Orangeworm APT And Kwampirs Backdoor

An advanced persistent threat (APT) group has been observed targeting large healthcare organisations throughout Europe, the USA and Asia. Known as Orangeworm, the group use a custom backdoor called Kwampirs.

According to Symantec telemetry, almost 40 percent of Orangeworm’s confirmed victim organizations operate within the healthcare industry.

The group perform extensive research to identify suitable targets; although it is unclear at the time of publication how they compromise devices, with reports indicating spear-phishing emails have been used. Once on a device, Kwampirs will aggressively propagate through the network using SMB. It will copy itself to all network shares and file servers where it will then infect any user who connects to them.

Orangeworm will then target a subset of the infected devices for further scrutiny, exfiltrating any data they deem usable. The motive behind the attacks appears to be the collection of patient data; with infections observed on medical devices such as X-ray machines, GP booking systems and prescription services.

Once Orangeworm has infiltrated a victim’s network, they deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer.

When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.

To ensure persistence, Kwampirs creates a service with the following configuration to ensure that the main payload is loaded into memory upon system reboot:





The backdoor also collects some rudimentary information about the compromised computer including some basic network adapter information, system version information, and language settings. Orangeworm likely uses this information to determine whether the system is used by a researcher or if the victim is a high-value target.

The Trojan Kwampirs opens a back door and connects to the following URLs to download additional files :-

