X-Ray and MRI healthcare machines attacked by Orangeworm Kwampirs Trojan

Orangeworm malware tries to hack servers of healthcare institutions

Orangeworm malware attacks healthcare institutions to access data

Symantec, a company providing security products and solutions to protect the business, identified a mysterious cyber worm called Orangeworm bundled with the Kwampirs backdoor Trojan[1] targeting hospitals worldwide. 40% of the Orangeworm Kwampirs Trojan victims are organizations operating within healthcare sector. The other sectors targeted by this worm are Manufacturing and Information Technology. It has been revealed that 17% of companies attacked are located in the USA, but there's a considerable number of victims in Europe, and Asia.

On April 27, 2018, the company posted an article[2] warning the entire healthcare community about the risk of worm attack and a possible data breach in case their systems have any unpatched vulnerabilities. As pointed out, the Orangeworm has been revealed two years ago, in 2015. At the time, it targeted institutions like pharmaceuticals, IT solution providers, as well as healthcare sector.

Currently, the Orangeworm hackers supplemented the malware and interconnected it with backdoor called Trojan.Kwampirs. Once transfused, it allows the attacker to access the system remotely and then expand on the entire network.

Sensitive Medical Information Targeted

Worms like Orangeworm are expected to target confidential information. In this case, authorities warn about a possible leak of case histories, prescriptions, address, name, telephone number, or another sensitive patients' information.

However, according to Symantec, it looks as if the Orangeworm malware is proceeding in a way to gather technical information of the system, network (adapter info, network shares), files, programs installed, drivers, and similar. As pointed by Alan Neville, the Symantec researcher,

[…]it's more likely the group are interested in learning how these devices operate. We have not collected any evidence to suggest the attackers have planned to perform any sabotage type activities at this time.

The way Orangeworm Kwampirs Trojan operates

It's not yet clear how the worm manages to infiltrate healthcare systems. Its ancestry hasn't been identified as well. That's why many cybersecurity researchers claim it to be one of the most mysterious worms[3] currently detected.

It has been found that the Orangeworm Kwampirs targets older Windows OS, Windows XP in particular, and can be adapted to OS types and characteristics that have specifically been developed for healthcare institutions.

Following the infiltration, the Orangeworm malware downloads a backdoor Trojan Kwampirs. Once deployed, the Trojan allows attackers to establish a connection with an infected server remotely and subsequently disperse within the entire network.

The Kvampirs Trojan drops the copy of its DLL payload file to the system, then writes it to the disk, and memory. Surprisingly, the virus does not try to steal personal information about the patients, doctors or employees. Symantec found out that it's interested in technical details. According to the company, the Kwampirs malware has been found on machines running high-tech imaging devices X-Ray machines and MRI scanners in particular.[4] The worm scans the system for the machines that are used by patients for completing various forms.

The actors behind and the motives are not yet clear

It's not yet clear who is or is responsible for the cyber attacks against healthcare industry. The infamous WannaCry has held the latest mainstream attack in 2017. The motive was straightforward – to collect ransom and get rich. Simple.

In this case, it's not yet clear what's the purpose of the Orangeworm. It might be that the virus does not have malicious intentions, except as to check how the X-Ray and MRI machines function, the performance of the servers used by healthcare institutions, and similar.

However, the fact that it's also interested in machines used by patients to fill in consent forms is rather alarming. It may be that crooks may try to counterfeit patient's agreement. Symantec and other security experts reject the version that the Trojan may be state-sponsored.[5] As the company claims:

We do not believe that the group bears any hallmarks of a state-sponsored actor—it is likely the work of an individual or a small group of individuals. There are currently no technical or operational indicators to ascertain the origin of the group.

Institutions have to ensure the protection by themselves

Healthcare and other targeted sectors should be cautious about the infection possibility and take care of their system's security. Symantec has already built-in protection against Orangeworm and Kwampirs Trojan, though other reputable security vendors should have improved their software as well.

Therefore, it's advisable to use Intelligence Services or WebFilter-enabled products as they can block any activity related to Orangeworm.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

Contact Alice Woods
About the company Esolutions