ReversingLabs has analyzed clues from attacks by the Kwampirs remote access trojan (RAT) to help software companies defend their organizations against this malware.

Organizations must protect their software development environment and make sure that their suppliers are not compromised, the security firm stated in “Unpacking Kwampirs RAT: From threat hunting to threat intelligence.” Tomislav Peričin, the chief software architect and co-founder at ReversingLabs, wrote the analysis.

The security company used breadcrumbs left in the network configuration to document the malware network infrastructure that supported the attack carried out by the Orangeworm group. Symantec first identified the hackers and their weapon of choice in 2018. In that same year, Symantec also reported that Kwampirs malware was found on many hospital systems, including X-Ray and MRI machines, and on devices patients use to complete consent forms.

The FBI warned recently that attacks employing Kwampirs have now evolved to target companies in the ICS (Industrial Control Systems) sector, and especially the energy sector.


“Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and/or customers, including entities supporting Industrial Control Systems for global energy generation, transmission, and distribution,” the FBI said in a private industry notification as reported by ZDNet in early February.

In addition to attacks against supply chain software providers, the FBI said the same malware was also used in attacks against healthcare, energy, and financial companies.

ReversingLabs states that from the threat analysis viewpoint, the most important part of this malware is its configuration because it is essentially a remote access trojan.

ReversingLabs started with publicly available YARA rules for Kwampirs and matched that information against all samples collected by the Titanium Platform in the last 90 days. Here is what they found.

Understanding the attack

ReversingLabs collected data samples from Kwampirs attacks to write a reliable malware configuration parser that extracts network configurations from the samples.

Each of the Kwampirs samples collected by ReversingLabs came with a set of 200 control server URLs. Malicious operations are usually carried out in campaigns that share the same control server infrastructure.

ReversingLabs was particularly looking for command-and-control (C2) URLs. These URLs are interesting because of how the malware finds active C2 servers. Every sample comes with a hardcoded list of 200 URLs that Kwampirs tries to access in sequential order. The C2 locations are either in the form of domain names or IP addresses. The malware uses the first active URL it finds as the C2 server.

Because the malware configuration is hidden in the installer that drops the DLL onto the system, an unpacker needs to be created to use with the parser. This unpacker decomposes the installation component and extracts the DLL, allowing the parser to collect the necessary C2

Using these two methods, ReversingLabs identified 1,586 URLs. Analyzing these URLs revealed that some of the droppers used the same payload, even though their hashes were different. The only difference among the files was a 64-byte string used for random file name generation. ReversingLabs suggests this means the “new dropper samples recently seen in the cloud are freshly compiled, even though they use the old DLL payloads.”

Understanding the malware design

The next step in the Kwampirs RAT analysis was to group data samples into campaigns to understand how the attack was carried out. Malware attacks often come in waves and use the same control server structure. ReversingLabs was able to organize the sample data files into groups by using two pieces of metadata: rich header information and the file compilation timestamp.

Rich header metadata contains information about the compiling and linking processes. In this case, the rich header showed that all samples were compiled with Visual Studio 2010. The compilation timestamps did not correlate with the samples' first appearance, which was in May 2015 and afterward. In fact, they all appeared to have been compiled a few years before they showed up in the cloud, which probably means the samples were compiled in a virtual machine with deliberately inaccurate timestamps.
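As an added example (not code from ReversingLabs or the article), the following Python reads the COFF compile timestamp from a PE image, flags the "compiled years before first seen" anomaly described above, and clusters samples by that timestamp, the second grouping key the analysis used. The PE headers are constructed in the script for illustration; no real sample bytes are used.

```python
import struct
from datetime import datetime, timedelta, timezone

def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE-like image: a 64-byte DOS header whose e_lfanew (offset 0x3C)
    points at the "PE\\0\\0" signature, followed by a 20-byte COFF file header."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE header at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

def compile_timestamp(pe: bytes) -> datetime:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) as a UTC datetime."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the timestamp.
    ts = struct.unpack_from("<I", pe, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def compile_timestamp_iso(pe: bytes) -> str:
    return compile_timestamp(pe).isoformat()

def timestamp_is_suspicious(pe: bytes, first_seen: str, max_gap_years: int = 1) -> bool:
    """True when the claimed build time predates the first sighting (YYYY-MM-DD) by more
    than max_gap_years: the pattern ReversingLabs attributed to a VM with a forged clock."""
    seen = datetime.strptime(first_seen, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return seen - compile_timestamp(pe) > timedelta(days=365 * max_gap_years)

def group_by_timestamp(samples: dict) -> dict:
    """Cluster sample names by compile timestamp (ISO string) as a campaign-grouping key."""
    groups = {}
    for name, pe in samples.items():
        groups.setdefault(compile_timestamp_iso(pe), []).append(name)
    return groups

if __name__ == "__main__":
    old = build_fake_pe(1330560000)          # 2012-03-01T00:00:00Z, constructed value
    print(compile_timestamp_iso(old), timestamp_is_suspicious(old, "2015-05-01"))
```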

Further analysis confirmed that most of the campaigns were connected by one or multiple control domains.

Improving security defenses

ReversingLabs created a list of indicators of compromise (IOC) based on this Kwampirs RAT analysis. Companies can use these IOCs to create new blocking firewall and intrusion detection rules and to search SIEM logs for infected endpoints.
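As an added example (not code from ReversingLabs or the article), the Python below performs the SIEM-style search described here and also flags the sequential C2 probing described earlier: an endpoint that walks through several listed hosts in quick succession until one answers. The IOC list and proxy log lines are constructed placeholders; real indicators come from the ReversingLabs report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder indicators, standing in for the report's real IOC list.
KWAMPIRS_C2_IOCS = {"c2-alpha.invalid", "c2-bravo.invalid", "c2-charlie.invalid", "203.0.113.77"}

# Constructed proxy log lines: "timestamp src_ip dest_host status".
SAMPLE_PROXY_LOG = """\
2020-02-10T08:00:01 10.0.5.23 updates.vendor.invalid 200
2020-02-10T08:00:02 10.0.5.23 c2-alpha.invalid 503
2020-02-10T08:00:03 10.0.5.23 c2-bravo.invalid 503
2020-02-10T08:00:04 10.0.5.23 c2-charlie.invalid 200
2020-02-10T08:00:09 10.0.7.40 intranet.corp.invalid 200
2020-02-10T09:30:00 10.0.7.40 c2-bravo.invalid 503
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Yield (timestamp, src, dest_host, status); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])

def ioc_hits(text, iocs=KWAMPIRS_C2_IOCS):
    """Every contact with a listed C2 host, keyed by source endpoint (the plain IOC search)."""
    hits = defaultdict(list)
    for ts, src, host, status in parse_log(text):
        if host in iocs:
            hits[src].append((ts, host, status))
    return dict(hits)

def sequential_probers(text, iocs=KWAMPIRS_C2_IOCS, min_hosts=3, window=timedelta(minutes=5)):
    """Endpoints that touch min_hosts+ distinct listed hosts inside one window. The RAT's
    in-order search for the first live server looks like a burst of failures then a success."""
    flagged = set()
    for src, events in ioc_hits(text, iocs).items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            hosts = {h for ts, h, _ in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged.add(src)
                break
    return flagged

def first_live_c2(text, src, iocs=KWAMPIRS_C2_IOCS):
    """First listed host that answered 2xx for src, i.e. the server the RAT would settle on."""
    for ts, host, status in sorted(ioc_hits(text, iocs).get(src, [])):
        if 200 <= status < 300:
            return host
    return None
```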

In a 2018 report about Kwampirs, Symantec stated that once inside a victim’s network, Kwampirs propagates by copying itself over network shares. Symantec speculates that this tactic works best in environments, such as healthcare, that still run older operating systems like Windows XP.