How to Defend Your Network Against the Kwampirs Malware

by Rob Hulsebos on April 13, 2020

The Kwampirs malware is a “RAT”, or remote access Trojan, that has recently seen a spike in usage, particularly within the healthcare sector, although it has targeted a broad range of industries globally, including software, pharmaceutical, energy and financial organizations. Kwampirs has been highly effective at targeting healthcare organizations, with malicious actors managing to locally infect machines and gain broad, sustained access to enterprise networks in major transnational healthcare companies and local hospitals. Given the heavy dependence on the healthcare system during the current COVID-19 crisis, it’s critically important that cybersecurity teams take defensive measures now to prevent potential network disruption.

Analysis of the Kwampirs Malware

Based on an analysis of the code, Kwampirs has numerous similarities with the older data destruction malware “Disttrack”, also known as “Shamoon”. According to an investigation by Symantec, the attackers choose their targets carefully. The main purpose of the Kwampirs malware is corporate espionage. It has been seen infiltrating software vendors, and using them as a mechanism to spread itself further. Likely, Kwampirs may enter your company via a software update from a trusted vendor. It is not known to wipe hard disks, exfiltrate data or ransom systems, but this behavior may change in the future.

Once Kwampirs has infiltrated on a (Windows) system, it tries to determine whether the system belongs to a desired target. If so, it will copy itself via network shares to other systems. Kwampirs inflicts no damage, but after penetrating a target system it will contact an external server to download additional payloads at the attacker’s choosing. Because of its low profile, Kwampirs has been known to remain undetected for a long time.

Recommendations for Defending Against Kwampirs

Sponsorships Available

On March 25^th, the FBI released a flash-message CP-0001118-MW with additional information about this threat, also known as OrangeWorm. They also issued a second “Private Industry Notification” on March 30^ththat provides more in-depth information about the Kwampirs operations, which recommends taking the following actions after detection of an infection:

“If a Kwampirs RAT infection is detected, contact your IT mitigation and remediation company and coordinate your mitigation efforts with your local FBI field office. The following information would assist the FBI’s investigation of this malware:

Full capture of network traffic in PCAP format from the infected host(s) (48-hour capture).
Full image and memory capture of infected host(s).
Web proxy logs capture, to include cache of the Web proxy.
DNS and firewall logs.
Identification and description of host(s) communicating with the C2 (ex: server, workstation, other).
Identification of patient zero and attack vector(s), if able.”

How Our Customers Are Protected

The FBI also published a set of Yara rules that can be used to detect file transfers containing the Kwampirs malware. These Yara rules can be imported into Forescout SilentDefense through one of our deployable security updates. Note that this is:

An update that can be downloaded and installed without waiting for a new release.
Already available to select customers and part of our threat update service.

Once installed, the Yara rules will trigger an alert when a file transfer’s contents match one (or more) of the signatures in the Yara rules. SilentDefense can also help implement several of the recommendations from the FBI above to identify malicious activities and speed up incident response.

The behavioral analysis engines automatically create an inventory of network assets and cross-network flows, provide PCAPs for anomalous behavior that is detected, and identify existing and emerging security threats in the network. The network map can identify the source and spread of a threat and would also show if the malware attempts to connect to the Internet and contact a C&C server.

Customers with the complete Forescout platform have an added layer of defense against this malware from plug-and-play integration with vulnerability scanners, the ability to quarantine endpoints with vulnerabilities and automated incident response capabilities. They can also proactively work on segmentation policies and validate expected outcomes.

These features, plus the dedicated Yara rules package, make the Forescout platform an ideal solution to help security practitioners defend their network against the Kwampirs malware. To learn more about how Forescout customers are protected against this and other cyberthreats, check out our threat detection video series here.