
Everything You Should Know About the deadly Orangeworm virus




A hacker group calling itself "Orangeworm" created the malware known as Trojan.Kwampirs. The Orangeworm group installs Trojan.Kwampirs inside large corporations in the healthcare industry. Most of these attacks have occurred in the United States, Europe, and Asia, and they are still happening in those regions.



Symantec Corporation (a cyber defence firm) said in a blog post that:

They first identified this attack in January 2015. The Orangeworm group has also executed targeted attacks against organizations in related industries as part of a larger supply-chain attack, in order to reach its intended victims.

Most victims are:


1. Healthcare providers.
2. Pharmaceutical companies.
3. IT solution providers for healthcare.
4. Equipment manufacturers for the healthcare industry.

The Orangeworm group chooses its victims carefully and deliberately, doing a good amount of planning before launching an attack. In short, they gather all the information they can about the target.

[Image omitted; taken from internet sources]




According to the Symantec survey, nearly forty percent of victim organizations operate in the healthcare industry. In its report, Symantec found Trojan.Kwampirs on software used to control X-ray and MRI machines. Orangeworm was also observed to have a strong interest in devices that help patients complete consent forms for required procedures. The exact reason for this is not yet clear.

Fig. (source: internet): Percentage chart of "Orangeworm" victims worldwide.



Share of "Orangeworm" malware victims worldwide, by country:

United States: 17%
Unknown: 10%
India: 7%
Saudi Arabia: 7%
Philippines: 5%
Germany: 5%
Hungary: 5%
United Kingdom: 5%
Poland: 2%
Sweden: 2%
Hong Kong: 2%
France: 2%
China: 2%
Japan: 2%
Portugal: 2%
Turkey: 2%
Spain: 2%
Canada: 2%
Switzerland: 2%
Norway: 2%
Chile: 2%
Brazil: 2%
Belgium: 2%
Malaysia: 2%
Netherlands: 2%

How this malware works and harms industries: 

Once Orangeworm has breached the victim's network, it deploys the Kwampirs trojan on systems there. Kwampirs then gives the attacker remote access to the victim's computer.

When Kwampirs executes, it decrypts the main DLL payload from its resource section and extracts it to the destination on disk.

Just before writing the payload to disk, it inserts a randomly generated string into the midsection of the decrypted payload in an attempt to evade hash-based detection.

To ensure persistence, Kwampirs creates a service with the following configuration so that the primary payload is loaded into memory whenever the system restarts:
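The following added example (not code from the post or from Symantec) shows why a randomly inserted midsection defeats whole-file hash blocklists while a stable-region hash or a byte-pattern signature still matches. The payload bytes, the marker string and the 64-byte "stable header" are constructed assumptions, not real Kwampirs data.

```python
import hashlib
import os

# Constructed stand-in for a decrypted DLL payload; not real Kwampirs bytes.
# A fixed header, filler, and a byte pattern a content signature could key on.
PAYLOAD = (b"MZ" + b"\x00" * 62 + b"FAKE_PE_HEADER" + b"\x90" * 200
           + b"KWAMPIRS_STYLE_MARKER" + b"\x00" * 200)
HEADER_LEN = 64  # assumed region that stays unchanged across variants


def insert_random_midsection(payload: bytes, length: int = 16) -> bytes:
    """Mimic the evasion described above: splice random bytes into the middle."""
    mid = len(payload) // 2
    return payload[:mid] + os.urandom(length) + payload[mid:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_byte_signature(data: bytes, signature: bytes) -> bool:
    """Content-based check that does not depend on the whole-file hash."""
    return signature in data


def compare_variants(n: int = 3) -> dict:
    """Produce n variants of the same payload and count what each method detects."""
    variants = [insert_random_midsection(PAYLOAD) for _ in range(n)]
    whole_hashes = {sha256_hex(v) for v in variants}
    header_hashes = {sha256_hex(v[:HEADER_LEN]) for v in variants}
    hits = sum(matches_byte_signature(v, b"KWAMPIRS_STYLE_MARKER") for v in variants)
    return {
        "variants": n,
        "unique_whole_file_hashes": len(whole_hashes),  # n: every variant has a new hash
        "unique_header_hashes": len(header_hashes),     # 1: stable region still matches
        "signature_hits": hits,                         # n: byte pattern still matches
    }
```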



Service Name: WmiApSryEx
Display Name: WMI Performance Adapter Extensions
Start Type: SERVICE_AUTO_START
Binary Pathname: %Windows%\System32\
Command: rundll32.exe "%Windows%\System32\" ControlTrace -Embedding -k
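An added example (not from the post or from Symantec) of how a defender can check an exported service inventory for the persistence configuration listed above: the service name, the display name that imitates the legitimate "WMI Performance Adapter" (WmiApSrv), and the rundll32 "ControlTrace -Embedding -k" launch command. The service records are constructed, and the DLL file name "example.dll" is a placeholder for the name the post leaves out.

```python
import re

# Constructed sample service inventory (name, display name, start type, command);
# not real host data. WmiApSrv is the genuine Windows WMI Performance Adapter.
SERVICES = [
    ("WmiApSrv", "WMI Performance Adapter", "SERVICE_DEMAND_START",
     r"C:\Windows\system32\wbem\WmiApSrv.exe"),
    ("WmiApSryEx", "WMI Performance Adapter Extensions", "SERVICE_AUTO_START",
     r'rundll32.exe "C:\Windows\System32\example.dll" ControlTrace -Embedding -k'),
    ("Spooler", "Print Spooler", "SERVICE_AUTO_START",
     r"C:\Windows\System32\spoolsv.exe"),
]

KWAMPIRS_SERVICE_NAME = "wmiapsryex"
LEGIT_WMI_ADAPTER = "wmiapsrv"
# rundll32 loading a DLL and calling the ControlTrace export with -Embedding -k
RUNDLL_PATTERN = re.compile(
    r'rundll32(\.exe)?\s+"?[^"]*\.dll"?\s+ControlTrace\s+-Embedding\s+-k', re.IGNORECASE)


def flag_service(name: str, display: str, start: str, cmd: str) -> list:
    """Return the reasons a single service entry looks like Kwampirs persistence."""
    reasons = []
    if name.lower() == KWAMPIRS_SERVICE_NAME:
        reasons.append("service name matches the Kwampirs persistence service")
    if "wmi performance adapter" in display.lower() and name.lower() != LEGIT_WMI_ADAPTER:
        reasons.append("display name imitates the legitimate WMI Performance Adapter")
    if RUNDLL_PATTERN.search(cmd):
        reasons.append("rundll32 'ControlTrace -Embedding -k' launch command")
    if "rundll32" in cmd.lower() and start == "SERVICE_AUTO_START":
        reasons.append("auto-start service hosted by rundll32")
    return reasons


def scan(services) -> dict:
    """Return {service_name: [reasons]} for every entry that trips at least one check."""
    findings = {}
    for name, display, start, cmd in services:
        reasons = flag_service(name, display, start, cmd)
        if reasons:
            findings[name] = reasons
    return findings
```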


The Kwampirs backdoor also collects some basic information from the compromised computers, such as:

1. Network Adapter Information

2. System Version Information

3. Language Setting



With this basic information about the victim, the Orangeworm group decides whether the victim is a high-value target.

Once Orangeworm determines that a potential victim is of interest, it proceeds to aggressively copy the backdoor across open network shares to infect other computers.

It may copy itself to the following hidden file shares:
1. ADMIN$
2. C$\WINDOWS
3. D$\WINDOWS
4. E$\WINDOWS
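An added example (not from the post or from Symantec) of detection logic for the propagation behaviour just described: given normalised share-access events, it flags any source host that writes into the hidden administrative shares (ADMIN$, or the WINDOWS directory under C$, D$, E$) on several different hosts. The event records and host names are constructed.

```python
from collections import defaultdict

# Constructed share-access events (source host, target host, share, relative path,
# access type), in the shape a SIEM might normalise "network share accessed" events into.
EVENTS = [
    ("WS-01", "WS-02", "ADMIN$", r"\file.dll", "WriteData"),
    ("WS-01", "WS-03", "C$", r"\WINDOWS\file.dll", "WriteData"),
    ("WS-01", "WS-04", "D$", r"\WINDOWS\file.dll", "WriteData"),
    ("WS-01", "WS-05", "ADMIN$", r"\file.dll", "WriteData"),
    ("ADMIN-PC", "WS-02", "C$", r"\Users\alice\report.docx", "ReadData"),
    ("WS-07", "WS-08", "C$", r"\WINDOWS\Temp\x.txt", "WriteData"),
]

# Hidden administrative shares named in the post.
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}


def is_admin_share_write(share: str, path: str, access: str) -> bool:
    """True for a write to ADMIN$ or into \\WINDOWS via a drive-letter admin share."""
    if access != "WriteData" or share.upper() not in ADMIN_SHARES:
        return False
    return share.upper() == "ADMIN$" or path.upper().startswith(r"\WINDOWS")


def find_lateral_copy_sources(events, min_targets: int = 3) -> dict:
    """Return {source: sorted targets} for sources that wrote to admin shares on
    at least min_targets distinct hosts; one-off admin copies stay below the bar."""
    targets = defaultdict(set)
    for src, dst, share, path, access in events:
        if is_admin_share_write(share, path, access):
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}
```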

Information gathering:

In this phase the attackers collect as much additional information as possible.

They gather information about the victim such as:

1. Recently accessed computers.
2. Network adapter information.
3. Available network shares.
4. Mapped drives.
5. Files present on the computer.

According to Symantec, the attackers have been observed executing the following commands on compromised computers:

[Image omitted; source: Symantec Corporation]

According to Symantec:

"Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares."


How to Protect Your Computers From "Orangeworm" Virus?

You should install antivirus software to protect your computers:

As per my research, you should purchase:

[Product list will be uploaded soon]






Some references:

https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

http://www.healthleadersmedia.com/technology/orangeworm-virus-targets-healthcare-sector

