Malware analysis

Kwampirs malware: what it is, how it works and how to prevent it | Malware spotlight

Greg Belding
May 13, 2020 by
Greg Belding

Introduction

Supply chain compromise has become more of a concern as of late, with the appearance of COVID-19 affecting many industries — especially healthcare. Attack groups are taking advantage of this vulnerability of modern society by targeting the supply chain of ICS firms, healthcare, IT and other critical infrastructure industries. 

One such malware, known as Kwampirs, has been observed using supply chain compromise during this time of crisis. Kwampirs has been taken so seriously by the FBI that they have issued multiple alerts warning impacted industries of its risk. This article will detail Kwampirs and explore what it is, how it works and how to prevent Kwampirs from impacting your organization.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

What is Kwampirs?

First discovered in 2016, Kwampirs is a Remote Access Trojan, or RAT, that targets supply chain companies that supply an array of critical infrastructure industries — from healthcare, energy and IT companies to firms that run ICS. Also known as Orangeworm (both the malware itself and its attack group), this modular advanced persistent threat is used to gain entry to victims’ networks for the purpose of accessing supply chain companies. It should be noted that financial firms and leading law firms have been reported as being secondary targets for this RAT.

In January, February and March 2020, the Federal Bureau of Investigation issued alerts warning the private sector of supply chain cyberattacks. While no specific companies or firms were mentioned by name, the FBI has made it clear that hackers have been using Kwampirs to gain access to the vendors, partners and customers of these critical industries. These FBI alerts suggest that attack groups are starting to focus more on organizations that work with energy transmission and distribution.

Of the many findings these alerts projected, the FBI released the Indicators of compromise (IOC) and YARA rules for organizations to better detect the Kwampirs malware. You can check out the Kwampirs IOCs here and YARA rules here.

Another interesting finding was the fact that Kwampirs has several code-based similarities to the modular malware Shamoon (also known as Disstrack). It should be noted that no has yet discovered a destructive or wiper component in Kwampirs as of yet, as compared to the destructiveness of Shamoon, so this similarity should be taken with more than a grain of salt.

As mentioned earlier, Kwampirs is known to target the healthcare industry and the many companies that feed into its supply chain. It has an affinity for the installation software for the control and use of imaging devices, including MRI and X-ray machines and other copier-type imaging devices that take patient or client input of a sensitive nature.

Healthcare entities often work with sensitive patient information, including payment card data (PII). As of this writing, Kwampirs has not targeted this information during attack campaigns.

How does it work?

Kwampirs has several ways that it could initially infect an enterprise network. Among those observed are phishing emails containing malicious links and SMB messages containing malicious links.

After initial infection, Kwampirs has been observed using multiple intrusion vectors to spread across networks and make the infection as wide as possible. These intrusion vectors are when vendors in the software supply chain install devices infected with Kwampirs on the organization network and cloud infrastructure during times of co-development being passed through shared internet-facing resources and lateral movement between an organization’s networks during times of mergers and acquisition.

The FBI has observed that Kwampirs campaigns use a two-phased approach to their attacks. The first phase is the delivery and execution of secondary malicious payloads. In the second phase, Kwampirs delivers additional malicious payloads and Kwampirs components to further the exploitation of infected hosts.

The APT group behind Kwampirs has successfully maintained a persistent presence on infected networks from anywhere between three and 36 months. During this time, a secondary Kwampirs module is deployed, which allows for ongoing detailed reconnaissance of infected networks.

The most unsavory thing about Kwampirs in this day and age is the devastating impact of an additional Kwampirs module (ransomware, for example) unleashed upon a healthcare provider on the front lines with an undiscovered Kwampirs infection. The cost of both human lives and money could be astronomical.

How to prevent Kwampirs

Kwampirs is known to have an aggressive approach to propagation once within a network and can be often found on imaging devices. This does not mean the right approach should be to detect it on these devices. Rather, prevention begins with the proverbial low-hanging fruit. This means that regular end points, which would be the initial infection point, are what organization cybersecurity teams should focus on because the infection will be managed when it is at its smallest. 

The FBI has forwarded some recommendations for Kwampirs prevention, including:

  • Implementation of a least-privileges policy on web servers
  • Use of a demilitarized zone (DMZ) between the organization network and internet-facing systems
  • Not using default, factory-set login credentials
  • Blocking access to administration panels for external connections

Conclusion

While not a new threat, the Kwampirs malware has seen a spike in activity recently and this can be connected back to the COVID-19 crisis. After initial infection, it aggressively spreads throughout impacted networks, with the infection lasting as long as 36 months. 

Kwampirs will probably not be going away anytime soon and we do not yet know the full extent of the disruption and destruction it will cause. But with the recent FBI alerts and tips, we can prevent and mitigate Kwampirs infections and help keep critical industries safe.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

 

Sources

  1. FBI Warns of ‘Kwampirs’ Malware Supply Chain Attacks, BankInfoSecurity
  2. FBI Warns of Supply Sector Software Providers to Watch Out for Kwampirs Malware, SecurityIntelligence
  3. FBI Again Alerts to Kwampirs Malware Supply Chain Cyberattacks, Health IT Security
  4. Hackers Target Supply Chain Companies with “Kwampirs” Malware, CISO Mag
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.