Kwampirs malware Removal Guide
What is Kwampirs malware?
Kwampirs malware is a backdoor Trojan that targets healthcare organizations and infects computers connected to medical equipment
Kwampirs malware is a backdoor that allows the threat actors to take over the machine and spread the malicious payload across network shares
Kwampirs is malware with worm-like capabilities, mainly used by the Orangeworm hacking group to carry out corporate espionage attacks. According to security researchers from Symantec, who first detected and analyzed the Trojan back in January 2015, it is mainly used to attack organizations in the healthcare sector in the USA, Asia, and Europe. Kwampirs malware was also used to attack other industries as a means of reaching the main target; secondary targets include companies in IT, logistics, manufacturing, and other fields.
Kwampirs backdoor is custom-made malware that performs the system modifications required to gain persistence and remain undetected; essentially, it gives attackers complete control over the infected machine. After gathering enough information about the initial target, it spreads laterally across the entire network, gathering more data in the process.
| Attribute | Details |
|---|---|
| Also known as | Trojan.Kwampirs |
| Associated groups | Orangeworm, a cybercriminal gang operated by a small number of individuals and unlikely to be government-sponsored |
| Targets | Healthcare organisations and their suppliers in the USA, Asia and Europe |
| Symptoms | No visual symptoms of the infection are usually present; only the presence of malicious files, processes, and services (WmiApSryEx, display name "WMI Performance Adapter Extension") can serve as an indicator. The files are known to be copied to the ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS folders |
| Removal | To get rid of the Kwampirs Trojan, the infected machine should be scanned with the most up-to-date anti-malware software |
| System fix | To repair compromised system files, use ReimageIntego |
Kwampirs malware does not deploy its main payload immediately; it first analyzes the initial machine so that the attackers can make sure the target is worth infecting. The initial check gathers data about the network adapter, system version, and language settings; if the target is indeed what the malicious actors were looking for, they proceed with further actions.
Before spreading laterally via the network, Kwampirs malware decrypts its main payload and inserts a random string into it before writing it to disk, so that anti-malware detection based on file hashes does not recognize the copy. This behavior is typical of polymorphic malware. Finally, Kwampirs copies its main payload across network shares, infecting other machines in the process.
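To make the hash-detection point concrete, here is a small added model (not code from the page or from Symantec's analysis): the payload bytes and the per-copy tags are constructed assumptions, and the only stable string used as a content signature is the service display name the page reports.

```python
import hashlib
import os

# Constructed stand-in for the decrypted payload. The stable string inside it is
# the service display name the page reports; everything else is made up.
PAYLOAD_BODY = b"MZ CONSTRUCTED-PAYLOAD ... WMI Performance Adapter Extension ... end"
STABLE_SIGNATURE = b"WMI Performance Adapter Extension"

def make_copy(body: bytes, tag: bytes) -> bytes:
    """Model the behaviour described above: the same payload plus a per-copy random string."""
    return body + b"\x00" + tag

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_ioc_match(sample: bytes, known_hashes: set) -> bool:
    """Detection that relies on a list of known file hashes (hash-based IoCs)."""
    return sha256_hex(sample) in known_hashes

def signature_match(sample: bytes, signature: bytes = STABLE_SIGNATURE) -> bool:
    """Detection that relies on content the attacker did not vary between copies."""
    return signature in sample

def compare_detections(tags=None, n_copies=3):
    """Return (hash-based hits, signature-based hits) over n_copies of the payload,
    with the hash IoC list built from the first copy only."""
    if tags is None:  # default: a fresh random tag per copy, as the malware does
        tags = [os.urandom(8).hex().encode() for _ in range(n_copies)]
    copies = [make_copy(PAYLOAD_BODY, t) for t in tags]
    known_hashes = {sha256_hex(copies[0])}
    hash_hits = sum(hash_ioc_match(c, known_hashes) for c in copies)
    sig_hits = sum(signature_match(c) for c in copies)
    return hash_hits, sig_hits

if __name__ == "__main__":
    print(compare_detections())  # (1, 3): only the first copy is on the hash list
```

The hash list only ever catches the copy it was built from, while a match on the unchanged string catches every re-tagged copy, which is why hash IoCs alone are a weak detection for this family.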
Kwampirs malware performs various system changes:
- Creates a new service, WmiApSryEx, with the display name WMI Performance Adapter Extension;
- Copies various malicious files into the ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS folders;
- Downloads additional files from the Command & Control server;
- Uses rundll32.exe to modify the Registry as one of its persistence mechanisms, etc.
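As an added example (not the page's own tooling), the following Python script hunts for the service indicators listed above in a constructed, simplified rendering of Windows System-log Event ID 7045 (service installation) records. The host names, image paths and one-line log format are assumptions; the legitimate wmiApSrv (WMI Performance Adapter) record, which the malicious name imitates, is included to show that it is not flagged.

```python
import re
from dataclasses import dataclass

# Indicators taken from the page: the service name and display name Kwampirs creates.
KWAMPIRS_SERVICE_NAME = "WmiApSryEx"
KWAMPIRS_DISPLAY_NAME = "WMI Performance Adapter Extension"

# Constructed sample: simplified one-line renderings of Event ID 7045 records.
# Hosts and image paths are placeholders; record 3 is a different event ID entirely.
SAMPLE_LOG = """\
EventID=7045 Host=ws01 ServiceName=wmiApSrv DisplayName="WMI Performance Adapter" ImagePath="C:\\Windows\\system32\\wbem\\WmiApSrv.exe"
EventID=7045 Host=mri-console-02 ServiceName=WmiApSryEx DisplayName="WMI Performance Adapter Extension" ImagePath="C:\\Windows\\System32\\CONSTRUCTED-PLACEHOLDER.exe"
EventID=7036 Host=ws01 ServiceName=Spooler State=running
EventID=7045 Host=xray-07 ServiceName=wmiapsryex DisplayName="WMI Performance Adapter Extension" ImagePath="C:\\WINDOWS\\CONSTRUCTED-PLACEHOLDER.exe"
"""

RECORD_RE = re.compile(
    r'EventID=(?P<eid>\d+)\s+Host=(?P<host>\S+)\s+ServiceName=(?P<svc>\S+)'
    r'(?:\s+DisplayName="(?P<disp>[^"]*)")?(?:\s+ImagePath="(?P<img>[^"]*)")?'
)

@dataclass
class Finding:
    host: str
    service: str
    display: str
    image: str
    reasons: tuple

def parse_record(line: str):
    """Parse one log line into a dict, or return None if it is not in the expected shape."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None

def hunt_service_installs(log_text: str):
    """Return a Finding for every 7045 record whose service or display name matches
    the Kwampirs indicators (case-insensitive, since casing varies between reports)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec["eid"] != "7045":
            continue
        reasons = []
        if rec["svc"].lower() == KWAMPIRS_SERVICE_NAME.lower():
            reasons.append("service name matches Kwampirs indicator")
        if (rec["disp"] or "").lower() == KWAMPIRS_DISPLAY_NAME.lower():
            reasons.append("display name matches Kwampirs indicator")
        if reasons:
            findings.append(Finding(rec["host"], rec["svc"], rec["disp"] or "", rec["img"] or "", tuple(reasons)))
    return findings
```

Run `hunt_service_installs(SAMPLE_LOG)` to get one Finding per suspicious host; on a real estate the same logic applies to 7045 records exported from the System log.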
Kwampirs is malicious software utilized by the cybercriminal group Orangeworm to steal corporate information from machines connected to medical equipment
Symantec researchers said that the Kwampirs virus was found on computers connected to high-end medical equipment, such as MRI and X-ray machines, as well as on machines used to process the patient forms required for upcoming medical procedures. Nevertheless, it turns out that the attackers are not interested in stealing credentials or sensitive patient data, but rather in the machines themselves.
As it turned out, the Kwampirs Trojan copied images and collected lists of files, manufacturer details, processor type, hostname, list of connections, running processes, and other specific information. Nevertheless, experts noted that new modules might be introduced if the threat actors so desire.
Carefully selected victims
According to the experts' findings, 39% of the infected hosts came from the healthcare industry, 15% from manufacturing, 15% from IT, 8% from logistics, and 8% from agriculture, while the remaining 15% of victims were unidentified.
Researchers found that the main targets of Kwampirs malware were mostly located in the US:
The biggest number of Orangeworm’s victims are located in the U.S., accounting for 17 percent of the infection rate by region. While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec telemetry, we have seen infections in multiple countries due to the nature of the victims operating large international corporations.
The Kwampirs Trojan is mostly prevalent on outdated systems like Windows XP, which are still widespread across various industries. In most cases, this is due to professional equipment depending on old operating system platforms. Nevertheless, most old systems can still be protected with advanced anti-malware solutions.
Those infected should immediately scan the affected equipment with anti-malware software to remove Kwampirs malware and all of its malicious files. For operating system repair, ReimageIntego can be used.
Kwampirs is a custom Trojan used by malicious actors to attack companies and organizations in the USA, Asia, and Europe
Malware distributed via targeted attacks
Because Kwampirs is malware that attacks corporate targets, it uses targeted attack vectors to infiltrate computers of interest worldwide. In most cases, such attacks are performed via targeted phishing email attachments or hyperlinks, inadequately protected Remote Desktop connections, or exploits. As mentioned above, the malware mainly targets old operating systems like Windows XP; these systems are generally flawed and risky to use.
To mitigate and prevent malware attacks, the following must be taken as a precautionary measure:
- Invest in comprehensive security software that can block most of the malware attacks;
- Enable the firewall to prevent unsolicited network intrusions;
- Apply the latest security patches to all your software as well as the operating system;
- Use complex passwords that consist of alphanumeric characters or employ a password manager;
- Configure the email server so that all emails with attachments are automatically blocked;
- Protect your Remote Desktop connections properly (for example, never use a default RDP port);
- Turn off file sharing if not required for a prolonged period;
- Restrict user access to the internet and prevent users from downloading files;
- Disable autoplay function to prevent executables from being launched immediately after download.
The only way to remove Kwampirs malware is by performing a full system scan with anti-virus software
Kwampirs malware is a worm, so it propagates by itself. Therefore, if the infected machine was connected to a network, it is highly likely that most or all of the other connected machines were infected as well. To remove Kwampirs malware successfully, isolate all infected computers (disconnect them from the network), block all ports, and perform a full system scan with the most up-to-date anti-malware software in Safe Mode. Note that you should also disable System Restore and then restart the infected machine so that the infected files cannot be restored.
Finally, after Kwampirs malware removal, change all passwords on every single machine, and only then re-establish the network connection. You should also report the malware attack to the appropriate law enforcement agencies.
Getting rid of Kwampirs malware. Follow these steps
Manual removal using Safe Mode
Access Safe Mode as per the instructions below:
A manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc.; it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to the Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is the one most likely to contain the malicious files).
- Scroll through the Files to delete list and select the following:
  - Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Finally, you should always think about protection against crypto-ransomware. To protect your computer from Kwampirs malware and ransomware, use reputable anti-spyware such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes.