sb-eu logo
Story image

Orangeworm threat group targeting Asia & EU healthcare sector firms

24 Apr 2018

A group dubbed ‘Orangeworm’ is targeting healthcare and related industries across Asia, the United States, and Europe as part of what looks to be a carefully targeted attack process with significant planning behind the scenes.

Researchers from Symantec say that the group has been deploying Trojan.Krampirs, a custom backdoor that gives attackers remote access to compromised computers on the network.

The Trojan then collects information about the infected network, including information about recently accessed computers, files, mapped drives, available network shares, and network adapter information.

Symantec researchers say that the Orangeworm group’s known victims include healthcare providers, pharmaceutical firms, healthcare IT providers and healthcare equipment manufacturers. 39% of the Trojan’s targets operate within the healthcare industry.

While most targets have been based in the United States (17%), 7% were based in India; 5% in the Philippines, and 2% respectively across China, Hong Kong, and Malaysia. A number of other targets are located in Europe.

“The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear,” Symantec says.

Researchers found that the Trojan is able to spread aggressively through a network by copying itself over network shares. This method is old but works well on older operating systems such as Windows XP – a good match for the healthcare industry because it often operates using older systems.

Symantec notes that the Trojan also reaches out to a long list of command and control servers.

That action, in combination with the network sharing that only makes small modifications to the Trojan itself, indicates that the Orangeworm group ‘is not overly concerned with being discovered’, Symantec says.

Although the group has been known to be active for several years, there’s no evidence to suggest it is a state-sponsored actor, but rather the work of one person or a small group of people.

“There are currently no technical or operational indicators to ascertain the origin of the group,” Symantec notes.

“The fact that little has changed with the internals of Kwampirs since its first discovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and that the attackers have been able to reach their intended targets despite defenders being aware of their presence within their network,” Symantec concludes.

Story image
Shlayer malware proves Apple devices aren't as secure as you think
"Apple never talks about malware publicly, and loves to give the impression that its systems are secure. Unfortunately, the opposite has been proven to be the case with great regularity."More
Story image
BT Security shakes up roster of vendors after 'largest ever' partner review
BT says the decision to review their security partner base was driven by the recognition that many customers find it difficult to navigate today’s complex security landscape, as well as customers’ desire to have a ‘leaner set of partners’.More
Story image
California's CCPA now enforced worldwide
“The expansive reach of the CCPA and scope of data it covers can make compliance feel daunting to many,” comments ISACA Privacy Group member David Bowden.More
Story image
Proofpoint launches new SMB focused security awareness training
Proofpoint has launched security awareness training for small to medium businesses (SMBs) with the aim of reducing successful phishing attacks and malware infections to almost zero. More
Story image
Misinformation on the rise, organisations consider how best to respond
The increase in misinformation and fake domains have left organisations perceiving the threat level to be ‘very significant’, with a third planning greater emphasis on their ability to respond in coming months.More
Story image
Research: 61% of companies have suffered an insider attack in last 12 months
It comes as rapid migration to cloud and remote working and BYOD scenarios leave organisations increasingly vulnerable to insider attacks as a result of the upheaval caused by the COVID-19 pandemic.More