Kwampirs malware is a backdoor Trojan that targets healthcare organizations and infects computers connected to medical equipment
Kwampirs malware is a backdoor that allows the threat actors to take over the machine and spread the malicious payload across network sahres
Kwampirs is malware with worm-like capabilities mainly used by a hacking group like Orangeworm to carry out corporate espionage attacks. According to security researchers from Symantec, who first detected and analyzed the Trojan back in January 2015, it is mainly used to attack organizations in healthcare sector in the USA, Asia, and Europe. Kwampirs malware was also used to attack other industries as a means to reach out to the main target – secondary targets include companies in IT, logistics, manufacturing, and other fields.
Kwampirs backdoor is a custom-made malware that performs required system modifications in order to gain persistence and remain undetected – essentially, it gives attackers complete control over the infected machine. After gathering enough information about the initial target, it then spreads laterally across an entire network, gathering more data in the process.
|Also known as||Trojan.Kwampirs|
|Associated groups||Orangeworm – a cybercriminal gang is operated by a small number of individuals and is unlikely to be government-sponsored|
|Targets||Healthcare organisations and its suppliers in the USA, Asia and Europe|
|Symptoms||No visual symptoms of the infection are usually present – only the presence of malicious files, processes, and services (WmiApSryEx – WMI Performance Adapter Extension) can serve as an indicator. The files are known to be copied to ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS folders|
|Removal||To get rid of Kwampirs Trojan, the infected machine should be scanned with the most up-to-date anti-malware software|
|System fix||To repair compromised system files, use ReimageIntego|
Kwampirs malware does not immediately deploy its main payload, but rather first analyzes the initial machine – the attackers first ensure that the target is worth infecting. The initial check includes gathering data about a network adapter, system version, and language settings – if the target is indeed what malicious actors were looking for, they proceed with further actions.
Before spreading laterally via the network, Kwampirs malware decrypts its main payload and inserts a random string into it before writing information on disk in order to avoid anti-malware software detection that works based on hash readings. This behavior is typical of polymorphic type of cyber infections. Finally, Kwampirs virus copies its main payload across network shares, infecting other machines in the process.
Kwampirs malware performs various system changes:
- Creates a new service – WmiApSryEx with display name WMI Performance Adapter Extension;
- Copies various malicious files into ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS folders;
- Downlaods additional files from Command & Control server;
- Uses rundll32.exe to modify Registry as one of the persistence mechanisms, etc.
Kwampirs is malicious software that is utilized by cybercriminal group Orangeworm to steal corporate information from a machine connected to medical equipment
Symantec researchers said that the Kwampirs virus was found on computers that are connected to high-end medical equipment, such as MRI and X-Ray, as well as machines that were used to process patient forms required for the upcoming medical procedures. Nevertheless, it turns out that the attackers are not interested in stealing credentials or stealing sensitive patient data, but rather in machines themselves.
As it turned out, Kwampirs Trojan copied images, collected lists of files, manufacturer details, processor type, hostname, list of connections, running processes, and other specific information. Nevertheless, experts noted that it is possible that new modules might be introduced if threat actors would desire so.
Carefully selected victims
According to experts' findings, 39% of the infected hosts were coming from the healthcare industry, manufacturing – 15 %, IT – 15%, logistics 8%, agriculture – 8%, while the remaining 15% of victims were unidentified.
Researchers found that main targets of Kwampirs malware mainly originated from the US:
The biggest number of Orangeworm’s victims are located in the U.S., accounting for 17 percent of the infection rate by region. While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec telemetry, we have seen infections in multiple countries due to the nature of the victims operating large international corporations.
Kwampirs Trojan is mostly prevalent among outdated systems like Windows XP, which are still widespread among various industries. In most cases, this is due to professional equipment dependency on old operating system platforms. Nevertheless, most of the old systems can still be protected with advanced anti-malware solutions.
Those infected should immediately scan the affected equipment with anti-malware software to remove Kwampirs malware and its all malicious files. For the operating system repair purposes, ReimageIntego can be used.
Kwampirs is a custom Trojan that is used by malicious actors to attack companies and organizations in USA, Asia, and Europe
Malware distributed via targeted attacks
Because Kwampirs is malware that attacks corporate targets, it uses targeted attack vectors to infiltrate computers of interest worldwide. In most cases, such attacks are performed via targeted phishing email attachments/hyperlinks, inadequately protected Remote Desktop connections, or exploits. As mentioned above, malware mainly targets old operating systems like Windows XP – these systems are generally flawed and risky to use.
To mitigate and prevent malware attacks, the following must be taken as a precautionary measure:
- Invest in comprehensive security software that can block most of the malware attacks;
- Enable Firefox to prevent unsolicited network intrusions;
- Apply the latest security patches to all your software as well as the operating system;
- Use complex passwords that consist of alphanumeric characters or employ a password manager;
- Configure email server in a way that all the emails with attachments would be automatically blocked;
- Protect your Remote Desktop connections properly (for example, never use a default RDP port);
- Turn off file sharing if not required for a prolonged period;
- Restrict user access to the internet – prevent from downloading files;
- Disable autoplay function to prevent executables from being launched immediately after download.
The only way to remove Kwampirs malware is by performing a full system scan with anti-virus software
Kwampirs malware is a worm, so it propagates by itself. Therefore, if you had any networked connections, it is highly likely that most or all of the connected machines got infected as well. To successfully remove Kwampirs malware, you need to isolate all the infected computers (disconnect from the network), block all the ports, and perform a full system scan with the most up-to-date anti-malware software in Safe Mode. Note, you should also disable System Restore and then restart the infected machine in order to remove the possibility of the infected files coming back.
Finally, after Kwampirs malware removal, you should change all passwords for every single machine, and only then re-establish a network connection. Note, you should also report the malware attack to the appropriate law enforcement agencies.
To remove Kwampirs malware, follow these steps:
Remove Kwampirs malware using Safe Mode with Networking
Access Safe Mode as per instructions below:
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Kwampirs malware
Log in to your infected account and start the browser. Download ReimageIntego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Kwampirs malware removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Kwampirs malware and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.