Orangeworm: Attack group targeting Healthcare Industry
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Orangeworm: Attack group targeting Healthcare Industry

A Symantec report identifies a new attack group dubbed “Orangeworm”

Orangeworm, a new attack group identified in a report by Symantec, has been observed installing custom backdoors within large international organizations operating in the healthcare sector across the US, Europe and Asia.

Currently, the researchers at Symantec and elsewhere are unsure of Orangeworm’s motives, though Symantec believes that the group is conducting corporate espionage “for commercial purposes” and is likely not backed by a state actor.

Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.

Who is Orangeworm targeting?

Per Symantec’s report, 39% of the attacks had been perpetrated directly against the healthcare industry, while attacks that seemed to be aimed at other industries tended towards companies with heavy ties to healthcare, such as medical device manufacturers, tech companies that provide client services and the logistic firms behind delivering healthcare products.

Chart courtesy of Symantec

We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare. Orangeworm’s secondary targets include Manufacturing, Information Technology, Agriculture, and Logistics. While these industries may appear to be unrelated, we found them to have multiple links to healthcare…

As far as geographic distribution, the information is a little bit less useful. While the US accounts for 17 percent of infections, the multinational nature of the targeted companies has turned up infections in numerous countries. This would lend itself to the perception that Orangeworm is exceptionally prolific when in fact, the group has only impacted a “small set of victims in 2016 and 2017 according to Symantec telemetry.”

Chart courtesy of Symantec

Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.

How does Orangeworm attack?

Before Orangeworm can do anything, it has to infiltrate its target’s network. That can be done several different ways, and for the sake of this article is less important than what comes after the network is compromised.

Once it’s in Orangeworm deploys its custom backdoor, called Trojan.Kwampirs, to provide remote access to the compromised machine.

The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures.

When it’s executed, Kwampirs extracts and decrypts a copy of its DLL payload directly from its resources section.

Upon execution, Kwampirs creates the following files:

  • %Windir%\inf\mtmndkb32.PNF
  • %Windir%\inf\digirps.PNF
  • %Windir%\inf\mkdiawb3.PNF
  • %Windir%\inf\ie11.PNF
  • %Temp%\[FILE NAME].tmp
  • %Windir%\System32\[.DLL FILE NAME]

On that last item, [.DLL FILE NAME] is a placeholder for the name of the DLL payload, it will be one of the following:

  • wmiamgmt.dll
  • wmiassn.dll
  • wmipadp.dll
  • wmiadrv.dll
  • wmipdpa.dll

Then, before writing the payload to the disk, Orangeworm tosses in a randomly generated string into the middle of it in an attempt to bypass hash-based detection. In addition, Kwampirs ensures persistence by creating a service that ensures that its payload is always loaded into the memory when the system reboots. You can see the configuration below:

Courtesy of Symantec

Kwampirs also collects information about the compromised system, including basic network adapter information, system version, language settings, etc.

Orangeworm likely uses this information to determine whether the system is used by a researcher or if the victim is a high-value target. Once Orangeworm determines that a potential victim is of interest, it proceeds to aggressively copy the backdoor across open network shares to infect other computers.

In addition, Kwampirs may get copied into the following hidden file shares:

  • ADMIN$

Finally, Orangeworm gathers as much data as it can regarding the victim’s network, particularly information related to recently accessed computers, network adapter information, network shares, mapped drives, and any files that may be present on the compromised computer or machine.

Symantec has observed Orangeworm executing the following attacks within its victims’ compromised environments.

Courtesy of Symantec

Orangeworm isn’t exactly hiding this…

One of the most notable things about Orangeworm and its Kwampirs backdoor is that, since the discovery of Kwampirs, very little has changed as far as its internals are concerned. In fact, Orangeworm’s methods are actually what researchers consider “noisy.”

This can almost entirely be chalked up to ineffectual security and response from the Healthcare industry, which recently ranked 15 out of 18 among other US industries in terms of cyber security preparedness.

For starters, the way Kwampirs propogates itself by copying itself over network shares is actually fairly dated. In fact, it’s really only viable in environments that run old (read: outmoded) operating systems like Windows XP. Incidentally huge swaths of the healthcare industry still run legacy devices that operate on XP. These devices are oftentimes egregiously insecure.

Beyond that, Kwampirs cycles through a long list of C&C (Command and Control) servers embedded within it. Not all of the servers are still active, which means the infected device will continue to “beacon” until it can successfully connect with one of the C&C servers. Orangeworm has never bothered to change this communication protocol since Kwampirs was discovered, which likely means it’s working just fine as is. After all, why fix what’s not broken.

So far Orangeworm has operated with a degree of impunity and by all indications it’s not going to change a thing until it has to.

How can I protect my network against Orangeworm?

Fortunately, if you’re keeping your security implementations up to date you should be in a good position. Symantec was quick to point out that its customers are already covered:

Customers with Intelligence Services or WebFilter-enabled products are protected against activity associated with the Orangeworm group. These products include:

  • Web Security Service (WSS)
  • ProxySG
  • Advanced Secure Gateway (ASG)
  • Security Analytics
  • Content Analysis
  • Malware Analysis
  • SSL Visibility
  • PacketShaper

Additionally, other top cybersecurity companies have made requisite updates to their own programs and platforms. Remember, part of what makes the healthcare industry so easy to victimize is that part of its digital infrastructure is outmoded owing to costs associated with replacing technology regularly on such a massive scale. It’s understandable, though given the current fervor over digital privacy—no longer excusable.

So, if you’ve invested in solid cybersecurity, you should be fine. But just in case you were looking for some actionable advice, here are some best practices for keeping attackers out of your network in the first place.

  • Use a firewall to block all incoming connections to services that are not public.
  • Be judicious with the privileges you grant to programs and apps, only give what’s necessary to complete the requisite task.
  • Disable autoplay, this will prevent executables from launching automatically.
  • Turn off file-sharing unless it’s needed; disable anonymous access to shared folders.
  • Remove any app or service that isn’t mission critical, the auxillary services that come pre-installed with your OS can be used as avenues of attack.
  • If you receive notice of a threat that can exploit one of your network services, disable or block access to that service until it’s patched.
  • Maintain an adequate patching cadence, meaning: stay on top of your security updates.
  • Configure your email servers to block commonly-infected file types (.vbs, .bat, .exe, .pif, .scr, etc.).
  • If you suspect a computer or machine has been compromised, isolate it from the network immediately and do not reconnect until it has been investigated and restored.
  • Train your employees regularly, specifically cover good email security—including never to open unexpected attachments. Remember, your employees are one of the biggest threats to your cybersecurity.
  • Finally, be careful using Bluetooth. Disable it unless needed, do not make your devices discoverable and set your systems to reauthenticate upon every connection.

Finally, if you think you have been infected, Symantec has published a list of indicators of compromise of Orangeworm that can be found just below.

Orangeworm IOCs


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.