S0236 Kwampirs
Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines that had software installed for the use and control of high-tech imaging devices such as X-ray and MRI machines.[2] Reverse-engineering analysis has shown multiple technical overlaps between Kwampirs and Shamoon.[1]
| Item | Value |
|---|---|
| ID | S0236 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 17 October 2018 |
| Last Modified | 11 April 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Kwampirs collects a list of accounts with the command net users.[2] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Kwampirs creates a new service named WmiApSrvEx to establish persistence.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Kwampirs decrypts and extracts a copy of its main DLL payload when executing.[2] |
| enterprise | T1008 | Fallback Channels | Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established.[2] |
| enterprise | T1083 | File and Directory Discovery | Kwampirs collects a recursive list of files and directories under C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP\[RANDOM].tmp".[2] |
| enterprise | T1105 | Ingress Tool Transfer | Kwampirs downloads additional files from C2 servers.[3] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.[2] |
| enterprise | T1135 | Network Share Discovery | Kwampirs collects a list of network shares with the command net share.[2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.001 | Binary Padding | Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.[2] |
| enterprise | T1027.013 | Encrypted/Encoded File | Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.[3] |
| enterprise | T1201 | Password Policy Discovery | Kwampirs collects password policy information with the command net accounts.[2] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | Kwampirs collects a list of users belonging to the local Users and Administrators groups with the commands net localgroup administrators and net localgroup users.[2] |
| enterprise | T1069.002 | Domain Groups | Kwampirs collects a list of domain groups with the command net localgroup /domain.[2] |
| enterprise | T1057 | Process Discovery | Kwampirs collects a list of running processes, with verbose per-process detail, using the command tasklist /v.[2] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Kwampirs copies itself over network shares to move laterally on a victim network.[2] |
| enterprise | T1018 | Remote System Discovery | Kwampirs collects a list of available servers with the command net view.[2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Kwampirs uses rundll32.exe in a Registry value added to establish persistence.[2] |
| enterprise | T1082 | System Information Discovery | Kwampirs collects OS and system information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version information and system date by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.[2] |
| enterprise | T1016 | System Network Configuration Discovery | Kwampirs collects network adapter and interface information by using the commands ipconfig /all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation.[2] |
| enterprise | T1049 | System Network Connections Discovery | Kwampirs collects a list of active and listening connections by using the command netstat -nao, as well as a list of mapped network drives with net use.[2] |
| enterprise | T1033 | System Owner/User Discovery | Kwampirs collects registered owner details by using the commands systeminfo and net config workstation.[2] |
| enterprise | T1007 | System Service Discovery | Kwampirs collects the list of services hosted by each running process with the command tasklist /svc.[2] |
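The table above is mostly a catalogue of noisy, built-in discovery commands plus a service whose name and display name extend a genuine Windows service. Both are cheap to hunt for in endpoint telemetry. The following is an added detection example written for this page; it is not code from the ATT&CK entry, from the Symantec report, or from any Kwampirs sample. It runs over constructed Sysmon-style event dicts (process creation and service install); the hostnames, PIDs, timestamps, thresholds and the image path of the suspicious service are all assumptions made for the example, as is the assumption that the legitimate service is wmiApSrv / "WMI Performance Adapter".

```python
"""Added detection example for the Kwampirs behaviours tabulated above.

Illustrative code written for this page, not from ATT&CK, Symantec or any
Kwampirs sample. Two checks over simplified Sysmon-style event dicts:
  1. A reconnaissance burst: several of the discovery commands attributed to
     Kwampirs launched by one parent process inside a short window.
  2. A service whose name or display name extends the built-in
     "WMI Performance Adapter" (wmiApSrv) but is not that service.
Event layout, hostnames, PIDs, timestamps, thresholds and the suspicious
service's image path are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the table above, mapped to ATT&CK IDs. Matched
# case-insensitively against the full command line, so direct launches and
# "cmd.exe /c ..." wrappers are both caught.
DISCOVERY_RULES = [
    ("T1087.001", r"\bnet1?(\.exe)?\s+users?\b"),
    ("T1135",     r"\bnet1?(\.exe)?\s+share\b"),
    ("T1201",     r"\bnet1?(\.exe)?\s+accounts\b"),
    ("T1069",     r"\bnet1?(\.exe)?\s+localgroup\b"),
    ("T1018",     r"\bnet1?(\.exe)?\s+view\b"),
    ("T1049",     r"\bnet1?(\.exe)?\s+use\b|\bnetstat(\.exe)?\s+-nao\b"),
    ("T1057",     r"\btasklist(\.exe)?\s+/v\b"),
    ("T1007",     r"\btasklist(\.exe)?\s+/svc\b"),
    ("T1082",     r"\bsysteminfo\b|\bnet1?(\.exe)?\s+config\s+workstation\b"),
    ("T1016",     r"\bipconfig(\.exe)?\s+/all\b|\barp(\.exe)?\s+-a\b|"
                  r"\broute(\.exe)?\s+print\b|\bgetmac\b"),
    ("T1083",     r"\bdir\s+/s\s+/a\s+c:\\"),
]


def classify(cmdline):
    """Return the set of discovery technique IDs a command line matches."""
    cl = cmdline.lower()
    return {tid for tid, rx in DISCOVERY_RULES if re.search(rx, cl)}


def find_recon_bursts(events, window_s=120, min_techniques=5):
    """Alert once per (host, parent PID) whose child processes cover at least
    min_techniques distinct discovery techniques within window_s seconds.
    A lone 'ipconfig /all' from an administrator never reaches the threshold."""
    by_parent = defaultdict(list)
    for ev in events:
        ids = classify(ev["cmdline"])
        if ids:
            by_parent[(ev["host"], ev["parent_pid"])].append((ev["time"], ids))
    window = timedelta(seconds=window_s)
    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, ids in hits[i:]:
                if t - t0 > window:
                    break
                seen |= ids
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "parent_pid": ppid,
                               "start": t0, "techniques": sorted(seen)})
                break  # one alert per parent is enough
    return alerts


# Built-in service (name -> display name) that the page says Kwampirs imitates.
BUILTIN_SERVICES = {"wmiapsrv": "wmi performance adapter"}


def find_masqueraded_services(service_events):
    """Flag a service whose name or display name extends a built-in one
    (e.g. WmiApSrvEx / "WMI Performance Adapter Extension") while the
    service name is not the genuine built-in service."""
    alerts = []
    for ev in service_events:
        name, display = ev["service_name"].lower(), ev["display_name"].lower()
        for legit_name, legit_display in BUILTIN_SERVICES.items():
            lookalike = name.startswith(legit_name) or display.startswith(legit_display)
            if lookalike and name != legit_name:
                alerts.append({"host": ev["host"], "service_name": ev["service_name"],
                               "display_name": ev["display_name"],
                               "image_path": ev["image_path"], "imitates": legit_name})
    return alerts


# --- constructed sample telemetry (not real logs) ---------------------------
T0 = datetime(2024, 1, 15, 9, 0, 0)


def _ev(host, ppid, offset_s, cmdline):
    return {"host": host, "parent_pid": ppid,
            "time": T0 + timedelta(seconds=offset_s), "cmdline": cmdline}


SAMPLE_PROCESS_EVENTS = [
    _ev("WS01", 4120, 0,  "cmd.exe /c net users"),
    _ev("WS01", 4120, 3,  "cmd.exe /c net share"),
    _ev("WS01", 4120, 5,  "cmd.exe /c net accounts"),
    _ev("WS01", 4120, 8,  "cmd.exe /c net localgroup administrators"),
    _ev("WS01", 4120, 11, "cmd.exe /c tasklist /v"),
    _ev("WS01", 4120, 14, "cmd.exe /c net view"),
    _ev("WS01", 4120, 20, "cmd.exe /c ipconfig /all"),
    _ev("WS01", 4120, 25, "cmd.exe /c netstat -nao"),
    _ev("WS01", 4120, 30, 'cmd.exe /c dir /s /a c:\\ >> "C:\\windows\\TEMP\\a1b2.tmp"'),
    _ev("WS02", 700, 0,    "ipconfig.exe /all"),   # isolated admin use
    _ev("WS02", 700, 4000, "netstat.exe -nao"),    # too far apart to be a burst
]

SAMPLE_SERVICE_EVENTS = [
    {"host": "WS01", "service_name": "wmiApSrv",
     "display_name": "WMI Performance Adapter",
     "image_path": r"C:\Windows\System32\wbem\WmiApSrv.exe"},
    {"host": "WS01", "service_name": "WmiApSrvEx",
     "display_name": "WMI Performance Adapter Extension",
     "image_path": r"C:\Windows\Temp\example.exe"},  # placeholder path
]

if __name__ == "__main__":
    for a in find_recon_bursts(SAMPLE_PROCESS_EVENTS):
        print("recon burst:", a)
    for a in find_masqueraded_services(SAMPLE_SERVICE_EVENTS):
        print("masqueraded service:", a)
```

On the constructed sample the burst detector fires once, for the WS01 parent that launched nine distinct discovery techniques in thirty seconds, and stays silent for the two unrelated admin commands on WS02; the service check flags only WmiApSrvEx. Keying the burst on the parent PID rather than the user matters here because Kwampirs runs its commands from its own process, so the parent is the pivot back to the implant; in production the BUILTIN_SERVICES map would be populated from a known-good service inventory rather than the single entry used here.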
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0071 | Orangeworm | [2] |
References
[1] Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.
[2] Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
[3] Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.