Most of the victims are located in the United States (17%), followed by Saudi Arabia and India, anyway Orangeworm hit organization in many countries including Philippines, Hungary, United Kingdom, Turkey, Germany, Poland, Hong Kong, Sweden, Canada, France.
Orangeworm targeted a small number of victims in 2016 and 2017, but infections most affected large international corporations in several countries.
The hackers use a custom backdoor tracked as Trojan.Kwampirs to remotely control infected machine on the compromised network.
Initially, the backdoor is used as a reconnaissance tool, if compromised machine contains data of interest the backdoor “aggressively” spread among other systems with open network shares.
“The backdoor also collects some rudimentary information about the compromised computer including some basic network adapter information, system version information, and language settings.” continues the analysis.
“Orangeworm likely uses this information to determine whether the system is used by a researcher or if the victim is a high-value target. Once Orangeworm determines that a potential victim is of interest, it proceeds to aggressively copy the backdoor across open network shares to infect other computers. “
The experts observed attackers run a wide range of commands within the compromised systems:
The Kwampirs backdoor was discovered by Symantec on machines hosting software used for high-tech imaging devices, such as MRI and X-Ray machines. It was also discovered on devices used to assist patients in completing consent forms.
Experts highlighted that the methods used by Kwampirs to propagate over the target network are particularly “noisy,” this suggests Orangeworm is not overly concerned with being discovered.
At the time of the report, the experts still haven’t determined the real motivation of the attackers or their origin, but even if they are conducting cyber espionage there is no evidence that the operation is backed by a nation-state actor.
Experts noted that the actors behind Orangeworm do not appear to be concerned about their activities being detected.
“While Orangeworm is known to have been active for at least several years, we do not believe that the group bears any hallmarks of a state-sponsored actor—it is likely the work of an individual or a small group of individuals. There are currently no technical or operational indicators to ascertain the origin of the group.” concluded Symantec.
Further information, including Indicators of Compromise, are included in the report.
(Security Affairs – Orangeworm hackers, cybercrime)