Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Kwampirs
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Kwampirs
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Kwampirs

Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.(Citation: Symantec Orangeworm April 2018) Kwampirs has multiple technical overlaps with Shamoon based on reverse engineering analysis.(Citation: Cylera Kwampirs 2022)
ID: S0236
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 17 Oct 2018
Last Modified: 11 Apr 2024

Techniques Used
Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Kwampirs collects a list of accounts with the command net users.(Citation: Symantec Orangeworm April 2018)
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Kwampirs creates a new service named WmiApSrvEx to establish persistence.(Citation: Symantec Orangeworm April 2018)
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.(Citation: Symantec Orangeworm April 2018)
Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.(Citation: Symantec Orangeworm April 2018)
.013 Obfuscated Files or Information: Encrypted/Encoded File

Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.(Citation: Symantec Security Center Trojan.Kwampirs)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Kwampirs collects a list of users belonging to the local users and administrators groups with the commands net localgroup administrators and net localgroup users.(Citation: Symantec Orangeworm April 2018)
.002 Permission Groups Discovery: Domain Groups

Kwampirs collects a list of domain groups with the command net localgroup /domain.(Citation: Symantec Orangeworm April 2018)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Kwampirs copies itself over network shares to move laterally on a victim network.(Citation: Symantec Orangeworm April 2018)
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Kwampirs uses rundll32.exe in a Registry value added to establish persistence.(Citation: Symantec Orangeworm April 2018)

Groups That Use This Software
ID Name References
G0071 Orangeworm

(Citation: Symantec Orangeworm April 2018)

References

  1. Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.
  2. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  3. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.