Kwampirs

Malware Profile Updated 3 months ago
Kwampirs is a custom backdoor that has primarily targeted large healthcare sector firms across the U.S., Europe, and Asia. The malware was discovered on machines running software used to control high-tech imaging devices such as X-Ray and MRI machines, indicating a strategic focus on critical medical infrastructure. Upon execution, Kwampirs decrypts and extracts a copy of its main Dynamic Link Library (DLL) payload from its resource section, and this payload carries out the backdoor's malicious activity. Once inside a victim's network, Kwampirs propagates aggressively, copying itself over network shares to spread to other hosts; this allows it to infect multiple machines within the network rapidly and persistently. The internals of Kwampirs have shown little change since its initial discovery, suggesting that previous mitigation efforts against it have largely been unsuccessful. To persist on infected systems, Kwampirs creates a service with a specific configuration that loads the main payload into memory on each system reboot, so the malware remains active after a restart and is difficult to remove. The continued success of Kwampirs, despite defenders' awareness and attempts at mitigation, indicates the attackers' ability to reach their intended targets and maintain a presence within the network.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Payload
Healthcare
Malware
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Orangeworm | Unspecified | 1 | Orangeworm is a threat actor first identified in January 2015, known for its targeted attacks against organizations in the healthcare sector across the U.S., Europe, and Asia. These attacks are often part of a broader supply-chain attack strategy aimed at reaching their intended victims. The group d
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Kwampirs malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia