A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns.
Initially detailed in 2018, the malware is a custom backdoor associated with a threat actor tracked as Orangeworm, which has been active since at least 2015, mainly targeting organizations in the healthcare sector, but also launching attacks on industries somewhat related to healthcare, including IT, manufacturing, and logistics.
Attacks involving the Kwampirs Remote Access Trojan (RAT), the FBI says, have been ongoing since 2016, targeting healthcare, software supply chain, energy, and engineering organizations in the United States, Europe, Asia, and the Middle East. Financial institutions and prominent law firms were also targeted.
According to the FBI's alert, while the backdoor does not include a wiper or destructive module components, there are code-based similarities with the data destruction malware Disttrack, which is better known as Shamoon.
The malware has been successfully employed in assaults on healthcare entities worldwide, including major transnational healthcare companies and local hospital organizations. In some cases, the infections spread across the enterprise networks, the FBI’s alert reads (PDF).
“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals,” the agency says.