The Kwampirs threat is a RAT (Remote Access Trojan) that has been around for more than two years but has somehow succeeded in remaining under the radar of cybersecurity researchers and anti-malware solutions. This particular threat is mainly used for targeting companies and organizations in several industries – manufacturing, software development, healthcare and automotive.
New malware may emerge each day, but so do new defenses against malware. ReversingLabs has analyzed information from attacks related to the Kwampirs RAT (Remote Access Trojan) to come up with new ways for software companies to defend themselves.
ReversingLabs published an analysis that urged organizations to ensure suppliers aren't compromised, and their software development environments are protected.
The security firm found small traces of the attacks and used them to piece together the infrastructure behind them, which is the work of the Orangeworm hacking group. Symantec discovered the group behind the attacks in 2018. Symantec also found that the virus had appeared in hospital equipment, such as MRI machines.
The FBI issued a warning recently that Kwampirs was being deployed against targets in the Industrial Control Systems sector, in particular the energy sector.
The FBI sent out a private industry notification stating:
"Software supply chain companies are believed to be targeted in order to gain access to the victim's strategic partners and/or customers, including entities supporting Industrial Control Systems for global energy generation, transmission, and distribution."
As well as attacks on the supply chain, the FBI warned that the malware was also used to attack energy, financial, and healthcare companies.
According to ReversingLabs, the configuration of the malware is the most important thing to understand. The malware acts as a Remote Access Trojan that allows hackers to access and use an infected system remotely.
The security firm started with publicly available information about the virus and matched it against samples collected by the Titanium Platform. Their research into the virus uncovered the following information.
How Does Kwampirs Attack Computers?
ReversingLabs took data samples from attacks to put together a configuration parser to extract the network configuration of the samples. Every sample collected by ReversingLabs had 200 control server URLs attached to it. Attacks of this nature are usually carried out using campaigns with the same set of control servers.
The firm was looking for command-and-control (C2) URLs in particular. The C2 URLs are important because of how Kwampirs connects to them. Each sample of the virus included 200 URLs that the virus would try to access in sequential order. C2 locations are listed as either an IP address or domain name. Kwampirs will work through the list until it finds an active URL to connect to the C2 server.
Given that the malware configuration is stored inside the installer that drops the DLL file onto the infected computer, the parser requires an unpacker to crack the DLL. The unpacker extracts the DLL from the installer and allows the parser to collect information about the C2 servers.
ReversingLabs used these methods to find 1,586 URLs. An analysis of the URLs showed that some droppers would use the same payload even though they had different hashes. The files had just one difference: a 64-byte string used to create random file names. ReversingLabs believes the discovery shows that the latest dropper samples spotted in the cloud have been put together more recently despite using the old DLL payloads.
Understanding the Design of Kwampirs
ReversingLabs moved their analysis to the next stage, which was to group the samples into campaigns and understand how Kwampirs attacks are conducted. Malware generally attacks in waves with an identical control server structure for each stage of the attack. The security firm grouped the different data files using the rich header information and file compilation timestamp for the samples.
The rich header metadata includes information about when the samples were compiled and linked. The header, in this case, showed the samples were all compiled using Visual Studio 2010. The timestamps didn't correlate with the first known appearance of the virus – May 2015. It looked like the samples had been compiled years before being sent to the cloud. If they were compiled that much earlier, there's a good chance the samples were compiled using a virtual machine to create fake timestamps.
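The grouping step described above, as an added example that is not ReversingLabs' own tooling: a small parser for the PE Rich header (the XOR-encoded block between the DOS stub and the PE signature) and the COFF compile timestamp, plus a grouping key built from both. The samples are constructed in-memory blobs with made-up product ids, not real Kwampirs binaries.

```python
import struct
from collections import defaultdict

DANS = 0x536E6144  # "DanS" marker that opens the Rich header, stored XORed with the key

def parse_rich_header(data):
    """Return (xor_key, [(comp_id, count), ...]) or None if the PE has no Rich header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0, e_lfanew)          # header sits in the DOS stub area
    if rich_off < 0:
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]  # key follows the "Rich" tag
    dans_off = next((o for o in range(rich_off - 4, -1, -4)
                     if struct.unpack_from("<I", data, o)[0] ^ key == DANS), None)
    if dans_off is None:
        return None
    entries = []  # DanS is followed by three padding dwords, then (comp_id, count) pairs
    for off in range(dans_off + 16, rich_off, 8):
        comp_id, count = struct.unpack_from("<2I", data, off)
        entries.append((comp_id ^ key, count ^ key))
    return key, entries

def compile_timestamp(data):
    """COFF TimeDateStamp: PE signature (4 bytes), Machine (2), NumberOfSections (2), then the stamp."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def group_samples(samples):
    """Group sample names by (Rich header entries, compile timestamp); the key is ignored
    because two builds of the same toolchain can carry different checksum keys."""
    groups = defaultdict(list)
    for name, data in samples.items():
        rich = parse_rich_header(data)
        groups[(tuple(rich[1]) if rich else None, compile_timestamp(data))].append(name)
    return dict(groups)

def build_sample(key, entries, timestamp):
    """Constructed minimal PE-shaped blob for testing; not a real binary."""
    rich = struct.pack("<4I", DANS ^ key, key, key, key)        # DanS + 3 zero pads, XORed
    rich += b"".join(struct.pack("<2I", c ^ key, n ^ key) for c, n in entries)
    rich += b"Rich" + struct.pack("<I", key)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64 + len(rich))  # e_lfanew at 0x3C
    return dos + rich + b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, timestamp) + b"\0" * 12

# Constructed samples: comp_id values are made up, not real Visual Studio product ids.
SAMPLES = {  # 1262304000 = 2010-01-01T00:00Z, 1430438400 = 2015-05-01T00:00Z
    "sample_a": build_sample(0x1234ABCD, [(0x00010001, 5), (0x00020002, 3)], 1262304000),
    "sample_b": build_sample(0x0F0F0F0F, [(0x00010001, 5), (0x00020002, 3)], 1262304000),
    "sample_c": build_sample(0x1234ABCD, [(0x00030003, 9)], 1430438400),
}
```

`group_samples(SAMPLES)` puts `sample_a` and `sample_b` in one bucket despite their different XOR keys and hashes, and `sample_c` in another; on real files a timestamp years before first sighting is the anomaly the article points at.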
A more detailed analysis of the campaigns showed the same control domains connected them.
How to Defend Against Kwampirs
ReversingLabs used the information from their analysis to create a full list of potential Indicators of Compromise (IOCs). Companies should look over the indicators to strengthen firewall blocking measures and the intrusion detection rules of their antivirus products. Companies should also search through their SIEM logs to find endpoints the virus may have infected.
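The SIEM search described above, as an added example that is not part of ReversingLabs' analysis. Because Kwampirs walks its C2 list in order until one entry answers, an infected host shows up as a short run of connection attempts to several of the listed domains and IPs; the code flags any host that touched a configurable number of distinct IOC entries. The IOC values and the key=value log lines are constructed stand-ins, not the published indicators or a real SIEM export format.

```python
import re
from collections import defaultdict

# Constructed IOC list: placeholders for the published C2 indicators (domains or IPs).
KWAMPIRS_C2_IOCS = {
    "c2-one.invalid", "c2-two.invalid", "c2-three.invalid",
    "203.0.113.10", "198.51.100.7",
}

# Constructed firewall/proxy lines; ws-17 walks the list, the others are noise or one-offs.
SAMPLE_LOGS = """\
2020-03-30T10:00:01Z src=10.1.4.17 dst=c2-one.invalid action=deny
2020-03-30T10:00:03Z src=10.1.4.17 dst=c2-two.invalid action=deny
2020-03-30T10:00:05Z src=10.1.4.17 dst=203.0.113.10 action=deny
2020-03-30T10:00:07Z src=10.1.4.17 dst=c2-three.invalid action=allow
2020-03-30T10:00:09Z src=10.1.4.22 dst=updates.example.org action=allow
2020-03-30T10:00:11Z src=10.1.4.31 dst=198.51.100.7 action=deny
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def ioc_hits_by_host(text, iocs):
    """Every contact with a listed C2 entry, keyed by source host. A single hit already
    matters; the sequence of (timestamp, destination, action) is kept for the analyst."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["dst"].lower() in iocs:
            hits[rec["src"]].append((rec["ts"], rec["dst"], rec["action"]))
    return dict(hits)

def flag_hosts(text, iocs, min_distinct=3):
    """Hosts that reached several distinct C2 entries: the footprint of the sequential walk."""
    flagged = {}
    for host, events in ioc_hits_by_host(text, iocs).items():
        distinct = {dst for _, dst, _ in events}
        if len(distinct) >= min_distinct:
            flagged[host] = sorted(distinct)
    return flagged
```

The `allow` on the last ws-17 line is the one that matters for response: the walk stopped there, so that entry is the live C2 at the time of the log.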
Kwampirs is known to replicate itself by copying versions of itself over network shares on infected computers. This kind of propagation tactic works effectively in an environment with older operating systems, such as the healthcare industry. One way to defend against Kwampirs would be to update computers to the latest OS or, at the very least, a more recent one.