kwampirs IOCs here and YARA rules here.
Another interesting finding was the fact that Kwampirs has several code-based similarities to the modular malware Shamoon (also known as Disstrack). It should be noted that no has yet discovered a destructive or wiper component in Kwampirs as of yet, as compared to the destructiveness of Shamoon, so this similarity should be taken with more than a grain of salt.
As mentioned earlier, Kwampirs is known to target the healthcare industry and the many companies that feed into its supply chain. It has an affinity for the installation software for the control and use of imaging devices, including MRI and X-ray machines and other copier-type imaging devices that take patient or client input of a sensitive nature.
Healthcare entities often work with sensitive patient information, including payment card data (PII). As of this writing, Kwampirs has not targeted this information during attack campaigns.
How does it work?
Kwampirs has several ways that it could initially infect an enterprise network. Among those observed are phishing emails containing malicious links and SMB messages containing malicious links.
After initial infection, Kwampirs has been observed using multiple intrusion vectors to spread across networks and make the infection as wide as possible. These intrusion vectors are when vendors in the software supply chain install devices infected with Kwampirs on the organization network and cloud infrastructure during times of co-development being passed through shared internet-facing resources and lateral movement between an organization’s networks during times of mergers and acquisition.
The FBI has observed that Kwampirs campaigns use a two-phased approach to their attacks. The first phase is the delivery and execution of secondary malicious payloads. In the second phase, Kwampirs delivers additional malicious payloads and Kwampirs components to further the exploitation of infected hosts.
The APT group behind Kwampirs has successfully maintained a persistent presence on infected networks from anywhere between three and 36 months. During this time, a secondary Kwampirs module is deployed, which allows for ongoing detailed reconnaissance of infected networks.
The most unsavory thing about Kwampirs in this day and age is the devastating impact of an additional Kwampirs module (ransomware, for example) unleashed upon a healthcare provider on the front lines with an undiscovered Kwampirs infection. The cost of both human lives and money could be astronomical.
How to prevent Kwampirs
Kwampirs is known to have an aggressive approach to propagation once within a network and can be often found on imaging devices. This does not mean the right approach should be to detect it on these devices. Rather, prevention begins with the proverbial low-hanging fruit. This means that regular end points, which would be the initial infection point, are what organization cybersecurity teams should focus on because the infection will be managed when it is at its smallest.
The FBI has forwarded some recommendations for Kwampirs prevention, including:
- Implementation of a least-privileges policy on web servers
- Use of a demilitarized zone (DMZ) between the organization network and internet-facing systems
- Not using default, factory-set login credentials
- Blocking access to administration panels for external connections
Conclusion
While not a new threat, the Kwampirs malware has seen a spike in activity recently and this can be connected back to the COVID-19 crisis. After initial infection, it aggressively spreads throughout impacted networks, with the infection lasting as long as 36 months.
Kwampirs will probably not be going away anytime soon and we do not yet know the full extent of the disruption and destruction it will cause. But with the recent FBI alerts and tips, we can prevent and mitigate Kwampirs infections and help keep critical industries safe.
Become a certified reverse engineer!
Sources
- FBI Warns of ‘Kwampirs’ Malware Supply Chain Attacks, BankInfoSecurity
- FBI Warns of Supply Sector Software Providers to Watch Out for Kwampirs Malware, SecurityIntelligence
- FBI Again Alerts to Kwampirs Malware Supply Chain Cyberattacks, Health IT Security
- Hackers Target Supply Chain Companies with “Kwampirs” Malware, CISO Mag
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Kwampirs malware: what it is, how it works and how to prevent it | Malware spotlight
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis