A national or global crisis brings opportunities for people to band together and do great things. Unfortunately, the sad truth is that it also creates opportunities for those with nefarious motives. The best and the worst of human behavior are on display. While the healthcare industry is engulfed in a war with a deadly virus, healthcare companies unknowingly have a target on their back. According to the FBI, hackers have been actively targeting healthcare companies and anyone attempting to purchase COVID-19 related medical supplies via a variety of attack mechanisms.
If you work for a company in the healthcare industry, you might smell a rat, not the varmint kind, but a digital Remote Access Trojan (RAT). This RAT strain is called Kwampirs and belongs to a known hacking group called OrangeWorm. It is but one of the malware mechanisms being used to infiltrate transnational healthcare companies and local hospitals. While other industries such as software, pharmaceutical, energy, engineering imaging, financial as well as prominent law firms are active as well, attacks on the healthcare industry are the most pertinent right now as the world cannot afford a disruption to their operations. The FBI reported that the hacking group has already conducted effective attacks on hospitals and healthcare systems, thus gaining access to their networks.
The FBI released a Private Industry Notification warning that Kwampirs malware is being used in supply chain cyberattacks with the eventual goal being select industries including healthcare. It is the third such alert this year concerning this particular type of attack. Symantec first began reporting on Kwampirs a year ago. The RAT has been associated with attacks not only within the U.S., but Europe, Asia and the Middle East. OrangeWorm has been in existence since 2015.
The attack strategy behind Kwampirs is to target supply chain vendors such as software companies that service a particular industry. One such example is vendors that provide software-based industrial control system assets in hospitals. The malware may enter its eventual target through a software update from a trusted vendor. One distinguishing feature of Kwampirs is its modular structure. The malware infects Windows machines and then determines whether the system belongs to a desired target.
Once a network target is infiltrated, the malware will then load appropriate modules based on its host environment. It can then be used by its master to launch additional payloads based on the objectives of the attack. The malware seeks out “data of interest” and spreads itself to other systems by propagating through open network shares, hidden admin shares or the SMB protocol. Attackers then begin investigating ways to infect customers of the infected network. Kwampirs indeed takes advantage of our digitally connected world.
Unlike more prevalent malware types such as ransomware, Kwampirs is a silent infiltrator as it does not harm or modify any discovered data. While its financial motivations are unclear, its primary purpose is corporate espionage. OrangeWorm is not after a quick “hit and run” type of attack. The attack perpetrators are in it for the long haul as an observer until the time is right. As a result, the malware is designed to not draw attention to itself, but reside quietly within a network, communicating with its masters on a daily basis. When necessary, it can enable follow-on computer exploitation activities. It is not unusual for Kwampirs to reside on a network for several years. In fact, one of the ways that it spreads is through mergers and acquisitions (this is one of the reasons why a security audit is so critical before M&A activities).
Despite its silent, non-disturbing nature, there are a few subtle footprints that you can identify. You should check for any new services or processes that suddenly make an appearance throughout your network. Also look for new files that suddenly appear within system folders or shares. As of now, there is no naming pattern that has been identified regarding files or services, so there is no easy way to identify them other than good old investigating.
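Because no naming pattern is known, one practical way to do this investigating is to record a known-good baseline and diff against it. The PowerShell script below is an added example, not code from the FBI notification or from TitanHQ; the baseline path, the 7-day window and the two folders scanned are assumptions to adjust for your environment.

```powershell
# Added example: baseline-and-diff check for new services and new files
# in system folders. $BaselinePath and $Days are assumed defaults.
param(
    [string]$BaselinePath = "$env:ProgramData\svc-baseline.csv",
    [int]$Days = 7
)

# Current service inventory: name, binary path, start mode, logon account.
$current = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, PathName, StartMode, StartName

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the known-good state and stop.
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath; re-run later to compare."
    return
}

# Index the baseline by service name so lookups are cheap.
$known = @{}
foreach ($svc in (Import-Csv -LiteralPath $BaselinePath)) {
    $known[$svc.Name] = [string]$svc.PathName
}

# A service is flagged if its name is unknown or its binary path changed.
# [string] normalises $null to '' so empty paths compare equal to the CSV.
$newServices = $current | Where-Object {
    -not $known.ContainsKey($_.Name) -or $known[$_.Name] -ne [string]$_.PathName
}

# Files created recently in the top level of the system folders (assumed set).
$cutoff  = (Get-Date).AddDays(-$Days)
$folders = "$env:SystemRoot", "$env:SystemRoot\System32"
$newFiles = Get-ChildItem -LiteralPath $folders -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    Select-Object FullName, CreationTime,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } }

Write-Output "Services not in baseline (or with a changed binary path):"
$newServices | Format-Table Name, StartName, PathName -AutoSize -Wrap

Write-Output "Files created in system folders in the last $Days days:"
$newFiles | Sort-Object CreationTime -Descending | Format-Table -AutoSize -Wrap
```

Expect legitimate hits after patching or software installs; the value is in reviewing entries that no change record explains, and in keeping the baseline file somewhere an intruder on the host cannot rewrite it.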
Antivirus software is able to detect and block past versions of Kwampirs, but it should not be relied on as an exclusive remedy. The best defense is a defense in depth or multilayer strategy that incorporates a number of cybersecurity tools to secure the enterprise at large from this and other types of attacks. This includes a Next Generation Firewall, an email security system and internet filtering solution.
Cloud based solutions are a preferred way to secure your on premise assets as well as your workforce, now working remotely as a result of the COVID-19 crisis. Our SpamTitan email solution as well as our WebTitan content filtering solution are ideally suited for the challenges of today.
Several security awareness training firms have made resources available to businesses free of charge during the COVID-19 crisis to help them train the workforce, such as the SANS Institute. Take advantage of these resources and push them out to your workforce. If you are a small SMB, you may also be able to get access to free phishing simulation emails to test the workforce and reinforce training.
TitanHQ can’t help you with your cybersecurity awareness training but we can help by ensuring employees have to deal with fewer threats by protecting against email and web-based attacks. For more information on protecting your business during the COVID-19 crisis, to arrange a product demonstration of SpamTitan email security and/or WebTitan web security, and to register for a free trial of either solution to allow you to start instantly protecting against email and web-based threats, contact TitanHQ today!