March 26, 2020
The ICS sector is under attack.
According to the Federal Bureau of Investigation (FBI), a new security threat is on the horizon for those in the Industrial Control System (ICS) sector. While the Kwampirs remote access Trojan (or RAT) is not new, it is now targeting ICS companies and especially the energy sector. The FBI alert urges companies to take action against this dangerous malware, and Castra is here to help.
Like other remote access Trojans, Kwampirs is malware that creates a backdoor into an infected network to gain access to administrative privileges on the system. These privileges allow the attacker to download and install other types of malware that could steal information, control systems, and otherwise disrupt company business. RATs are hard to detect because they carry out actions similar to legitimate applications.
Kwampirs isn’t new, but its target has changed. The threat was first discovered in 2018 by Symantec, who noted a threat group codenamed Orangeworm had used the malware to target supply chain companies providing software for the healthcare sector. Orangeworm was first identified in January 2015, conducting targeted attacks against organizations in industries related to healthcare as part of a larger supply-chain attack. Known victims included healthcare providers, pharmaceuticals, IT solution providers, equipment manufacturers that serve the healthcare industry, logistics, and even agriculture – seemingly unrelated except for the link to healthcare providers.
The malware is now being deployed against software supply chain companies linked to “strategic partners and/or customers supporting ICS for global energy generation, transmission, and distribution,” according to the FBI’s private industry notification. This alert was released only to private industry entities, not the general public.
The FBI alert also warned that the current deployment of Kwampirs contains numerous similarities with Disttrack (commonly known as Shamoon), a data-wiping malware developed by Iranian-linked hacking group APT33. The Shamoon malware destroys data, disrupts operations, and can lead to hijacking the organization’s network. However, according to the FBI alert, the Kwampirs RAT has not been observed incorporating a wiper component.
The real danger of RATs is their invisibility in a world full of legitimate remote access to networks and hosts. Within this framework, RATs like Kwampirs are able to operate undiscovered, hiding in plain sight. For Kwampirs, specifically, the threat is amplified because hackers are using digital supply chain infections as a distribution means. Distribution in this manner opens the door for widespread deployment of the malware.
In fact, the pathways and services that RATs exploit remain open and hard to monitor for many organizations. While signatures exist for the detection of the most common RATs, skilled attackers can easily customize them or build their own to avoid exposure.
The FBI alert did not identify either the targeted companies or other victims of this latest attack, but it did share Indicators of Compromise (IOCs) and YARA rules for detecting a Kwampirs RAT infection. Most importantly, the FBI urged companies to scan their networks for any sign of Kwampirs and to stay vigilant in their prevention of malware in general. Steps toward that vigilance include:
- Employing an advanced malware detection system to regularly scan networks for potential attacks.
- Making sure individuals remain alert for malware attacks, as well. Some of the most common tactics include phishing emails with malicious links, or links sent in text messages. Companies should warn employees not to click on anything that doesn’t come from a trusted sender.
- Ensuring that employees know not to visit or click through websites that have not been whitelisted by your company.
- Enlisting the aid of security experts to take on the daunting task of vigilance against all types of malware threats.
Are you concerned about your own company? Castra can help. Reach out to us to learn more about our malware detection and prevention solutions.