Orangeworm, a New Hacking Group Targeting Healthcare Industry
Security researchers at Symantec have discovered a hacker group that is attacking the healthcare industry. Dubbed Orangeworm, the group has been installing a backdoor called Trojan.Kwampirs on machines that are used to control medical equipment like X-Ray and MRI systems. In addition, Orangeworm also seems interested in machines that are used to help patients in filling consent forms for required procedures.
Trojan.Kwampirs creates backdoor remote access to the compromised system and starts collecting information about the computer. Symantec believes that Orangeworm probably uses this information to determine whether a researcher or a high-value target uses the system. If Orangworm finds that the victim is a person of interest, it moves in to infect other computers on the network. Kwampirs creates a service to ensure persistence, so that the main payload is loaded into memory duing system reboot.
"When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections," explained the Security Response Attack Investigation Team of Symantec in a blog post.
The Healthcare industry is not the sole target of Orangeworm. According to Symantec, Orangeworm is also targeting manufacturing, IT, agriculture, and logistics companies. According to Symantec, "While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products."
The US tops the charts of victims, followed by India and European countries.