Kwampirs is a custom backdoor that has primarily targeted large healthcare organizations in the U.S., Europe, and Asia. It was found on machines running the software that controls high-end imaging devices such as X-ray and MRI machines, which points to a deliberate focus on clinical infrastructure rather than opportunistic infection. On execution, the dropper decrypts its main payload, a Dynamic Link Library (DLL), from its own resource section and writes it out; the backdoor proper is that DLL, and keeping it encrypted inside the dropper's resources hides it from simple static inspection until the dropper runs.
Once inside a victim's network, Kwampirs propagates aggressively: it copies itself to network shares on other reachable hosts, so a single foothold can quickly turn into infections across many machines, and re-infection from an overlooked host is likely if cleanup is partial. The internals of Kwampirs have changed little since it was first identified, which suggests that the mitigation efforts made so far have not forced its operators to retool.
For persistence, Kwampirs installs a Windows service configured to load the main DLL payload into memory at every boot. The backdoor therefore survives restarts and is not removed by terminating the running process; cleanup has to delete the service and the on-disk payload, and do so on every host it has copied itself to. Its continued success despite defenders' awareness and attempts at mitigation shows that the operators can still reach their intended targets and maintain a presence inside the network.
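As a detection-side illustration of the two behaviors described above (copying itself to other hosts' network shares, then installing a service so the payload is loaded at boot), here is an added example that is not from the original page or from any published Kwampirs analysis: a small correlation rule run over constructed Windows event records. It assumes Security event 5145 (network share object access, carrying ShareName, RelativeTargetName, IpAddress and AccessMask) and System event 7045 (a service was installed, carrying ServiceName and ImagePath) have already been reduced to dicts. The host names, IP addresses, file names and the ADMIN_HOSTS allowlist are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

# Constructed sample events (not logs from the original page): a reduced form of
# Windows Security event 5145 (network share object access) and System event
# 7045 (a service was installed). Only the fields the rules below need are kept.
EVENTS = [
    # Remote host writes a file into ADMIN$, then a service pointing at that
    # file appears 28 seconds later: the pattern the rule is meant to catch.
    {"time": "2023-11-20T09:00:12", "id": 5145, "host": "IMG-WS-07",
     "ip": "10.20.4.15", "share": r"\\*\ADMIN$",
     "target": r"System32\svcupd.exe", "access": 0x2},
    {"time": "2023-11-20T09:00:40", "id": 7045, "host": "IMG-WS-07",
     "service": "Update Helper",
     "image": r"C:\Windows\System32\svcupd.exe", "start": "auto start"},
    # Benign: an allowlisted patch server writes to ADMIN$, installs nothing.
    {"time": "2023-11-20T09:05:00", "id": 5145, "host": "MRI-CTRL-02",
     "ip": "10.20.1.5", "share": r"\\*\ADMIN$",
     "target": r"Temp\patch.log", "access": 0x2},
    # Benign: a local installer creates a service with no preceding share write.
    {"time": "2023-11-20T09:07:30", "id": 7045, "host": "MRI-CTRL-02",
     "service": "VendorAgent",
     "image": r'"C:\Program Files\Vendor\agent.exe" /svc', "start": "auto start"},
    # Read-only ADMIN$ access (AccessMask 0x1 = ReadData): not a file drop.
    {"time": "2023-11-20T09:10:00", "id": 5145, "host": "XR-WS-03",
     "ip": "10.20.4.15", "share": r"\\*\ADMIN$",
     "target": r"System32\drivers\etc\hosts", "access": 0x1},
]

ADMIN_HOSTS = {"10.20.1.5"}   # constructed allowlist: deployment/patch servers
WRITE_MASK = 0x2              # 5145 AccessMask bit for WriteData / AddFile
WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def image_basenames(image_path):
    """Lower-cased basenames of the path-like tokens in a 7045 ImagePath.

    Handles quoted paths with trailing arguments, e.g. '"C:\\x\\a.exe" /svc'.
    """
    names = set()
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', image_path):
        token = quoted or bare
        if "\\" in token or token.lower().endswith((".exe", ".dll")):
            names.add(ntpath.basename(token).lower())
    return names


def admin_share_drops(events):
    """5145 events that write into ADMIN$ from a host outside the allowlist."""
    return [e for e in events
            if e["id"] == 5145
            and e["share"].upper().endswith("ADMIN$")
            and e["access"] & WRITE_MASK
            and e["ip"] not in ADMIN_HOSTS]


def correlate(events, window=WINDOW):
    """7045 installs whose ImagePath names a file just dropped via ADMIN$.

    Both events must be on the same host and the install must follow the
    drop within `window`. Returns one finding per (drop, install) pair.
    """
    drops_by_host = defaultdict(list)
    for drop in admin_share_drops(events):
        drops_by_host[drop["host"]].append(drop)

    findings = []
    for e in events:
        if e["id"] != 7045:
            continue
        names = image_basenames(e["image"])
        for drop in drops_by_host[e["host"]]:
            dropped = ntpath.basename(drop["target"]).lower()
            delta = _ts(e) - _ts(drop)
            if dropped in names and timedelta(0) <= delta <= window:
                findings.append({"host": e["host"], "source_ip": drop["ip"],
                                 "service": e["service"], "file": dropped,
                                 "seconds_between": int(delta.total_seconds())})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Two caveats a practitioner should keep in mind. Event 5145 is only written when "Audit Detailed File Share" is enabled, so the rule is silent on hosts with default auditing. And because the Kwampirs payload is a DLL loaded by a service, the 7045 ImagePath will often name a host process such as svchost.exe rather than the dropped file; on real data, also compare the dropped file name against the service's ServiceDll registry value (Sysmon event 13 or registry auditing) rather than relying on ImagePath alone.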
Description last updated: 2023-11-29T01:59:55.860Z