KWAMPIRS Malware Targets Health Sector

On 31st March 2020, the Federal Bureau of Investigation (FBI) reissued a FLASH alert warning organisations across all business verticals of the ongoing threat posed by the KWAMPIRS malware. The design and spread of this malware is attributed to the Orangeworm attack group.

We at Ethical Securities have studied the analysis reports published by various sources, catalogued the relevant information and summarised the key points for our readers.

KWAMPIRS Malware – Characteristic Features

  • It is designed as a Remote Access Trojan (RAT).
  • Its key differentiator is its modular design, which makes it difficult to fully enumerate the tool's capabilities.
  • It targets multiple sectors, including software supply-chain vendors, financial services, energy and healthcare.
  • Depending on the type of target it encounters, it loads the modules appropriate for that target.
  • It is used to conduct follow-on Computer Network Exploitation (CNE) against the victim.
  • No explicit destructive module has been observed, yet code-based similarities have been found with Disttrack, otherwise known as Shamoon, an older data-destruction malware.
  • The scope of infection ranges from a single local computer to enterprise-wide systems; regular communication with malicious IP addresses (Command and Control, or CnC, servers) was observed.
  • The CnC IP addresses were found hardcoded in the RAT's code.
  • It penetrates the network undetected by camouflaging itself as a legitimate component of an update from a trusted vendor; it relies on a supply-chain attack to infiltrate a trusted software vendor's network and then uses that vendor's update channel to spread to the vendor's customers.
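The regular communication with hardcoded CnC addresses noted above is something a defender can hunt for in outbound connection logs, even before the IOC list is published. The following Python script is an added example written for this summary; it is not code from the FBI alert, from the Orangeworm analyses or from the malware. It parses constructed firewall-style log lines, skips destinations in internal (RFC 1918 and loopback) ranges, and flags every (source host, destination IP) pair whose inter-connection intervals are nearly constant. The log format, host names and IP addresses are constructed for illustration (the external addresses are RFC 5737 documentation ranges) and are not Kwampirs indicators of compromise.

```python
"""Hunt for fixed-interval outbound connections (CnC beaconing).

Added example for this article; not code from the FBI FLASH, the Orangeworm
research or the malware itself. The log format, host names and IP addresses
below are constructed for illustration and are NOT Kwampirs indicators.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source host> -> <dest IP>:<port>".
# 198.51.100.23 is polled every ~30 min with a few seconds of jitter,
# 192.0.2.10 irregularly, and 10.0.0.5 (an internal server) exactly every 30 min.
SAMPLE_LOG = """\
2020-04-01T08:00:00 WS-RAD01 -> 198.51.100.23:443
2020-04-01T08:00:07 WS-RAD01 -> 192.0.2.10:443
2020-04-01T08:03:40 WS-RAD01 -> 192.0.2.10:443
2020-04-01T08:15:00 WS-RAD01 -> 10.0.0.5:445
2020-04-01T08:30:02 WS-RAD01 -> 198.51.100.23:443
2020-04-01T08:45:00 WS-RAD01 -> 10.0.0.5:445
2020-04-01T08:55:12 WS-RAD01 -> 192.0.2.10:443
2020-04-01T09:00:01 WS-RAD01 -> 198.51.100.23:443
2020-04-01T09:15:00 WS-RAD01 -> 10.0.0.5:445
2020-04-01T09:29:58 WS-RAD01 -> 198.51.100.23:443
2020-04-01T09:45:00 WS-RAD01 -> 10.0.0.5:445
2020-04-01T10:00:03 WS-RAD01 -> 198.51.100.23:443
2020-04-01T10:01:00 WS-RAD01 -> 192.0.2.10:443
"""

# Ranges treated as "internal"; checked explicitly rather than via
# ipaddress.is_private so that the RFC 5737 documentation addresses used as
# stand-in external hosts above are not filtered out.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into (timestamp, source host, destination IP, port)."""
    ts, src, _arrow, dst = line.split()
    ip, _sep, port = dst.rpartition(":")
    return datetime.fromisoformat(ts), src, ip, int(port)


def find_beacons(log_text, min_hits=4, max_cv=0.05, ignore_internal=True):
    """Return (src, dst) pairs whose connection intervals are nearly constant.

    min_hits        - connections needed before a pair is judged (forced to at
                      least 3 so there are two or more intervals to compare)
    max_cv          - maximum coefficient of variation (stdev / mean) of the
                      intervals; 0.05 means under 5% jitter around the mean
    ignore_internal - skip destinations in INTERNAL_NETS, since the CnC
                      addresses described in the alert are external
    """
    min_hits = max(min_hits, 3)
    timestamps = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, ip, _port = parse_line(line)
        if ignore_internal and is_internal(ip):
            continue
        timestamps[(src, ip)].append(ts)

    findings = []
    for (src, ip), stamps in timestamps.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.stdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({"src": src, "dst": ip, "hits": len(stamps),
                             "interval_s": round(mean_gap, 1),
                             "cv": round(cv, 4)})
    findings.sort(key=lambda f: f["cv"])  # most regular pairs first
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['hits']} connections, "
              f"every ~{hit['interval_s']}s (cv={hit['cv']})")
```

Regularity is a lead, not a verdict: update checkers, monitoring agents and scheduled jobs beacon just as steadily, which is why the internal 10.0.0.5 polling is filtered out by default, and the surviving pairs should be checked against the hardcoded CnC IP list once it is available rather than blocked blindly.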

Phases Involved in the KWAMPIRS Malware Attack

The attack proceeds in two phases.
Phase 1:

  • The malware infiltrates customer networks by camouflaging itself as a component of a software update from a compromised supply-chain vendor, then spreads internally by leveraging unauthenticated SMB shares.
  • It establishes a persistent and wide presence across the victim's network.
  • It polls the Command and Control (CnC) server at regular intervals for updates and downloads secondary modules; the modular design lets it load modules specific to the victim network.

Phase 2:

  • Using the foothold established in Phase 1, the malware contacts the CnC server to retrieve the secondary module.
  • The secondary module, which is the malicious payload proper, is delivered to the targeted host(s).
  • Network assets targeted by the secondary module are:
    • Primary and secondary Domain Controllers, and enterprise servers that manage Industrial Control Systems (ICS) products
    • Software development servers holding the source code of production applications
    • File servers
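The Phase 1 spread over SMB shares and the Phase 2 targeting of domain controllers, development servers and file servers leave a recognisable trace in Windows Security logs: one account, from one source address, touching administrative shares on many hosts in a short time. The following Python script is an added example written for this summary, not code from the FBI alert, the Orangeworm research or the malware. It runs a sliding-window hunt over constructed, trimmed-down records in the shape of Windows Security event 5140 ("A network share object was accessed"); the host names, account names, addresses and the 10-minute / 4-host thresholds are assumptions chosen for illustration.

```python
"""Hunt for one account fanning out across administrative SMB shares.

Added example for this article; not code from the FBI FLASH, the Orangeworm
research or the malware. The events below are constructed, trimmed-down
Windows Security event 5140 records; the host names, accounts and addresses
are invented for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Administrative shares that lateral movement of this kind writes to.
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}

FIELDS = ("time", "computer", "account", "src_ip", "share")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    # svc_update touches ADMIN$/C$ on five servers within six minutes
    ("2020-04-01T02:10:05", "SRV-FILE01", "svc_update", "10.10.4.20", "\\\\*\\ADMIN$"),
    ("2020-04-01T02:11:12", "SRV-DC01",   "svc_update", "10.10.4.20", "\\\\*\\ADMIN$"),
    ("2020-04-01T02:12:40", "SRV-DEV02",  "svc_update", "10.10.4.20", "\\\\*\\C$"),
    ("2020-04-01T02:14:03", "SRV-ICS01",  "svc_update", "10.10.4.20", "\\\\*\\ADMIN$"),
    ("2020-04-01T02:15:30", "SRV-DC02",   "svc_update", "10.10.4.20", "\\\\*\\ADMIN$"),
    # a backup job reading C$ on two file servers: too few targets
    ("2020-04-01T02:00:00", "SRV-FILE01", "backup_svc", "10.10.1.9",  "\\\\*\\C$"),
    ("2020-04-01T02:05:00", "SRV-FILE02", "backup_svc", "10.10.1.9",  "\\\\*\\C$"),
    # a user browsing an ordinary share on many hosts: not an admin share
    ("2020-04-01T09:00:00", "SRV-FILE01", "jdoe", "10.10.7.33", "\\\\*\\Public"),
    ("2020-04-01T09:00:30", "SRV-FILE02", "jdoe", "10.10.7.33", "\\\\*\\Public"),
    ("2020-04-01T09:01:00", "SRV-DEV02",  "jdoe", "10.10.7.33", "\\\\*\\Public"),
    ("2020-04-01T09:01:30", "SRV-DC01",   "jdoe", "10.10.7.33", "\\\\*\\Public"),
    # an administrator working through servers 40 minutes apart: too slow
    ("2020-04-01T10:00:00", "SRV-DC01",   "hlee", "10.10.2.5", "\\\\*\\ADMIN$"),
    ("2020-04-01T10:40:00", "SRV-DC02",   "hlee", "10.10.2.5", "\\\\*\\ADMIN$"),
    ("2020-04-01T11:20:00", "SRV-FILE01", "hlee", "10.10.2.5", "\\\\*\\ADMIN$"),
    ("2020-04-01T12:00:00", "SRV-DEV02",  "hlee", "10.10.2.5", "\\\\*\\ADMIN$"),
    ("2020-04-01T12:40:00", "SRV-ICS01",  "hlee", "10.10.2.5", "\\\\*\\ADMIN$"),
]]


def share_name(path):
    """Event 5140 logs the share as a UNC path, e.g. \\\\*\\ADMIN$ -> ADMIN$."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].upper()


def find_share_fanout(events, window_minutes=10, min_targets=4):
    """Return actors (account + source IP) that reached admin shares on at
    least min_targets distinct hosts inside any window_minutes-long window."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in events:
        if share_name(ev["share"]) not in ADMIN_SHARES:
            continue
        by_actor[(ev["account"], ev["src_ip"])].append(
            (datetime.fromisoformat(ev["time"]), ev["computer"]))

    findings = []
    for (account, src_ip), hits in by_actor.items():
        hits.sort()
        in_window = Counter()   # host -> accesses inside the current window
        start, best = 0, None
        for t_end, host in hits:
            in_window[host] += 1
            while t_end - hits[start][0] > window:   # slide the window forward
                old_host = hits[start][1]
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
                start += 1
            if best is None or len(in_window) > len(best["targets"]):
                best = {"account": account, "src_ip": src_ip,
                        "targets": sorted(in_window),
                        "first_seen": hits[start][0].isoformat(),
                        "last_seen": t_end.isoformat()}
        if best is not None and len(best["targets"]) >= min_targets:
            findings.append(best)
    findings.sort(key=lambda f: -len(f["targets"]))   # widest fan-out first
    return findings


if __name__ == "__main__":
    for f in find_share_fanout(SAMPLE_EVENTS):
        print(f"{f['account']}@{f['src_ip']} hit admin shares on "
              f"{len(f['targets'])} hosts between {f['first_seen']} and "
              f"{f['last_seen']}: {', '.join(f['targets'])}")
```

The window and threshold are the tuning knobs: widening the window to three hours makes the slow-moving administrator in the sample data look like the fan-out too, so they should be set from what the organisation's own backup, patching and deployment accounts normally do, and those accounts allow-listed explicitly rather than by loosening the thresholds. Event 5140 must be enabled (Audit File Share) on the servers for this hunt to have any data.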

Risks Involved

  • Kwampirs' code similarity with Disttrack (Shamoon), an older data-destruction malware, is alarming, even though no destructive module has been observed so far.
  • A hospital's prolonged exposure to this malware increases the chance of patient records and other confidential data being encrypted or destroyed, as well as of extortion.
  • This poses a massive threat, all the more so given the current worldwide COVID-19 pandemic.

The cost of such risks must be counted not only in monetary losses but also in human lives, should a hospital fall prey to this attack under current circumstances.

Post Infection Analysis

In a future post we will publish a list of IOCs that you can use to check whether your network has fallen prey to this malware.
