‘Orangeworm’ Virus Targets Healthcare Sector

Hackers known as Orangeworm are installing a backdoor malware called Trojan.Kwampirs within large corporations in the healthcare sector in the United States, Europe, and Asia, the cyber-defense firm Symantec says.

“First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims,” Symantec says in a blog post.

“Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage,” Symantec says.

Kwampirs was found on software used for X-Rays and MRIs, and the malware also targets systems used to assist patients in completing consent forms for required procedures.

Orangeworm’s motives with the Kwampirs malware are not clear, but Symantec says it is likely the work of an individual or a small group of hackers, and the goal is corporate espionage.

Based on the list of known victims, Symantec says Orangeworm appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.

According to Symantec telemetry, almost 40% of Orangeworm’s confirmed victim companies globally are in the healthcare industry. Of those healthcare companies, the largest number of victims is in the United States, which accounts for 17% of infections.

Once Orangeworm has infiltrated a victim’s network, it deploys Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer, Symantec says.

“Once inside, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections,” Symantec says.
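The detail in that quote matters for defenders: a random string inserted into the payload changes the file's hash on every install, so a blocklist of known hashes will miss each new copy, while detection that keys on byte patterns the payload must keep is unaffected. The following Python is an added illustration of that contrast, not code from Symantec or from the article; the "payload" is a constructed PE-like byte string with made-up marker strings, not real Kwampirs bytes or indicators, and `insert_filler` only models the insertion the text describes so that a variant can be produced for comparison.

```python
import hashlib

# Constructed stand-in for a dropped payload: a small PE-like byte string with
# a few stable marker strings. These are NOT real Kwampirs bytes or indicators.
BASE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + b"EXAMPLE_INVARIANT_STRING_A"
    + b"\x00" * 8
    + b"EXAMPLE_INVARIANT_STRING_B"
)

# Byte patterns a content-based rule would require (constructed for this example).
SIGNATURE_PATTERNS = [b"EXAMPLE_INVARIANT_STRING_A", b"EXAMPLE_INVARIANT_STRING_B"]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole file, as a hash blocklist would store it."""
    return hashlib.sha256(data).hexdigest()


def insert_filler(payload: bytes, filler: bytes, offset: int) -> bytes:
    """Model the behaviour the article quotes: a string inserted into the
    middle of the payload. Used here only to build a variant to test against."""
    return payload[:offset] + filler + payload[offset:]


def detect_by_hash(data: bytes, known_hashes: set) -> bool:
    """Exact-match detection: a hit only if the entire file hashes to a known value."""
    return sha256_hex(data) in known_hashes


def detect_by_patterns(data: bytes, patterns) -> bool:
    """Content-based detection: a hit if every invariant pattern is present,
    regardless of what else sits between them."""
    return all(p in data for p in patterns)


def compare_detections(base: bytes, variant: bytes) -> dict:
    """Run both detection styles over the original and a filler-inserted copy."""
    known = {sha256_hex(base)}  # blocklist built from the sample we already have
    return {
        "hash_detects_base": detect_by_hash(base, known),
        "hash_detects_variant": detect_by_hash(variant, known),
        "pattern_detects_base": detect_by_patterns(base, SIGNATURE_PATTERNS),
        "pattern_detects_variant": detect_by_patterns(variant, SIGNATURE_PATTERNS),
    }


if __name__ == "__main__":
    # Constructed filler; the real malware would use a random value per install.
    variant = insert_filler(BASE_PAYLOAD, b"XQ7mz2", offset=40)
    for name, hit in compare_detections(BASE_PAYLOAD, variant).items():
        print(f"{name}: {hit}")
```

The hash-based check catches only the sample it was built from; the pattern check catches both. In practice the pattern side is what a YARA rule or an endpoint product's byte-signature engine does, and it is the reason indicator feeds for families like this one are more useful as strings and behaviours than as a list of file hashes.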

If Orangeworm determines that a victim is of interest, it aggressively copies the backdoor across open network shares to infect other computers.

The malware gathers as much information about the victim’s network as possible, including any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.

Symantec says that Kwampirs uses a fairly aggressive means of propagating itself once inside a victim’s network: it copies itself over network shares.

“While this method is considered somewhat old, it may still be viable for environments that run older operating systems such as Windows XP,” Symantec says.

“This method has likely proved effective within the healthcare industry, which may run legacy systems on older platforms designed for the medical community. Older systems like Windows XP are much more likely to be prevalent within this industry.”

John Commins

John Commins is a senior editor at HealthLeaders Media.