win.kwampirs

Kwampirs

Actor(s): Orangeworm


Kwampirs is a malware family that spreads over SMB. It typically will not execute or deploy in environments where no reachable ADMIN$ share is exposed. It is a fully featured backdoor that can download additional modules. Typical C2 traffic is HTTP, with the request URI carrying a query parameter of the form q=[ENCRYPTED DATA]; because a q= parameter is also common in benign web requests (search queries, for example), that pattern on its own is a weak indicator and is best combined with the YARA rules and the IOCs in the references below.

References
2020-07-29 | Atlantic Council | Trey Herr, June Lee, William Loomis, Stewart Scott
@techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} }
Tagged: EternalPetya, GoldenSpy, Kwampirs, Stuxnet

2020-03-31 | ZDNet | Catalin Cimpanu
@online{cimpanu:20200331:fbi:91630df, author = {Catalin Cimpanu}, title = {{FBI re-sends alert about supply chain attacks for the third time in three months}}, date = {2020-03-31}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/}, language = {English}, urldate = {2020-04-07} }
Tagged: Kwampirs

2020-03-25 | FBI | FBI
@online{fbi:20200325:fbi:f2ba305, author = {FBI}, title = {{FBI Flash CP-000111-MW: Kwampirs Malware Indicators of Compromise Employed in Ongoing Cyber Supply Chain Campaign Targeting Global Industries}}, date = {2020-03-25}, organization = {FBI}, url = {http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html}, language = {English}, urldate = {2020-04-07} }
Tagged: Kwampirs

2020-03-25 | Reversing Labs | Karlo Zanki
@online{zanki:20200325:unpacking:0d7085a, author = {Karlo Zanki}, title = {{Unpacking the Kwampirs RAT}}, date = {2020-03-25}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat}, language = {English}, urldate = {2020-03-26} }
Tagged: Kwampirs

2020-02-10 | ZDNet | Catalin Cimpanu
@online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} }
Tagged: DistTrack, Kwampirs

2019-03-13 | Security Art Work | Lab52
@online{lab52:20190313:orangeworm:396a091, author = {Lab52}, title = {{ORANGEWORM GROUP – KWAMPIRS ANALYSIS UPDATE}}, date = {2019-03-13}, organization = {Security Art Work}, url = {https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/}, language = {English}, urldate = {2020-01-06} }
Tagged: Kwampirs

2018-04-23 | Symantec | Security Response Attack Investigation Team
@online{team:20180423:new:7b44d39, author = {Security Response Attack Investigation Team}, title = {{New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia}}, date = {2018-04-23}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia}, language = {English}, urldate = {2020-01-13} }
Tagged: Kwampirs, Orangeworm
Yara Rules
[TLP:WHITE] win_kwampirs_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_kwampirs_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd3 6a00 6880000000 6a02 6a00 6a01 }
            // n = 6, score = 500
            //   ffd3                 | call                ebx
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_1 = { 50 6a01 56 8b0f 51 e8???????? }
            // n = 6, score = 500
            //   50                   | push                eax
            //   6a01                 | push                1
            //   56                   | push                esi
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_2 = { c745fcfeffffff e8???????? b001 8b4df0 }
            // n = 4, score = 500
            //   c745fcfeffffff       | mov                 dword ptr [ebp - 4], 0xfffffffe
            //   e8????????           |                     
            //   b001                 | mov                 al, 1
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_3 = { 8be5 5d c3 32c0 8b4df0 64890d00000000 59 }
            // n = 7, score = 500
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   32c0                 | xor                 al, al
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx

        $sequence_4 = { 668955f6 e8???????? 83c40c 33d2 6806020000 }
            // n = 5, score = 500
            //   668955f6             | mov                 word ptr [ebp - 0xa], dx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   33d2                 | xor                 edx, edx
            //   6806020000           | push                0x206

        $sequence_5 = { 50 ffd6 8b4dc4 51 }
            // n = 4, score = 500
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8b4dc4               | mov                 ecx, dword ptr [ebp - 0x3c]
            //   51                   | push                ecx

        $sequence_6 = { 8bec 81ec580c0000 a1???????? 33c5 8945f8 }
            // n = 5, score = 500
            //   8bec                 | mov                 ebp, esp
            //   81ec580c0000         | sub                 esp, 0xc58
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_7 = { 6a01 56 8b0f 51 e8???????? 83c418 }
            // n = 6, score = 500
            //   6a01                 | push                1
            //   56                   | push                esi
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_8 = { 50 8d8dbcf3ffff 51 ff15???????? }
            // n = 4, score = 500
            //   50                   | push                eax
            //   8d8dbcf3ffff         | lea                 ecx, [ebp - 0xc44]
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_9 = { ba02000000 f7e2 0f90c1 53 56 57 f7d9 }
            // n = 7, score = 500
            //   ba02000000           | mov                 edx, 2
            //   f7e2                 | mul                 edx
            //   0f90c1               | seto                cl
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   f7d9                 | neg                 ecx

    condition:
        7 of them and filesize < 2695168
}
[TLP:WHITE] win_kwampirs_w0   (20180424 | Kwampirs dropper and main payload components)
rule win_kwampirs_w0 {
    meta:
        copyright = "Symantec"
        family = "Kwampirs"
        description = "Kwampirs dropper and main payload components"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs"
        malpedia_version = "20180424"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
 
    strings:        
        $pubkey =
        {
            06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00
            01 00 01 00 CD 74 15 BC 47 7E 0A 5E E4 35 22 A5
            97 0C 65 BE E0 33 22 F2 94 9D F5 40 97 3C 53 F9
            E4 7E DD 67 CF 5F 0A 5E F4 AD C9 CF 27 D3 E6 31
            48 B8 00 32 1D BE 87 10 89 DA 8B 2F 21 B4 5D 0A
            CD 43 D7 B4 75 C9 19 FE CC 88 4A 7B E9 1D 8C 11
            56 A6 A7 21 D8 C6 82 94 C1 66 11 08 E6 99 2C 33
            02 E2 3A 50 EA 58 D2 A7 36 EE 5A D6 8F 5D 5D D2
            9E 04 24 4A CE 4C B6 91 C0 7A C9 5C E7 5F 51 28
            4C 72 E1 60 AB 76 73 30 66 18 BE EC F3 99 5E 4B
            4F 59 F5 56 AD 65 75 2B 8F 14 0C 0D 27 97 12 71
            6B 49 08 84 61 1D 03 BA A5 42 92 F9 13 33 57 D9
            59 B3 E4 05 F9 12 23 08 B3 50 9A DA 6E 79 02 36
            EE CE 6D F3 7F 8B C9 BE 6A 7E BE 8F 85 B8 AA 82
            C6 1E 14 C6 1A 28 29 59 C2 22 71 44 52 05 E5 E6
            FE 58 80 6E D4 95 2D 57 CB 99 34 61 E9 E9 B3 3D
            90 DC 6C 26 5D 70 B4 78 F9 5E C9 7D 59 10 61 DF
            F7 E4 0C B3
        }
 
        $network_xor_key =
        {
            B7 E9 F9 2D F8 3E 18 57 B9 18 2B 1F 5F D9 A5 38
            C8 E7 67 E9 C6 62 9C 50 4E 8D 00 A6 59 F8 72 E0
            91 42 FF 18 A6 D1 81 F2 2B C8 29 EB B9 87 6F 58
            C2 C9 8E 75 3F 71 ED 07 D0 AC CE 28 A1 E7 B5 68
            CD CF F1 D8 2B 26 5C 31 1E BC 52 7C 23 6C 3E 6B
            8A 24 61 0A 17 6C E2 BB 1D 11 3B 79 E0 29 75 02
            D9 25 31 5F 95 E7 28 28 26 2B 31 EC 4D B3 49 D9
            62 F0 3E D4 89 E4 CC F8 02 41 CC 25 15 6E 63 1B
            10 3B 60 32 1C 0D 5B FA 52 DA 39 DF D1 42 1E 3E
            BD BC 17 A5 96 D9 43 73 3C 09 7F D2 C6 D4 29 83
            3E 44 44 6C 97 85 9E 7B F0 EE 32 C3 11 41 A3 6B
            A9 27 F4 A3 FB 2B 27 2B B6 A6 AF 6B 39 63 2D 91
            75 AE 83 2E 1E F8 5F B5 65 ED B3 40 EA 2A 36 2C
            A6 CF 8E 4A 4A 3E 10 6C 9D 28 49 66 35 83 30 E7
            45 0E 05 ED 69 8D CF C5 40 50 B1 AA 13 74 33 0F
            DF 41 82 3B 1A 79 DC 3B 9D C3 BD EA B1 3E 04 33
        }
          
        $decrypt_string =
        {
            85 DB 75 09 85 F6 74 05 89 1E B0 01 C3 85 FF 74
            4F F6 C3 01 75 4A 85 F6 74 46 8B C3 D1 E8 33 C9
            40 BA 02 00 00 00 F7 E2 0F 90 C1 F7 D9 0B C8 51
            E8 12 28 00 00 89 06 8B C8 83 C4 04 33 C0 85 DB
            74 16 8B D0 83 E2 0F 8A 92 1C 33 02 10 32 14 38
            40 88 11 41 3B C3 72 EA 66 C7 01 00 00 B0 01 C3
            32 C0 C3
        }
          
        $init_strings =
        {
            55 8B EC 83 EC 10 33 C9 B8 0D 00 00 00 BA 02 00
            00 00 F7 E2 0F 90 C1 53 56 57 F7 D9 0B C8 51 E8
            B3 27 00 00 BF 05 00 00 00 8D 77 FE BB 4A 35 02
            10 2B DE 89 5D F4 BA 48 35 02 10 4A BB 4C 35 02
            10 83 C4 04 2B DF A3 C8 FC 03 10 C7 45 FC 00 00
            00 00 8D 4F FC 89 55 F8 89 5D F0 EB 06
        }
          
    condition:
        2 of them
}
[TLP:WHITE] win_kwampirs_w1   (20200211 | Kwampirs installer xor keys and Unicode string length routine)
rule win_kwampirs_w1 {
    meta:
        yara_version = "3.7.0"
        date = "14 Jan 20"
        description = "Kwampirs installer xor keys and Unicode string length routine"
        source = "https://twitter.com/pancak3lullz/status/1225536379834290177"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs"
        malpedia_version = "20200211"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $string_key = { 6C 35 E3 31 1B 23 F9 C9 65 EB F3 07 93 33 F2 A3 }
        $resource_key = { 28 99 B6 17 63 33 EE 22 97 97 55 B5 7A C4 E1 A4 }
        $strlenW = { 33 C0 85 C9 74 17 80 3C 41 00 75 07 80 7C 41 01 00 74 0A 3D 00 94 35 77 73 03 40 EB E9 C3 }
    condition:
        uint16(0) == 0x5a4d and 2 of them
}
[TLP:WHITE] win_kwampirs_w2   (20200211 | Kwampirs implant xor and rsa keys)
rule win_kwampirs_w2 {
    meta:
        yara_version = "3.7.0"
        date = "14 Jan 20"
        description = "Kwampirs implant xor and rsa keys"
        source = "https://twitter.com/pancak3lullz/status/1225536379834290177"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs"
        malpedia_version = "20200211"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $string_key = { 6C 35 E3 31 1B 23 F9 C9 65 EB F3 07 93 33 F2 A3 }
        $beacon_key = { 28 30 A4 3F 6D 28 04 23 36 2A 32 DC AD 0B A0 4B E8 20 1F 64 84 0A F4 C4 C7 8A 8D C0 A2 C4 40 19 A1
        43 82 38 14 FD 6C 90 E0 7E 2A 40 DF D3 F2 3E 72 38 C4 96 4D 98 7C 16 3B 3C E7 27 B7 D0 EF 7B 3C 45 06 9A 69 0D 6A 41 18
        95 95 46 88 CC 19 6F EB 6B 5B F8 51 E4 2E E1 E6 8F 44 CF 20 2F 2B DE 7A 28 5D DB 55 5A 1A 35 AF D8 5F 57 B8 0F A5 F7 08
        4A D0 AB E5 95 31 A1 25 31 00 65 3C 70 73 99 42 0A 02 1A 69 D9 A6 DF 14 B2 05 DD A8 DF F5 D9 71 6D 6E 96 5F 1B D1 0F 8E
        0A 35 D4 65 FA 90 58 CC 75 02 92 B7 2C 46 ED 66 33 44 75 FC A4 E0 FD B8 C8 B5 0C 3A 84 D9 23 16 A4 AF 3B 57 C6 D2 5C B3
        AB 9C CD F0 B2 A4 51 43 D3 F0 30 21 B5 ED 25 E3 64 B7 0C 1C A8 50 3A FF 6B 2C 32 06 B2 D1 54 3D 86 B9 1A BF 59 D7 92 59
        EC 40 4A 8D B0 E7 9A 9A 0D 94 19 27 D8 6D AD 5C 3E BE 14 67 DC F0 92 }
        $download_key = { B7 E9 F9 2D F8 3E 18 57 B9 18 2B 1F 5F D9 A5 38 C8 E7 67 E9 C6 62 9C 50 4E 8D 00 A6 59 F8 72 E0
        91 42 FF 18 A6 D1 81 F2 2B C8 29 EB B9 87 6F 58 C2 C9 8E 75 3F 71 ED 07 D0 AC CE 28 A1 E7 B5 68 CD CF F1 D8 2B 26 5C 31
        1E BC 52 7C 23 6C 3E 6B 8A 24 61 0A 17 6C E2 BB 1D 11 3B 79 E0 29 75 02 D9 25 31 5F 95 E7 28 28 26 2B 31 EC 4D B3 49 D9
        62 F0 3E D4 89 E4 CC F8 02 41 CC 25 15 6E 63 1B 10 3B 60 32 1C 0D 5B FA 52 DA 39 DF D1 42 1E 3E BD BC 17 A5 96 D9 43 73
        3C 09 7F D2 C6 D4 29 83 3E 44 44 6C 97 85 9E 7B F0 EE 32 C3 11 41 A3 6B A9 27 F4 A3 FB 2B 27 2B B6 A6 AF 6B 39 63 2D 91
        75 AE 83 2E 1E F8 5F B5 65 ED B3 40 EA 2A 36 2C A6 CF 8E 4A 4A 3E 10 6C 9D 28 49 66 35 83 30 E7 45 0E 05 ED 69 8D CF C5
        40 50 B1 AA 13 74 33 0F DF 41 82 3B 1A 79 DC 3B 9D C3 BD EA B1 3E 04 33 }
        $hashfile_key = { FE FE F5 5C 37 54 A1 6C 28 84 ED BF 84 70 25 41 56 24 37 32 98 9F A0 35 48 F3 1C 33 2E F9 D0 A3 7D
        36 BA 66 ED FB 52 E3 8B 07 32 5A 1A DD 19 0A F0 73 A8 C6 61 3F 3F 31 8A 93 AB F4 19 AA D8 42 3B 3E 6E FC 0A 2A 41 1B 28
        33 7F 79 27 41 81 14 D0 0B 24 06 4C 35 B3 23 5C F2 E4 06 7D 73 93 1C 7A 30 8E 87 74 0F 53 F9 92 A3 CA 20 E3 A1 12 E1 6B
        86 62 B6 CC C1 45 C9 43 43 15 59 BE 5A 77 31 D8 36 5F BD F6 D7 09 65 42 3C CD 2C B1 C1 28 55 6E F9 91 3C 55 3B DF EB ED
        BF 84 70 25 41 56 24 37 32 98 9F A0 35 48 F3 1C 33 2E F9 D0 A3 7D 36 BA 66 ED FB 52 E3 8B 07 32 5A 1A DD 19 0A F0 73 A8
        C6 61 3F 3F 31 8A 93 AB F4 19 AA D8 42 3B 3E 6E FC 0A 2A 41 1B 28 33 7F 79 27 41 81 14 D0 0B 24 06 4C 35 B3 23 5C F2 E4
        06 7D 73 93 1C 7A 30 8E 87 74 0F 53 F9 92 A3 CA 20 E3 A1 12 E1 6B 86 }
        $rsa_key = { CD 74 15 BC 47 7E 0A 5E E4 35 22 A5 97 0C 65 BE E0 33 22 F2 94 9D F5 40 97 3C 53 F9 E4 7E DD 67 CF 5F 0A
        5E F4 AD C9 CF 27 D3 E6 31 48 B8 00 32 1D BE 87 10 89 DA 8B 2F 21 B4 5D 0A CD 43 D7 B4 75 C9 19 FE CC 88 4A 7B E9 1D 8C
        11 56 A6 A7 21 D8 C6 82 94 C1 66 11 08 E6 99 2C 33 02 E2 3A 50 EA 58 D2 A7 36 EE 5A D6 8F 5D 5D D2 9E 04 24 4A CE 4C B6
        91 C0 7A C9 5C E7 5F 51 28 4C 72 E1 60 AB 76 73 30 66 18 BE EC F3 99 5E 4B 4F 59 F5 56 AD 65 75 2B 8F 14 0C 0D 27 97 12
        71 6B 49 08 84 61 1D 03 BA A5 42 92 F9 13 33 57 D9 59 B3 E4 05 F9 12 23 08 B3 50 9A DA 6E 79 02 36 EE CE 6D F3 7F 8B C9
        BE 6A 7E BE 8F 85 B8 AA 82 C6 1E 14 C6 1A 28 29 59 C2 22 71 44 52 05 E5 E6 FE 58 80 6E D4 95 2D 57 CB 99 34 61 E9 E9 B3
        3D 90 DC 6C 26 5D 70 B4 78 F9 5E C9 7D 59 10 61 DF F7 E4 0C B3 }
    condition:
        uint16(0) == 0x5a4d and 2 of them
}
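The hand-written rules above embed overlapping key material: the $pubkey in win_kwampirs_w0 is a Windows CryptoAPI PUBLICKEYBLOB whose 256-byte modulus is exactly the byte string win_kwampirs_w2 calls $rsa_key, w0's $network_xor_key is byte-for-byte w2's $download_key, and w1 and w2 carry the same $string_key. The Python below is an added example, not code from Malpedia, Symantec or the rule author; it parses the blob header and confirms those overlaps using hex copied from the rules on this page. The field layout it assumes is CryptoAPI's BLOBHEADER followed by RSAPUBKEY, with little-endian fields and a little-endian modulus.

```python
"""Parse the CryptoAPI PUBLICKEYBLOB in win_kwampirs_w0's $pubkey and check
how much byte content the hand-written Kwampirs rules share.

Added example, not code from Malpedia or the rule authors. Byte constants are
copied from the rules above; layout assumed: BLOBHEADER then RSAPUBKEY."""
import struct

PUBLICKEYBLOB = 0x06        # BLOBHEADER.bType for a public key blob
CALG_RSA_KEYX = 0x0000A400  # BLOBHEADER.aiKeyAlg for RSA key exchange
RSA1_MAGIC = 0x31415352     # RSAPUBKEY.magic: ASCII "RSA1" read little-endian

# win_kwampirs_w0 $pubkey: 20-byte header plus a 2048-bit modulus (276 bytes).
W0_PUBKEY = bytes.fromhex(
    "0602000000a40000525341310008000001000100cd7415bc477e0a5ee43522a5"
    "970c65bee03322f2949df540973c53f9e47edd67cf5f0a5ef4adc9cf27d3e631"
    "48b800321dbe871089da8b2f21b45d0acd43d7b475c919fecc884a7be91d8c11"
    "56a6a721d8c68294c1661108e6992c3302e23a50ea58d2a736ee5ad68f5d5dd2"
    "9e04244ace4cb691c07ac95ce75f51284c72e160ab7673306618beecf3995e4b"
    "4f59f556ad65752b8f140c0d279712716b490884611d03baa54292f9133357d9"
    "59b3e405f9122308b3509ada6e790236eece6df37f8bc9be6a7ebe8f85b8aa82"
    "c61e14c61a282959c22271445205e5e6fe58806ed4952d57cb993461e9e9b33d"
    "90dc6c265d70b478f95ec97d591061dff7e40cb3")
# win_kwampirs_w0 $network_xor_key (256 bytes).
W0_NETWORK_XOR_KEY = bytes.fromhex(
    "b7e9f92df83e1857b9182b1f5fd9a538c8e767e9c6629c504e8d00a659f872e0"
    "9142ff18a6d181f22bc829ebb9876f58c2c98e753f71ed07d0acce28a1e7b568"
    "cdcff1d82b265c311ebc527c236c3e6b8a24610a176ce2bb1d113b79e0297502"
    "d925315f95e72828262b31ec4db349d962f03ed489e4ccf80241cc25156e631b"
    "103b60321c0d5bfa52da39dfd1421e3ebdbc17a596d943733c097fd2c6d42983"
    "3e44446c97859e7bf0ee32c31141a36ba927f4a3fb2b272bb6a6af6b39632d91"
    "75ae832e1ef85fb565edb340ea2a362ca6cf8e4a4a3e106c9d284966358330e7"
    "450e05ed698dcfc54050b1aa1374330fdf41823b1a79dc3b9dc3bdeab13e0433")
# win_kwampirs_w2 $rsa_key (256 bytes), chunked as the rule prints it.
W2_RSA_KEY = bytes.fromhex(
    "cd7415bc477e0a5ee43522a5970c65bee03322f2949df540973c53f9e47edd67cf5f0a"
    "5ef4adc9cf27d3e63148b800321dbe871089da8b2f21b45d0acd43d7b475c919fecc884a7be91d8c"
    "1156a6a721d8c68294c1661108e6992c3302e23a50ea58d2a736ee5ad68f5d5dd29e04244ace4cb6"
    "91c07ac95ce75f51284c72e160ab7673306618beecf3995e4b4f59f556ad65752b8f140c0d279712"
    "716b490884611d03baa54292f9133357d959b3e405f9122308b3509ada6e790236eece6df37f8bc9"
    "be6a7ebe8f85b8aa82c61e14c61a282959c22271445205e5e6fe58806ed4952d57cb993461e9e9b3"
    "3d90dc6c265d70b478f95ec97d591061dff7e40cb3")
# win_kwampirs_w2 $download_key (256 bytes), chunked as the rule prints it.
W2_DOWNLOAD_KEY = bytes.fromhex(
    "b7e9f92df83e1857b9182b1f5fd9a538c8e767e9c6629c504e8d00a659f872e0"
    "9142ff18a6d181f22bc829ebb9876f58c2c98e753f71ed07d0acce28a1e7b568cdcff1d82b265c31"
    "1ebc527c236c3e6b8a24610a176ce2bb1d113b79e0297502d925315f95e72828262b31ec4db349d9"
    "62f03ed489e4ccf80241cc25156e631b103b60321c0d5bfa52da39dfd1421e3ebdbc17a596d94373"
    "3c097fd2c6d429833e44446c97859e7bf0ee32c31141a36ba927f4a3fb2b272bb6a6af6b39632d91"
    "75ae832e1ef85fb565edb340ea2a362ca6cf8e4a4a3e106c9d284966358330e7450e05ed698dcfc5"
    "4050b1aa1374330fdf41823b1a79dc3b9dc3bdeab13e0433")
# $string_key as printed in win_kwampirs_w1 and in win_kwampirs_w2.
W1_STRING_KEY = bytes.fromhex("6c35e3311b23f9c965ebf3079333f2a3")
W2_STRING_KEY = bytes.fromhex("6c35e3311b23f9c965ebf3079333f2a3")


def parse_publickeyblob(blob):
    """Return the fields of a CryptoAPI RSA PUBLICKEYBLOB as a dict.

    BLOBHEADER {bType:u8, bVersion:u8, reserved:u16, aiKeyAlg:u32}, then
    RSAPUBKEY {magic:u32, bitlen:u32, pubexp:u32}, then bitlen/8 bytes of
    little-endian modulus. Raises ValueError for anything else."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    b_type, _version, _reserved, alg, magic, bitlen, pubexp = struct.unpack_from(
        "<BBHIIII", blob, 0)
    if b_type != PUBLICKEYBLOB:
        raise ValueError("bType 0x%02x is not PUBLICKEYBLOB" % b_type)
    if magic != RSA1_MAGIC:
        raise ValueError("magic 0x%08x is not 'RSA1'" % magic)
    if bitlen % 8 or len(blob) != 20 + bitlen // 8:
        raise ValueError("blob length does not match bitlen %d" % bitlen)
    modulus_le = blob[20:]
    return {"alg": alg, "bitlen": bitlen, "pubexp": pubexp,
            "modulus_le": modulus_le,
            "modulus": int.from_bytes(modulus_le, "little")}


def shared_rule_content():
    """Which byte strings the hand-written rules have in common. A sample that
    fires w0 on $pubkey and w2 on $rsa_key matched the same bytes twice."""
    key = parse_publickeyblob(W0_PUBKEY)
    return {
        "w2_rsa_key_is_w0_modulus": W2_RSA_KEY == key["modulus_le"],
        "w2_download_key_is_w0_network_xor_key": W2_DOWNLOAD_KEY == W0_NETWORK_XOR_KEY,
        "w1_w2_string_key_identical": W1_STRING_KEY == W2_STRING_KEY,
    }


if __name__ == "__main__":
    k = parse_publickeyblob(W0_PUBKEY)
    print("aiKeyAlg=0x%08x rsa_keyx=%s bits=%d e=%d" % (
        k["alg"], k["alg"] == CALG_RSA_KEYX, k["bitlen"], k["pubexp"]))
    print("modulus (big-endian hex): %x" % k["modulus"])
    for name, same in shared_rule_content().items():
        print("%-40s %s" % (name, same))
```

Run the file directly to print the key algorithm, size and exponent and the overlap report. The triage point: a sample that fires both win_kwampirs_w0 and win_kwampirs_w2 has usually matched the same key bytes twice, so count the two hits as one indicator rather than two; also note that w0's condition has no MZ check, so unlike w1 and w2 it will fire on memory dumps and carved blobs as well as on PE files.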