Kwampirs is a modular remote access trojan (RAT) with worm capabilities that gains access to victim hosts and networks. This broad and targeted access to victim organizations is meant to enable follow-on computer network exploitation (CNE) activity. The RAT is used by the OrangeWorm threat actor. Heavily targeted industries include healthcare, software supply chain, energy, finance, judiciary and engineering across Asia, the Americas, the Middle East and Europe. Similarities with the data-destruction malware Shamoon have been observed. During enterprise infections, daily communication with command and control (C2) servers was seen. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets. Lateral movement via network shares and other shared resources is observed. The campaign is a two-phased approach. The first phase establishes a broad and persistent presence on the targeted network, including delivery and execution of secondary malware payload(s). The second phase delivers additional Kwampirs components or malicious payload(s) to further exploit the infected victim host(s).
Propagation, Persistence, Backdoor (Module 1):
Upon successful infection, the Kwampirs RAT propagates laterally across the targeted network over SMB (TCP port 445), using hidden administrative shares such as ADMIN$ and C$. The malware maintains persistence on the infected Windows host by dropping a binary to disk and creating a malicious Windows service configured to start automatically at boot. The new malicious service scans and catalogs the host configuration, encrypts the data, and transmits it to an external command and control (C2) server via an HTTP GET request on port 80.
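The propagate-then-persist pattern just described (a remote login to a hidden admin share over SMB, followed shortly by a new auto-start service on the same host) is something a defender can correlate from standard Windows event logs. The Python below is an added example written for this page, not code from the advisory, from OrangeWorm or from the malware. It runs over constructed sample lines modelled on Security event 5140 (network share accessed) and System event 7045 (new service installed) in a simplified pipe-delimited form; the host names, IP addresses, user names, file paths and the service name UpdateSvcHelper are all hypothetical, and the ten-minute correlation window is an assumption to tune against real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (NOT real telemetry) in a simplified
# "timestamp|host|event_id|key=value key=value ..." form.
# 5140 = network share accessed (Security log), 7045 = new service installed (System log).
# Hosts, IPs, users, paths and the service name "UpdateSvcHelper" are hypothetical.
SAMPLE_EVENTS = [
    "2020-03-02T09:01:10|HOST-A|5140|src=10.0.0.15 share=\\\\*\\ADMIN$ user=svc_backup",
    "2020-03-02T09:01:12|HOST-A|7045|svc=UpdateSvcHelper path=C:\\Windows\\System32\\upsvc.exe start=auto",
    "2020-03-02T09:15:00|HOST-B|5140|src=10.0.0.15 share=\\\\*\\C$ user=svc_backup",
    "2020-03-02T09:15:03|HOST-B|7045|svc=UpdateSvcHelper path=C:\\Windows\\System32\\upsvc.exe start=auto",
    # Benign noise: a normal file share and an on-demand service, should not be flagged.
    "2020-03-02T10:00:00|HOST-C|5140|src=10.0.0.40 share=\\\\*\\Public user=alice",
    "2020-03-02T10:00:05|HOST-C|7045|svc=PrintSpoolerFix path=C:\\Tools\\fix.exe start=demand",
    # Admin share access followed by a service two hours later: outside the window.
    "2020-03-02T11:00:00|HOST-D|5140|src=10.0.0.15 share=\\\\*\\ADMIN$ user=svc_backup",
    "2020-03-02T13:00:00|HOST-D|7045|svc=UpdateSvcHelper path=C:\\Windows\\System32\\upsvc.exe start=auto",
]

# Hidden administrative shares named in the advisory.
ADMIN_SHARES = {"ADMIN$", "C$"}


def parse_event(line):
    """Split one sample line into a dict with a datetime, host, event id and k=v fields."""
    ts, host, event_id, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": int(event_id), **fields}


def is_admin_share_access(event):
    """True for a 5140 event whose share name (last path component) is a hidden admin share."""
    if event["id"] != 5140:
        return False
    share_name = event.get("share", "").rsplit("\\", 1)[-1].upper()
    return share_name in ADMIN_SHARES


def find_lateral_service_installs(lines, window_minutes=10):
    """Flag hosts where an admin-share access from a remote source is followed within
    window_minutes by an auto-start service install (the Module 1 propagate-then-persist
    sequence). Returns one hit per flagged service with the pivot source and the lag."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    hits = []
    for host, host_events in by_host.items():
        accesses = [e for e in host_events if is_admin_share_access(e)]
        for svc in host_events:
            if svc["id"] != 7045 or svc.get("start") != "auto":
                continue
            for acc in accesses:
                lag = svc["ts"] - acc["ts"]
                if timedelta(0) <= lag <= window:
                    hits.append({
                        "host": host,
                        "src": acc["src"],
                        "service": svc["svc"],
                        "path": svc["path"],
                        "lag_s": int(lag.total_seconds()),
                    })
                    break  # one hit per service install is enough
    return hits


def pivot_sources(hits):
    """Count distinct victim hosts per pivot source; worm behaviour shows up as fan-out."""
    victims = defaultdict(set)
    for hit in hits:
        victims[hit["src"]].add(hit["host"])
    return {src: len(hosts) for src, hosts in victims.items()}


if __name__ == "__main__":
    found = find_lateral_service_installs(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit['host']}: admin share from {hit['src']}, then auto-start service "
              f"{hit['service']} ({hit['path']}) {hit['lag_s']}s later")
    print("fan-out per source:", pivot_sources(found))
```

The discriminating signal is the pairing: admin-share logins from a management host are common on their own, and so are new services, but a new auto-start service landing seconds after a remote ADMIN$ or C$ connection, repeated across many hosts from one source, is the worm pattern. Widening the window catches slower operators at the cost of more benign pairings, so the value should be set from your own baseline. The daily HTTP GET beacon to port 80 described above is a separate hunt in proxy or firewall logs.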
Module 2 executes additional Kwampirs RAT modular components on the infected host(s). These malicious components allow further detailed collection of system and network interface configuration. This information is encrypted and transmitted to the C2 server via HTTP. Secondary module commands are intended to be highly targeted and executed on critical business and/or network hosts, to include the
Secondary modules executed on the victim host(s) run the following additional commands, which result in much deeper and more thorough reconnaissance of the targeted entity. Targeted software supply chain vendors share some of the following business and operations attributes:
Significant intrusion vectors include the following: