The FBI issued an alert to healthcare providers and other industries about the ongoing threat of the Kwampirs malware to the software supply chain.
Since as far back as 2016, the FBI has observed an advanced persistent threat running a campaign that uses Kwampirs, a Remote Access Trojan. The information, distributed through FBI Liaison Alert System (FLASH) messages, is intended to enhance the 'network defense posture of public and private partners.'
The FBI sent similar alerts regarding Kwampirs in January and February 2020, with the latest one also noting the challenges posed by the COVID-19 pandemic. The Kwampirs RAT is a modular Trojan capable of gaining access to machines and networks. According to the FBI, the primary purpose of the malware is gaining targeted access to companies, followed by further exploitation activity.
Using forensic analysis and victimology, the FBI followed the trail of attacks and discovered they were aimed at the software supply chain, healthcare, engineering, and energy sectors across the US, Europe, Asia, and the Middle East. Secondary targets included prominent law firms and financial institutions.
The Kwampirs RAT did not incorporate more destructive components or modules such as a wiper, the agency noted. Using comparative forensic analysis, agents determined the campaign shared some similarities with the data-wiping malware Disttrack, also known as Shamoon.
Healthcare sector targeted
The FBI's warnings noted the Kwampirs attacks were aimed at global healthcare entities, with targets ranging from major transnational healthcare providers to local hospital organizations. During the campaigns, the Kwampirs RAT performed daily command-and-control communications with malicious domains.
The Kwampirs campaign gained access to many hospitals around the world through the vendor software supply chain and related hardware. Infected software supply chain vendors included those whose products are used to manage industrial control systems in hospitals.
A persistent threat
The Kwampirs threat persists during the pandemic, while organizations are struggling with the rising number of COVID-19 cases. The rapid expansion of work from home creates an entirely new and riskier situation.
Back in 2018, security company Symantec reported that large healthcare companies across the US, Europe, and Asia had been under attack by a Kwampirs backdoor attributed to the group known as Orangeworm.
The two-phased attack
The FBI noted the Kwampirs malware used two phases of attack, the first establishing a broad and persistent presence on the targeted network, including the delivery and execution of secondary malware payloads. The second phase deploys additional Kwampirs components or malicious payloads that further exploit the infected hosts.
The APT group using Kwampirs successfully maintained persistence on affected networks for up to 3 years, deploying a secondary module that performs additional data collection.
FBI Security Recommendations
The FBI suggests several practices to bolster the security of organizations and businesses and to strengthen their defenses. Blocking external access to administration panels and never using default login credentials is an absolute must. If an organization detects the presence of the Kwampirs RAT, the FBI recommends it gather and preserve the following evidence to support an investigation:
- Image and memory capture from infected hosts
- Network traffic in PCAP format from the infected hosts for 48 hours
- DNS and firewall logs
- Identification and description of any hosts communicating with Command-and-Control servers
- Identification of the point of infection and attack vectors
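The alert's collection steps ask responders to pull DNS logs and identify hosts talking to command-and-control servers, and the article notes the RAT beaconed to its domains daily. The following is an added example, not code from the FBI alert or the article, of how an analyst might triage DNS logs for both of those signals. It assumes a simple constructed log format (`timestamp client_ip query_name`), a placeholder watchlist domain (`c2-placeholder.example`) standing in for the indicators a real FLASH would supply, and a hypothetical tolerance of two hours around a 24-hour beacon interval.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS log lines (not real data). Format: "<ISO timestamp> <client IP> <queried name>"
# Host 10.20.1.15 queries the placeholder C2 domain at the same time each day; 10.20.1.30 queries it once.
SAMPLE_DNS_LOG = """\
2020-03-01T02:15:07 10.20.1.15 c2-placeholder.example
2020-03-01T09:30:11 10.20.1.15 updates.vendor.example
2020-03-02T02:15:09 10.20.1.15 c2-placeholder.example
2020-03-03T02:15:05 10.20.1.15 c2-placeholder.example
2020-03-01T11:00:00 10.20.1.22 www.example.org
2020-03-02T11:05:00 10.20.1.22 www.example.org
2020-03-02T14:40:10 10.20.1.30 c2-placeholder.example
"""

# Placeholder indicator list; a real investigation would load the domains from the FBI FLASH.
C2_WATCHLIST = {"c2-placeholder.example"}


def parse_dns_log(text):
    """Parse the constructed log format into (datetime, client_ip, normalized_name) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        records.append((datetime.fromisoformat(ts), client, name.lower().rstrip(".")))
    return records


def hosts_contacting_c2(records, watchlist):
    """Map each client IP to the sorted list of (timestamp, domain) hits against the watchlist."""
    hits = defaultdict(list)
    for ts, client, name in records:
        if name in watchlist:
            hits[client].append((ts, name))
    return {client: sorted(v) for client, v in hits.items()}


def is_daily_beacon(timestamps, tolerance_hours=2.0):
    """True if at least three queries exist and every consecutive gap is 24h within the tolerance."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    for earlier, later in zip(ts, ts[1:]):
        gap_hours = (later - earlier).total_seconds() / 3600
        if abs(gap_hours - 24) > tolerance_hours:
            return False
    return True


def find_daily_beacons(records, tolerance_hours=2.0):
    """Watchlist-independent view: every (client, domain) pair showing a daily query cadence."""
    per_pair = defaultdict(list)
    for ts, client, name in records:
        per_pair[(client, name)].append(ts)
    return {pair for pair, stamps in per_pair.items() if is_daily_beacon(stamps, tolerance_hours)}


def summarize(records, watchlist):
    """Per-host summary suitable for the 'hosts communicating with C2' item in the evidence list."""
    summary = {}
    for client, hits in hosts_contacting_c2(records, watchlist).items():
        stamps = [ts for ts, _ in hits]
        summary[client] = {
            "domains": sorted({name for _, name in hits}),
            "first_seen": min(stamps).isoformat(),
            "last_seen": max(stamps).isoformat(),
            "daily_beacon": is_daily_beacon(stamps),
        }
    return summary


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for host, info in summarize(recs, C2_WATCHLIST).items():
        print(host, info)
    print("daily cadence without watchlist:", find_daily_beacons(recs))
```

The watchlist check answers the evidence-list question directly, while `find_daily_beacons` catches the same host from cadence alone, which matters when the indicator list is incomplete or the operator has rotated domains.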