FBI Reports APT Group Using Kwampirs Malware to Infect Computers for Years Before Detection
The US Federal Bureau of Investigations (FBI) issued an alert the states that an Advanced Persistent Threat (APT) group is using Kwampirs Remote Access Trojan (RAT). The malware may infect IT systems by gaining access through third-party supply chain vendors. Kwampirs malware has been noted as persisting on network from three months to three years before detection. The malware attacks have been effective at gaining broad and sustained access to targeted entities computers and IT networks.
Previous alerts have covered YARA rules to identify, sort, and classify malware, and indicators of compromise, or IOCs. Coronavirus thened malware attacks have increased
This FBI alert states, “The Kwampirs RAT is a modular RAT worm that gains system access to victim machines and networks, with the primary purpose of gaining broad, yet targeted, access to victim companies to enable follow-on computer network exploitation (CNE) activities.”
The goal of Kwampirs RAT is to acquire access to computers and IT networks for future follow-on computer network exploitation (CNE) activities. The APT group attacks companies in the United States, Europe, Asia, and the Middle East. Typical targeted industries include healthcare, software supply chain, energy sectors, and engineering firms but may also include financial institutions and major law firms. This malware has been around since about 2016.
Healthcare Sector targets range from major transnational healthcare companies to local hospital organizations and may target a few computers or the entire network. In these attacks, hospitals are compromised through vendor software supply chain and hardware products.
These cyberattacks target vendors in the imaging industry – networked document scanners and copiers – that have access to customer networks. The access required but the vendor’s equipment is targeted with malware to gain access to customers’ IT networks. Kwampirs RAT is modular and may download other malware payloads as move laterally across the infected network and spread to more computers.
Global imaging business products and services in the Enterprise Resource Planning (ERP) industry or that handle ICS maintenance functions may serve multiple industries like the healthcare and energy sectors, making them ideal targets for this APT group.
Hackers take advantage of mergers and acquisition and during the software co-development processes. The software supply chain vendor’s devices may be infected, and the malware is passed along to the devices installed on the customer’s network or cloud infrastructure.
To Defend Against Malware and Other Cyber Attacks, the FB Recommends Best Practices for Network Security and Defense:
- Schedule regular updates to applications and the host operating system
- Keep a copy of backups offline with a “known good” version
- Implement a least-privileges policy to help stop hackers and malware from escalating privileges
- Conduct regular system and application vulnerability scans
- Deploy a Web application firewall
