Last updated on: September 6, 2020
Operating since 2015, a threat group dubbed Orangeworm has been newly attributed to hacking and infiltrating healthcare groups around the world. Companies specifically targeted include hospitals, healthcare providers, pharmaceuticals, IT services firms serving the healthcare industry, and more. (Healthcare Informatics Institute describes this in more detail.)
The victims are specific, targeted, and global with 17% of victims in the US, 7% in India, 7% in Saudi Arabia, 5% in Philippines, 5% in Germany, Hungary and United Kingdom, with seventeen other countries each with 2% of infections. Analysts are still investigating the campaign tactics, techniques, and procedures (TTPs) of the Orangeworm group to determine their objectives whether espionage of the medical systems themselves, to steal patient data, or potential future sabotage or ransom.
The Orangeworm group is using a repurposed Trojan called Kwampirs to set up persistent remote access after they infiltrate victim organizations. Kwampirs is not especially stealthy and can be detected using indicators of compromise and activity on the target system. The Trojan evades hash-based detection by inserting a random string in its main executable so its hash is different on each system. However, Kwampirs uses consistent services names, configuration files, and similar payload DLLs on the target machine that can be used to detect it.
Qualys provides multiple detection methods for Orangeworm’s Kwampirs Trojan.
Kwampirs creates a named service as a means of persistence. AssetView indexes the name and description of all running services from Windows hosts collected by Qualys Cloud Agent.
Use the AssetView user interface to search for the Kwampirs service by service name or description:
services.name:”WmiApSrvEx” or services.description:”WMI Performance Adapter Extension”
You can create a custom dashboard widget with this search query to find any asset that has this service running and, if infected, enable trending to determine if the trend of infections is increasing or decreasing across your enterprise.
Using Vulnerability Management
QID 90065 collects Windows service name and description using authenticated scanning. Look for “WmiApSrvEx” as a service name or “WMI Performance Adapter Extension” as a service description.
Using Indication of Compromise (IOC)
Qualys IOC adds malware family detection to standard indicator of compromise file hash detection using a behavior detection model for Trojan.Kwampirs that is designed to detected known and unknown variants of this malware family.
Subscribers to IOC will automatically get this malware family detection enabled in their account to detect instances of Kwampirs.
As more information on the Orangeworm group attack techniques are discovered, this blog will be updated. Of particular interest are what vulnerabilities (CVEs) the group is targeting to infiltrate these organizations, and whether they are using known or zero-day exploits.
Qualys Cloud Platform
Qualys Cloud Platform gives you a continuous, always-on assessment of your global security and compliance posture, with 2-second visibility across all your IT assets, wherever they reside. Remotely deployable, centrally managed and self-updating, Qualys sensors come as physical or virtual appliances, or lightweight agents for user endpoints, on-premises servers and cloud instances. Nothing to install or manage, all services are accessible on the cloud via web interface.
Request an unlimited scope free trial at https://www.qualys.com/free-trial