First discovered in January 2015, Orangeworm has also launched targeted attacks on companies in related industries as part of an attack on larger supply chains in order to reach their primary target.
Victims known to have been infected in this campaign include healthcare providers, pharmaceutical companies, IT solution providers for the healthcare industry, and medical equipment manufacturers, which Orangeworm likely targeted for the purpose of corporate espionage.
Based on the list of infected victims, Orangeworm does not select its target randomly or perform opportunistic hacking.
Instead, the group appears to choose its targets carefully and deliberately, planning well before launching an attack.
According to Symantec telemetry, nearly 40 percent of the companies victimised by Orangeworm operate in the healthcare industry. The Kwampirs malware has been found on machines running software used to operate and control high-tech imaging devices such as X-ray and MRI machines.
In addition, Orangeworm is known to take an interest in machines used to help patients fill out consent forms for the various required procedures. The real motive behind this group's attacks remains unclear.
The largest share of Orangeworm victims is in the US, accounting for 17 percent of all attacks by region.
Although Symantec telemetry shows Orangeworm infecting only a small number of victims in 2016 and 2017, we have observed infections in several other countries because the victims include large international corporations.
We believe these industries are also targeted as part of an attack on the larger supply chain, giving Orangeworm a path to its primary healthcare-related victims.
Once Orangeworm has infiltrated a victim's network, it deploys Trojan.Kwampirs, a backdoor Trojan that gives the attackers remote access to the compromised computers.
When executed, Kwampirs decrypts and extracts a copy of its primary DLL payload from the resource section. Before writing the payload to disk, the Trojan inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detection.
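To show what the mid-payload padding described above does to a defender's indicators, here is an added example (not Symantec's analysis code, and not real Kwampirs bytes): a constructed stand-in payload is padded with random junk the way the text describes, and a whole-file hash IOC is compared against a signature on stable content. The payload, the signature fragment and the padding routine are all constructed assumptions for the demonstration.

```python
import hashlib
import random

# Constructed stand-in for the decrypted DLL payload; not real Kwampirs bytes.
PAYLOAD = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"constructed-payload-" * 8

# Hypothetical stable fragment an analyst would carve from the unpadded payload.
SIGNATURE = b"constructed-payload-constructed-payload-"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The file-hash indicator a defender would receive for the first captured sample.
KNOWN_BAD_HASH = sha256(PAYLOAD)


def pad_in_middle(payload: bytes, junk: bytes) -> bytes:
    """Model of the behaviour described above: junk goes into the middle of the
    decrypted payload, so every copy written to disk carries a fresh hash."""
    mid = len(payload) // 2
    return payload[:mid] + junk + payload[mid:]


def hash_ioc_match(data: bytes) -> bool:
    """Whole-file hash comparison, as used by simple IOC blocklists."""
    return sha256(data) == KNOWN_BAD_HASH


def content_match(data: bytes) -> bool:
    """YARA-style match on stable content; survives the inserted junk."""
    return SIGNATURE in data


def evaluate(variants: int = 5, seed: int = 7) -> dict:
    """Generate padded variants and count how each detector fares."""
    rng = random.Random(seed)
    hashes, hash_hits, content_hits = set(), 0, 0
    for _ in range(variants):
        junk = bytes(rng.getrandbits(8) for _ in range(rng.randint(8, 32)))
        sample = pad_in_middle(PAYLOAD, junk)
        hashes.add(sha256(sample))
        hash_hits += int(hash_ioc_match(sample))
        content_hits += int(content_match(sample))
    return {"variants": variants, "distinct_hashes": len(hashes),
            "hash_ioc_hits": hash_hits, "content_hits": content_hits}


if __name__ == "__main__":
    print(evaluate())
```

Every padded copy gets a distinct hash and misses the file-hash IOC, while the content signature still fires on all of them; that is why behaviour- and content-based rules, not file hashes alone, are the reliable indicator for this family.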