Introduction
Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. [Symantec Orangeworm April 2018] Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon. [Cylera Kwampirs 2022]
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
ATT&CK technique IDs (denormalized)
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Backdoor.Oldrea
- Trojan.Karagany
- Unknown Logger
- Trojan.Mebromi
- UNITEDRAKE
- Kwampirs backdoor
MITRE ATT&CK Software
- Kwampirs (S0236) – malware
- netstat (S0104) – tool
- Net (S0039) – tool
- ipconfig (S0100) – tool
- cmd (S0106) – tool
- route (S0103) – tool
- Arp (S0099) – tool
- Systeminfo (S0096) – tool
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack
[3] Cylera Kwampirs 2022: Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.
[4] Symantec Orangeworm April 2018: Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.