Cyber Attacks Against X-Ray & MRI Scan Machines, On The Rise

By Balaji Nawaz

A new APT cyber-espionage group, Orangeworm, is targeting the healthcare sector and related medical industries, deploying the powerful Kwampirs backdoor to compromise medical devices such as X-ray and MRI scan machines.

The Kwampirs backdoor was first discovered in 2016. It opens a backdoor on compromised computers that the attackers can use to steal sensitive information and upload further malicious files.

The Orangeworm APT group has been active since 2015 and mainly targets the healthcare sector in the U.S., Europe and Asia.

Apart from the healthcare industry itself, Orangeworm also targets related industries such as healthcare providers, pharmaceuticals, IT solution providers for healthcare, and equipment manufacturers that serve the healthcare industry.

Orangeworm Attack Against X-Ray and MRI Machines

The Kwampirs backdoor was discovered within the software used to control medical equipment such as X-ray and MRI machines, and Orangeworm was also observed to have an interest in machines used to assist patients.

Most victims were identified in the U.S., which accounts for 17 percent of infections, followed by India, Saudi Arabia and the Philippines.

The initial infection compromises the network and deploys the Kwampirs backdoor, which gives the attackers remote control of the victim's machine.

During infection, the malware uses a randomly generated string to decrypt its payload, which helps it evade signature-based detection.

It performs various tasks to maintain persistence and collects information about the compromised computer, including basic network adapter information, system version information, and language settings.

The malware also assesses the victim, checking whether the system is used by a skilled person or whether the victim is a high-value target.

The attackers run various commands on the victim's network to gather a large volume of sensitive information, including network adapter information, available network shares, mapped drives, and files present on the compromised computer.

Once inside a victim's network, Kwampirs uses aggressive techniques to propagate, copying itself over network shares.

It establishes connections to a large number of command-and-control servers. Not all of the C2 servers are active, but it keeps cycling through them until it makes a successful connection.

Researchers believe this hacking group may be the work of an individual or a small group of individuals.
