FBI Warns of Ongoing Kwampirs Malware Attacks Targeting Global Industries


A threat actor is targeting organizations across a wide variety of industries with a piece of malware known as Kwampirs, warns the Federal Bureau of Investigation.

Initially outlined in 2018, the malware is a custom backdoor affiliated with a threat actor identified as Orangeworm, which has been active since at least 2015, primarily targeting healthcare sector organizations but also launching attacks on healthcare-related sectors, including IT, manufacturing, and logistics.

According to the FBI, attacks involving the Kwampirs Remote Access Trojan (RAT) have occurred since 2016, targeting healthcare, software supply chain, resources, and engineering companies in the United States, Europe, Asia, and the Middle East. Financial institutions and prominent law firms have also been targeted.

According to the FBI’s warning, although the backdoor does not include a wiper or destructive module, it shares code-based similarities with the data destruction malware Disttrack, better known as Shamoon.

The malware has been actively used against large transnational healthcare corporations and local hospital associations in attacks on healthcare institutions worldwide. In some instances, the infections propagate across the corporate networks, reads the FBI’s warning (PDF).

“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals,” the agency says.

The attacks unfold in two stages. First, the attackers establish broad and persistent access to the target network so that secondary payloads can be delivered and executed; then they supply the infected hosts with additional Kwampirs components or payloads.

Stealth allowed the threat actor to retain long-term access to the infected networks, in some cases for up to 3 years. The attackers were also found to deploy a targeted reconnaissance module.

The attackers collected information from the affected networks about primary and secondary domain controllers, engineering servers for ICS products and devices, software development servers used for source code storage, and file servers used as general research and development (R&D) repositories.

The targeted supply chain providers supply business products and services to multi-industry imaging firms, co-develop products with worldwide technology and ERP (Enterprise Resource Planning) companies, and provide ICS-supporting products and services.

Infections occur during mergers and acquisitions, during co-development, by conventional means, and through infected devices of supply chain providers installed in the customer’s LAN or cloud infrastructure.

“Kwampirs campaign actors have targeted companies in the imaging industry, to include networked scanner and copier-type devices, with domain access to customer networks. The FBI assesses these imaging vendors are targeted to gain access to customer networks, including remote or cloud management access, which could permit lateral CNE movement within victim networks,” the FBI says.

The warning also underlines that the modular nature of the Kwampirs RAT enables attackers to carry out additional malicious activity on the network via secondary modules. The FBI also reports that endpoint security solutions may not be able to remediate these modules.

Infected companies should contact their information security suppliers and coordinate efforts with the FBI to reduce the risk of infection. Victims are advised to collect network traffic, capture forensic images of infected hosts, collect web proxy, DNS, and firewall logs, identify hosts communicating with C&C servers, and identify patient zero and the attack vectors used against the organization.
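As an added example that is not part of the FBI warning or this article, the following script shows one way to carry out the last two response steps above: it correlates constructed DNS and firewall log lines against placeholder C2 indicators (not real Kwampirs infrastructure) to list the hosts that contacted them and flags the earliest contact as the starting point for the patient-zero investigation.

```python
"""Correlate DNS and firewall logs to find hosts contacting known C2 indicators."""
from datetime import datetime

# Constructed sample logs (not from the FBI advisory); timestamps are ISO 8601.
DNS_LOG = """\
2020-03-02T08:15:01 10.1.4.22 query A update-srv.example-c2.test
2020-03-02T08:15:03 10.1.4.22 query A cdn.example.com
2020-03-02T09:40:17 10.1.7.90 query A update-srv.example-c2.test
2020-03-03T11:02:44 10.1.2.15 query A mail.example.com
"""
FIREWALL_LOG = """\
2020-03-02T08:15:02 ALLOW 10.1.4.22:49211 -> 198.51.100.7:443
2020-03-02T09:40:18 ALLOW 10.1.7.90:51002 -> 198.51.100.7:443
2020-03-03T11:02:45 ALLOW 10.1.2.15:50333 -> 203.0.113.5:25
"""
# Placeholder indicators; real ones would come from the advisory or a threat-intel feed.
C2_DOMAINS = {"update-srv.example-c2.test"}
C2_IPS = {"198.51.100.7"}


def parse_dns(log):
    """Yield (timestamp, querying host, queried domain) for each DNS log line."""
    for line in log.splitlines():
        ts, host, _, _, domain = line.split()
        yield datetime.fromisoformat(ts), host, domain


def parse_firewall(log):
    """Yield (timestamp, source IP, destination IP), dropping port numbers."""
    for line in log.splitlines():
        ts, _, src, _, dst = line.split()
        yield datetime.fromisoformat(ts), src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]


def find_c2_contacts(dns_log, fw_log):
    """Return {host: earliest C2 contact time} across both log sources."""
    hits = [(ts, h) for ts, h, d in parse_dns(dns_log) if d in C2_DOMAINS]
    hits += [(ts, s) for ts, s, d in parse_firewall(fw_log) if d in C2_IPS]
    first_seen = {}
    for ts, host in hits:
        if host not in first_seen or ts < first_seen[host]:
            first_seen[host] = ts
    return first_seen


def patient_zero(first_seen):
    """The earliest-contacting host is where the patient-zero investigation starts."""
    return min(first_seen, key=first_seen.get) if first_seen else None
```

The same first-seen logic extends to web proxy logs once a parser for their line format is added, which is why the advisory asks for all three log sources.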

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.