1. Home
  2. Groups
  3. Orangeworm

Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[1] Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.[2]

ID: G0071
Contributors: Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre
Version: 2.0
Created: 17 October 2018
Last Modified: 10 April 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Orangeworm has used HTTP for C2.[3]
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.[1]

Software

ID Name References Techniques
S0099 Arp [1] Remote System Discovery, System Network Configuration Discovery
S0106 cmd [1] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery
S0100 ipconfig [1] System Network Configuration Discovery
S0236 Kwampirs [1] Account Discovery: Local Account, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Fallback Channels, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Binary Padding, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery
S0039 Net [1] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [1] System Network Connections Discovery
S0103 route [1] System Network Configuration Discovery
S0096 Systeminfo [1] System Information Discovery

References

  1. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  2. Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.
  1. Symantec Security Response Attack Investigation Team. (2018, April 23). Orangeworm: Indicators of Compromise. Retrieved July 8, 2018.