forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathorangeworm_attack_group.yml
42 lines (39 loc) · 2.2 KB
/
orangeworm_attack_group.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
name: Orangeworm Attack Group
id: bb9f5ed2-916e-4364-bb6d-97c370efcf52
version: 2
date: '2020-01-22'
author: David Dorsey, Splunk
description: Detect activities and various techniques associated with the Orangeworm
Attack Group, a group that frequently targets the healthcare industry.
narrative: 'In May of 2018, the attack group Orangeworm was implicated for installing
a custom backdoor called Trojan.Kwampirs within large international healthcare corporations
in the United States, Europe, and Asia. This malware provides the attackers with
remote access to the target system, decrypting and extracting a copy of its main
DLL payload from its resource section. Before writing the payload to disk, it inserts
a randomly generated string into the middle of the decrypted payload in an attempt
to evade hash-based detections.\
Awareness of the Orangeworm group first surfaced in January, 2015. It has conducted
targeted attacks against related industries, as well, such as pharmaceuticals and
healthcare IT solution providers.\
Healthcare may be a promising target, because it is notoriously behind in technology,
often using older operating systems and neglecting to patch computers. Even so,
the group was able to evade detection for a full three years. Sources say that the
malware spread quickly within the target networks, infecting computers used to control
medical devices, such as MRI and X-ray machines.\
This Analytic Story is designed to help you detect and investigate suspicious activities
that may be indicative of an Orangeworm attack. One detection search looks for command-line
arguments. Another monitors for uses of sc.exe, a non-essential Windows file that
can manipulate Windows services. One of the investigative searches helps you get
more information on web hosts that you suspect have been compromised.'
references:
- https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
- https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/
tags:
analytic_story: Orangeworm Attack Group
category:
- Malware
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection