Kwampirs malware: what it is, how it works and how to prevent it | Malware spotlight

Introduction

Supply chain compromise has become more of a concern as of late, with the appearance of COVID-19 affecting many industries — especially healthcare. Attack groups are exploiting this strain on modern society by targeting the supply chains of ICS firms, healthcare, IT and other critical infrastructure industries.

One such malware, known as Kwampirs, has been observed using supply chain compromise during this time of crisis. Kwampirs has been taken so seriously by the FBI that they have issued multiple alerts warning impacted industries of its risk. This article will detail Kwampirs and explore what it is, how it works and how to prevent Kwampirs from impacting your organization.

What is Kwampirs?

First discovered in 2016, Kwampirs is a Remote Access Trojan, or RAT, that targets supply chain companies that supply an array of critical infrastructure industries — from healthcare, energy and IT companies to firms that run ICS. Also known as Orangeworm (both the malware itself and its attack group), this modular advanced persistent threat is used to gain entry to victims’ networks for the purpose of accessing supply chain companies. It should be noted that financial firms and leading law firms have been reported as being secondary targets for this RAT.

In January, February and March 2020, the Federal Bureau of Investigation issued alerts warning the private sector of supply chain cyberattacks. While no specific companies or firms were mentioned by name, the FBI has made it clear that hackers have been using Kwampirs to gain access to the vendors, partners and customers of these critical industries. These FBI alerts suggest that attack groups are starting to focus more on organizations that work with energy transmission and distribution.

Of the many findings these alerts projected, the FBI released the Indicators of compromise (IOC) and YARA

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/BIt4ei88AtE/