The OrangeWorm group was named and described by Symantec in several blog entries [1] [2]. From those entries we would highlight that the group has been active since 2015 and focuses on attacking the healthcare, pharmaceutical, technology, manufacturing and logistics sectors, with healthcare the most affected sector, as Symantec describes.
Based on this information, Lab52 has carried out an in-depth study of the Kwampirs tool (OrangeWorm’s main tool) used by this group.
Next, the RAT (Remote Administration Tool) in DLL format and the main binary, the orchestrator of the infection, will be analyzed.
Technical analysis of Kwampirs Dropper
Within its arsenal, OrangeWorm has a RAT in DLL format whose execution and lateral movement are handled by a separate executable; together, these two components make up the threat known as Kwampirs.
Regarding the executable, which we will call the "Kwampirs Dropper", we first highlight its resources, among which are two images with corrupt sections. One of them contains the DLL with RAT capabilities, encrypted with an XOR key; on each execution the dropper extracts, decrypts and executes it.
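As an added example (not Lab52's code and not part of the original post), the following Python scans a resource blob for a PE image hidden under a single-byte XOR key, the kind of triage check an analyst would run over the dropper's image resources to confirm and recover the embedded DLL. The one-byte key length, the fake BMP prefix and the sample PE header are assumptions constructed here; the post does not state the key or its length.

```python
import struct
from typing import Optional, Tuple

def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_xored_pe(blob: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Brute-force a single-byte XOR key over a resource blob and look for an
    embedded PE image. Returns (key, offset, decoded_payload) or None.
    Assumption: a one-byte key (the post does not state the key length);
    widen the loop if a real sample shows a longer key."""
    for key in range(256):
        marker = bytes((0x4D ^ key, 0x5A ^ key))  # 'MZ' as it appears under this key
        pos = blob.find(marker)
        while pos != -1:
            candidate = bytes(b ^ key for b in blob[pos:])
            if looks_like_pe(candidate):           # header structure must also check out
                return key, pos, candidate
            pos = blob.find(marker, pos + 1)
    return None

def build_sample() -> Tuple[bytes, int]:
    """Constructed test input: a fake BMP prefix followed by a minimal PE
    header XOR-encoded with key 0x5A. Not real malware data."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew -> 0x80
    pe = bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 32  # Machine = i386, padding
    key = 0x5A
    encoded = bytes(b ^ key for b in pe)
    return b"BM" + b"\x00" * 14 + encoded, key

if __name__ == "__main__":
    blob, _ = build_sample()
    hit = find_xored_pe(blob)
    if hit:
        machine = struct.unpack_from("<H", hit[2], 0x84)[0]
        print(f"key=0x{hit[0]:02x} offset={hit[1]} machine=0x{machine:04x}")
```

Dumping the recovered payload to disk and hashing it gives a stable indicator for the DLL even when the dropper's resource bytes differ between samples.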