Orangeworm  (Back to overview)

Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia. First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.

---

Associated Families

---

References

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2020-07-29 ⋅ Atlantic Council ⋅ Trey Herr, June Lee, William Loomis, Stewart Scott @techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain EternalPetya GoldenSpy Kwampirs Stuxnet

2020-03-31 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200331:fbi:91630df, author = {Catalin Cimpanu}, title = {{FBI re-sends alert about supply chain attacks for the third time in three months}}, date = {2020-03-31}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/}, language = {English}, urldate = {2020-04-07} } FBI re-sends alert about supply chain attacks for the third time in three months Kwampirs

2020-03-25 ⋅ FBI ⋅ FBI @online{fbi:20200325:fbi:f2ba305, author = {FBI}, title = {{FBI Flash CP-000111-MW: Kwampirs Malware Indicators of Compromise Employed in Ongoing Cyber Supply Chain Campaign Targeting Global Industries}}, date = {2020-03-25}, organization = {FBI}, url = {http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html}, language = {English}, urldate = {2020-04-07} } FBI Flash CP-000111-MW: Kwampirs Malware Indicators of Compromise Employed in Ongoing Cyber Supply Chain Campaign Targeting Global Industries Kwampirs

2020-03-25 ⋅ Reversing Labs ⋅ Karlo Zanki @online{zanki:20200325:unpacking:0d7085a, author = {Karlo Zanki}, title = {{Unpacking the Kwampirs RAT}}, date = {2020-03-25}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat}, language = {English}, urldate = {2020-03-26} } Unpacking the Kwampirs RAT Kwampirs

2020-02-10 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } FBI warns about ongoing attacks against software supply chain companies DistTrack Kwampirs

2019-03-13 ⋅ Security Art Work ⋅ Lab52 @online{lab52:20190313:orangeworm:396a091, author = {Lab52}, title = {{ORANGEWORM GROUP – KWAMPIRS ANALYSIS UPDATE}}, date = {2019-03-13}, organization = {Security Art Work}, url = {https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/}, language = {English}, urldate = {2020-01-06} } ORANGEWORM GROUP – KWAMPIRS ANALYSIS UPDATE Kwampirs

2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:orangeworm:7b6180d, author = {MITRE ATT&CK}, title = {{Group description: Orangeworm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0071/}, language = {English}, urldate = {2019-12-20} } Group description: Orangeworm Orangeworm

2018-04-23 ⋅ Symantec ⋅ Security Response Attack Investigation Team @online{team:20180423:new:7b44d39, author = {Security Response Attack Investigation Team}, title = {{New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia}}, date = {2018-04-23}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia}, language = {English}, urldate = {2020-01-13} } New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia Kwampirs Orangeworm

---

Credits: MISP Project