Kwampirs
Kwampirs is a custom backdoor/Trojan associated with the Orangeworm threat group. In May 2018, Orangeworm was implicated in deploying Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. Reported targeting also included pharmaceuticals and healthcare IT solution providers, and infections spread within victim networks to systems used to control medical devices including MRI and X-ray machines.
Kwampirs provides remote access to infected systems. When executed, it decrypts and extracts a copy of its main DLL payload from its resources and inserts a randomly generated string into the decrypted payload before writing it to disk, so that each dropped copy has a different hash and evades hash-based detection. For persistence, it uses rundll32.exe in a Registry value. For lateral movement, it copies itself over network shares.
Observed discovery and reconnaissance behavior includes collecting available servers with net view and net view ., network shares with net share, accounts with net users, domain groups with net localgroup /domain, registered owner details with systeminfo and net config workstation, running services with tasklist /svc and tasklist /v, active and listening connections with netstat -nao, available network mappings with net use, and network adapter/interface information with ipconfig /all, arp -a, route print, getmac, and net config workstation.
High-confidence indicators from the content are behavioral rather than static IOCs: use of rundll32.exe for Registry-based persistence; execution involving decryption and extraction of a DLL payload; reconnaissance commands including net view, net users, net share, tasklist /svc, tasklist /v, netstat -nao, net use, ipconfig /all, arp -a, route print, getmac, systeminfo, and net config workstation; and propagation via network shares.
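The behavioral indicator above (a burst of distinct discovery commands on one host) can be scored directly from process-creation telemetry. The following Python is an added example, not part of the original profile or any vendor rule set; the host names, timestamps and command lines are constructed, and the threshold of five distinct tools within ten minutes is an assumption to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the write-up attributes to Kwampirs: program -> accepted
# first argument (None: any arguments count).
RECON_TOOLS = {"net": {"view", "share", "user", "users", "localgroup", "use", "config"},
               "route": {"print"}, "systeminfo": None, "tasklist": None, "netstat": None,
               "ipconfig": None, "arp": None, "getmac": None}

def classify(cmdline):
    """Label a command line ('net view', 'tasklist', ...) or return None. Strips a
    'cmd /c' wrapper, directory prefix and '.exe'; '>> %temp%\\x' redirection is ignored."""
    toks = cmdline.strip().lower().split() or [""]
    if len(toks) > 2 and toks[0].rsplit("\\", 1)[-1] in ("cmd", "cmd.exe") and toks[1] == "/c":
        toks = toks[2:]
    prog = toks[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    prog = "net" if prog == "net1" else prog  # net.exe hands off to net1.exe in telemetry
    if prog not in RECON_TOOLS:
        return None
    subs = RECON_TOOLS[prog]
    if subs is None:
        return prog
    return f"{prog} {toks[1]}" if len(toks) > 1 and toks[1] in subs else None

def discovery_bursts(events, min_distinct=5, window=timedelta(minutes=10)):
    """Return {host: sorted labels} for hosts running at least min_distinct distinct
    discovery commands within `window`; an admin's one or two tools stay below it."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev["cmd"])
        if label:
            per_host[ev["host"]].append((ev["ts"], label))
    hits = {}
    for host, seq in per_host.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            labels = {lab for t, lab in seq[i:] if t - t0 <= window}
            if len(labels) >= min_distinct:
                hits[host] = sorted(labels)
                break
    return hits

# Constructed sample events (host, seconds after T, command line); not real data.
T = datetime(2024, 1, 1, 9, 0)
RAW = [("ws-rad-07", 0, "cmd /c net view >> %temp%\\download"), ("ws-rad-07", 44, "getmac"),
       ("ws-rad-07", 5, "cmd /c net share >> %temp%\\download"), ("ws-rad-07", 20, "tasklist /svc"),
       ("ws-rad-07", 12, "C:\\Windows\\System32\\net1.exe users"), ("ws-rad-07", 31, "netstat -nao"),
       ("ws-rad-07", 40, "ipconfig /all"), ("ws-admin-01", 0, "ipconfig /all"), ("ws-admin-01", 7200, "netstat -nao")]
SAMPLE_EVENTS = [{"host": h, "ts": T + timedelta(seconds=s), "cmd": c} for h, s, c in RAW]
```

Running `discovery_bursts(SAMPLE_EVENTS)` flags only ws-rad-07; the two administrative commands on ws-admin-01 never reach the threshold.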
Groups observed using it
1 distinct threat actor attributed by public researchers.
In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique: Multiple examples of using built-in commands for discovery, e.g. “ver >> %temp%\download”, “systeminfo >> %temp%\download”, and “cmd /c systeminfo …”.
Persistence
1 technique: “Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
Privilege Escalation
1 technique: the same service-modification technique quoted under Persistence above.
Stealth
5 techniques: The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Discovery
14 techniques: "actors used the following command ... to obtain information about services: net start"; "APT1 used the commands net start and tasklist to get a listing of the services on the system"; "OilRig has used sc query on a victim to gather information about services"; "Indrik Spider has used the win32_service WMI class to retrieve a list of services"
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
“actors used the following commands… to enumerate user accounts: net user >> %temp%\download; net user /domain >> %temp%\download … APT1 used the commands net localgroup, net user, and net group to find accounts… APT32 enumerated administrative users using the commands net localgroup administrators … OilRig has run net user, net user /domain, net group "domain admins" /domain …”
"Babuk can enumerate disk volumes, get disk information"; "Ryuk has called GetLogicalDrives ... and GetDriveTypeW"; "Cuba can enumerate local drives, disk type, and disk free space"; "Chimera ... fsutil fsinfo drives"
Lateral Movement
1 technique
Command and Control
2 techniques: BITTER has used a RAR SFX dropper to deliver malware. CARROTBAT has the ability to download a base64 encoded payload. Emotet uses obfuscated URLs to download a ZIP file. Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.
Recent activity
26 sources tracked across advisories, community write-ups, and news.
Custom backdoor used by Orangeworm that provides remote access to target systems, decrypts and extracts its main DLL payload from its resource section, and inserts a randomly generated string into the decrypted payload before writing it to disk to evade hash-based detections.
A backdoor that enumerates available servers using net view.
Backdoor that enumerates local users and administrators via net localgroup commands.
Cycles through a large list of C2 servers until it successfully connects.