Kwampirs Backdoor Connections

  • www.ikjservjfn.ca/group/main.php?q=[ENCRYPTED DATA]
  • www.fjrjfnjfnikjyhd.biz/users/group/index/default.aspx?q=[ENCRYPTED DATA]
  • www.pbnmainfjrikjikj.nl/main.php?q=[ENCRYPTED DATA]
  • 18.50.115.97/default.asp?q=[ENCRYPTED DATA]
  • ncjpbnyhd.com/newusers/main.php?q=[ENCRYPTED DATA]
  • powerikj.biz/main/default/default.php?q=[ENCRYPTED DATA]
  • servncdnservnrj.info/new/mainlogin.php?q=[ENCRYPTED DATA]
  • www.dswsite.nl/users/main.php?q=[ENCRYPTED DATA]
  • kcnnrjyhdjfn.in/newnew/index/main.aspx?q=[ENCRYPTED DATA]
  • sitekcnnrjsrvpbn.fr/mainhome/index.php?q=[ENCRYPTED DATA]
  • ikjpbnservikjyhd.ca/mainhomemain.aspx?q=[ENCRYPTED DATA]
  • www.jfnnrjservncdn.nl/group/defaultdefaultlogin.asp?q=[ENCRYPTED DATA]
  • 82.19.47.135/group/homeindex.asp?q=[ENCRYPTED DATA]
  • ncdnjfnyhdpbnncj.nl/index/default.aspx?q=[ENCRYPTED DATA]
  • www.fjrdswkcnpowerjfn.nl/users/default.php?q=[ENCRYPTED DATA]
  • 77.52.54.90/default.php?q=[ENCRYPTED DATA]
  • srvdswnrj.nl/groupusers/homehomeindex.asp?q=[ENCRYPTED DATA]
  • dswdswnrj.co/group/mainloginmain.php?q=[ENCRYPTED DATA]
  • 50.96.137.35/main/default.asp?q=[ENCRYPTED DATA]
  • pbnsrv.org/logindefault.php?q=[ENCRYPTED DATA]
  • dswpbnkcnmain.ch/default/default.asp?q=[ENCRYPTED DATA]
  • ncjpowerkcn.fr/login.php?q=[ENCRYPTED DATA]
  • ncdndswjfnsite.com/indexdefault.php?q=[ENCRYPTED DATA]
  • 123.36.79.40/users/main.asp?q=[ENCRYPTED DATA]
  • www.fjrnrjncdnyhdncj.com/new/main/default.asp?q=[ENCRYPTED DATA]
  • 85.103.89.112/new/homemain/main.aspx?q=[ENCRYPTED DATA]
  • 185.86.149.207/index.php?q=[ENCRYPTED DATA]
  • 75.31.30.28/new/main.php?q=[ENCRYPTED DATA]
  • powerfjr.info/usersusers/home/login/main.asp?q=[ENCRYPTED DATA]
  • www.dswfjrncjncdnyhd.nl/users/login/home.php?q=[ENCRYPTED DATA]
  • nrjmainkcnmain.org/newgroup/home.php?q=[ENCRYPTED DATA]
  • 121.99.107.52/groupgroup/default.aspx?q=[ENCRYPTED DATA]
  • dswfjr.nl/groupnew/homedefault/home.php?q=[ENCRYPTED DATA]
  • jfnpowerdsw.tk/indexlogin/main.php?q=[ENCRYPTED DATA]
  • nrjyhdfjrpowerncj.in/login.php?q=[ENCRYPTED DATA]
  • dswsite.com/login.php?q=[ENCRYPTED DATA]
  • powerpbnsitemain.ch/home.php?q=[ENCRYPTED DATA]
  • www.ikjncdn.ch/loginindex.php?q=[ENCRYPTED DATA]
  • 112.120.61.142/users/default/main.aspx?q=[ENCRYPTED DATA]
  • pbnncdnkcnncjikj.org/default.aspx?q=[ENCRYPTED DATA]
  • www.yhdnrjjfnikj.in/users/home.asp?q=[ENCRYPTED DATA]
  • 106.140.87.79/index/loginmain.aspx?q=[ENCRYPTED DATA]
  • nrjyhdncdnncjsrv.biz/main.php?q=[ENCRYPTED DATA]
  • kcnpbn.ch/group/users/login/default.php?q=[ENCRYPTED DATA]
  • dswyhdikjpower.fr/usersusers/index.php?q=[ENCRYPTED DATA]
  • mainkcn.biz/new/loginindexlogin.aspx?q=[ENCRYPTED DATA]
  • dswpowersite.ca/users/home.php?q=[ENCRYPTED DATA]
  • 20.38.100.106/login.php?q=[ENCRYPTED DATA]
  • www.mainnrj.nl/users/index/home.php?q=[ENCRYPTED DATA]
  • ikjjfn.biz/default/homelogin.php?q=[ENCRYPTED DATA]
  • nrjserv.com/group/default.aspx?q=[ENCRYPTED DATA]
  • kcnkcnmainservjfn.info/homehome/default.php?q=[ENCRYPTED DATA]
  • fjrpbn.in/users/default.aspx?q=[ENCRYPTED DATA]
  • www.srvservikjdswnrj.in/index/home.aspx?q=[ENCRYPTED DATA]
  • dswyhdpbnyhd.com/group/users/loginindex.php?q=[ENCRYPTED DATA]
  • servjfnservjfndsw.nl/group/main.asp?q=[ENCRYPTED DATA]
  • 35.72.47.18/users/users/home/indexindex.php?q=[ENCRYPTED DATA]
  • powerserv.nl/new/main.asp?q=[ENCRYPTED DATA]
  • 98.106.41.39/groupusers/index.asp?q=[ENCRYPTED DATA]
  • dswsitemain.in/home.asp?q=[ENCRYPTED DATA]
  • ikjyhd.nl/default/loginlogin.php?q=[ENCRYPTED DATA]
  • srvmainkcnsite.biz/indexloginhome.asp?q=[ENCRYPTED DATA]
  • servsiteyhdjfnserv.co/group/default.php?q=[ENCRYPTED DATA]
  • yhdncjsitefjr.tk/homelogin.aspx?q=[ENCRYPTED DATA]
  • www.sitencjdswyhdserv.nl/loginhomemain.php?q=[ENCRYPTED DATA]
  • kcnncjnrjnrjfjr.in/group/default/main/home.php?q=[ENCRYPTED DATA]
  • www.kcnyhd.ro/group/group/login/main/home.php?q=[ENCRYPTED DATA]
  • 77.42.100.90/usersgroup/home.asp?q=[ENCRYPTED DATA]
  • ikjpowersrvdswsrv.com/main.php?q=[ENCRYPTED DATA]
  • 64.116.80.23/newusers/homemain/home.php?q=[ENCRYPTED DATA]
  • 66.102.139.145/users/default/main.aspx?q=[ENCRYPTED DATA]
  • 74.59.119.64/defaultdefaultlogin.php?q=[ENCRYPTED DATA]
  • www.jfnncj.org/new/users/homeindex.aspx?q=[ENCRYPTED DATA]
  • jfndsw.fr/new/loginhome.php?q=[ENCRYPTED DATA]
  • fjrsitesite.nl/group/mainindexlogin.php?q=[ENCRYPTED DATA]
  • 32.22.134.10/groupusers/default.php?q=[ENCRYPTED DATA]
  • www.dswkcnncdnsrv.info/group/new/index.php?q=[ENCRYPTED DATA]
  • www.pbnmainkcn.cn/users/users/default.php?q=[ENCRYPTED DATA]
  • 97.11.88.108/login.php?q=[ENCRYPTED DATA]
  • 5.27.122.119/users/users/homeindex/login.php?q=[ENCRYPTED DATA]
  • www.nrjfjrkcnsite.org/index/defaultlogin.php?q=[ENCRYPTED DATA]
  • yhdncj.biz/new/default/home.aspx?q=[ENCRYPTED DATA]
  • www.srvfjrncj.ru/users/group/index/login/default?q=[ENCRYPTED DATA]

C&C Servers

65.116.107.24

13.44.61.126

56.28.111.63

118.71.138.69

117.32.65.101

18.25.62.70

92.137.43.17

33.25.72.21

16.48.37.37

91.29.51.11

Affected Platforms

Microsoft Windows – All versions

Medical Devices




Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: