
Protect Yourself From This Orangeworm Trojan, Kwampir

Is it a worm? Is it a trojan? Is it your garden-variety malware? It's a Kwampir, which is kind of all of the above. The hacker group Orangeworm uses this self-replicating worm to harvest information about medical imaging devices. But what can it do, and how can you avoid becoming a victim?

A concept as old as history, the trojan horse virus has been a symbol of cyber espionage. | Telnov Oleksii | Shutterstock.com

This article explores the risks associated with medical system viruses and hacker group Orangeworm. It covers how this ‘Kwampir’ operates and who/what is most targeted. The article also details how to best protect yourself.

The most heinous hacker groups target major systems like power grids. They can wreak havoc with simple malware, and medical imaging devices are the latest targets.

Cybercriminal group Orangeworm installs custom malware onto healthcare systems. They then execute targeted attacks against specific organizations. They can even target supply chains that serve those organizations.

What is a kwampir, how does it work, and how can we protect ourselves from its ravages?

[Chart: Symantec]

What Does This Cyber Worm do?

Think about getting x-rays or an MRI and the vulnerability you experience.

You might be wearing a hospital gown or strapped into something. Your head might literally be in a giant circle of magnets and gizmos.

One of the worst things that could happen is a criminal hacking group hijacking the device you’re attached to. Good news: Orangeworm targets X-ray and MRI machines over others.

Symantec researchers discovered the group now known as Orangeworm using “Kwampirs”. These custom malware trojans infiltrated international corporations in Europe, the U.S., and Asia.

As you can see above, almost 40% of the victims are in the healthcare sector.

The malware also appeared in machines designed to help patients fill out things like consent forms. But the main focus was not information theft — Orangeworm wants to learn about devices.

[Image: Teiss.co.uk]

Symantec Information on How It Operates

Though Orangeworm first appeared in 2015, the Kwampirs trojan malware seems new.

Since the worm operates in a reconnaissance manner, some suggest that the purpose is corporate espionage. This theory gains more traction when you examine Orangeworm’s victim list.

The U.S. hosts Orangeworm’s largest concentration of victims, at 17% of all of those affected. Symantec theorizes that the information collected from these imaging devices can be used to determine how a device is being used: for research, or on a high-value target.

The Kwampir trojans don’t just scoop up information once. They ensure persistence using the device's own resources. Every time the system boots up, so does the Kwampir, collecting new information.

[Chart: Symantec]

This chart shows how Orangeworm injects the payload into the system memory on each reboot. You also might find copies of the trojan in these hidden administrative network shares:

  • C$\Windows
  • D$\Windows
  • E$\Windows
  • ADMIN$
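One defender-side check that follows from the share list above, as an added example that is not part of the original article or of Symantec's material: flag access to those hidden administrative shares from hosts that are not approved admin workstations, and call out hosts that fan out across several of them the way a self-copying worm does. The log lines and field names are constructed for the example and are not a real Windows or Symantec event format; the admin-host allow-list is a site-specific assumption.

```python
import re
from typing import Dict, List

# Hidden shares the article names as places where copies of Kwampirs turn up.
WATCHED_SHARES = {"ADMIN$", "C$", "D$", "E$"}
# Assumption: hosts that legitimately touch admin shares (site-specific allow-list).
ADMIN_HOSTS = {"10.0.0.10"}

# Constructed, simplified share-access records (not real telemetry or a real event format).
SAMPLE_LOG = """\
time=2018-04-23T09:14:02Z src=10.0.0.10 user=it_admin share=ADMIN$ target=scripts\\patch.ps1
time=2018-04-23T09:14:09Z src=10.0.9.77 user=radiology1 share=C$ target=Windows\\svc.exe
time=2018-04-23T09:14:10Z src=10.0.9.77 user=radiology1 share=D$ target=Windows\\svc.exe
time=2018-04-23T09:14:31Z src=10.0.5.21 user=nurse2 share=Scans target=ct\\0231.dcm
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict (empty dict for blank/garbage lines)."""
    return dict(FIELD.findall(line))


def flag_admin_share_access(log: str) -> List[Dict[str, str]]:
    """Return events that touch a watched admin share from a non-admin host.
    A write under <share>\\Windows from a workstation mirrors the staging
    location the article describes, so the reason string notes it."""
    alerts = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev.get("share") in WATCHED_SHARES and ev.get("src") not in ADMIN_HOSTS:
            ev["reason"] = "admin share accessed from non-admin host"
            if ev.get("target", "").lower().startswith("windows\\"):
                ev["reason"] += "; file placed under Windows\\ matches Kwampirs staging"
            alerts.append(ev)
    return alerts


def hosts_touching_many_shares(alerts: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts that hit at least `threshold` distinct admin shares: fanning out over
    C$, D$, E$ is the propagation pattern a self-replicating worm produces."""
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a["src"], set()).add(a["share"])
    return sorted(h for h, shares in seen.items() if len(shares) >= threshold)


if __name__ == "__main__":
    hits = flag_admin_share_access(SAMPLE_LOG)
    for a in hits:
        print(a["time"], a["src"], a["share"], a["reason"])
    print("fan-out hosts:", hosts_touching_many_shares(hits))
```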

From there, the trojan gathers information about the network and potential victims. The hacker group gains all kinds of information and insights from the trojan. You can see the full list on Symantec’s website, but here is a small preview:

  • List of currently running processes
  • List of local group accounts and users
  • A detailed configuration of the system, the OS, and owner details
  • List of any network mappings available

Again, this is not a comprehensive list, just a preview. What’s worse is that Kwampirs are both aggressive and not overly stealthy.

This suggests that Orangeworm may not care about getting noticed.

[Image: Methodshop | Pixabay]

How to Protect Yourself

The worm works better on older operating systems, so that’s one less thing to worry about. On its website, Symantec also assures its clients that they are protected.

It lists WebFilter-enabled or Intelligent Services products that provide protection. Think Advanced Secure Gateway (ASG), Web Security Service (WSS), and SSL Visibility.

You can also find a downloadable PDF of indicators of compromise on Symantec’s website.

How else could Kwampirs be used to compromise medical equipment?


Juliet Childers

Content Specialist and EDGY OG with a (mostly) healthy obsession with video games. She covers industry buzz including VR/AR, content marketing, cybersecurity, AI, and much more.
