Kwampirs RAT Description
Kwampirs is a RAT (Remote Access Trojan) that has been active for more than two years yet has largely stayed under the radar of security researchers and anti-malware products. It is used mainly against companies and organizations in a handful of industries: manufacturing, software development, healthcare and automotive.
As noted above, Kwampirs operates quietly. One reason it went undetected for so long is that its operators do not rely on phishing emails to spread it. Distribution is considerably more involved: the creators plant the malicious payload inside legitimate copies of applications by compromising the software vendor's network, so victims install it as part of software they already trust. This is known as a supply chain attack. Because the tainted build arrives through the vendor's normal distribution channel, controls aimed at email attachments and downloads from untrusted sources will not catch it, and pulling it off suggests that the developers behind Kwampirs are highly experienced operators.
The attackers' goal appears to be the collection of sensitive information and important documents. In the healthcare institutions hit by Kwampirs, the threat was found on systems storing patient information and on medical equipment such as X-ray and MRI machines. After infecting a system, Kwampirs connects to the attackers' C&C (Command and Control) server, from which it receives commands. Kwampirs probably does not have a large feature set, since high-end RATs are often deliberately minimal: the fewer features a threat has, the smaller its footprint and the more likely it is to stay undetected for long periods. The known capabilities of Kwampirs are:
- Collecting information regarding the system and network configurations.
- Modifying files present on the system.
- Collecting files from the system.
Together, these let the operators map the victim's environment and pull out files of interest, which is enough to cause significant damage to a target.
An interesting feature of Kwampirs is that each copy carries an embedded list of about 200 IP addresses and domain names. On execution it works through the list and uses the first entry that answers as its C&C server. According to malware researchers, more than 1500 IP addresses and domains are associated with different copies of Kwampirs. Blocking any single address therefore achieves little; the more useful responses are to extract the embedded list from a captured sample as indicators, and to watch for a host that tries many of those destinations in quick succession, since that is what the fallback behaviour looks like on the network.
Companies and organizations need to take their security seriously, because attackers are constantly looking for ways in. Keep every machine protected by a reputable anti-malware product, keep it updated, and, given how Kwampirs is delivered, treat software and updates arriving from vendors with the same scrutiny as any other inbound file.