GROUPS
  1. Home
  2. Groups
  3. Orangeworm

Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. [1]

ID: G0071
Aliases: Orangeworm
Contributors: Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre

Version: 1.0

Alias Descriptions

NameDescription
Orangeworm[1]

Techniques Used

DomainIDNameUse
EnterpriseT1071Standard Application Layer ProtocolOrangeworm has used HTTP for C2.[2]
EnterpriseT1077Windows Admin SharesOrangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.[1]

Software

IDNameTechniques
S0099ArpSystem Network Configuration Discovery
S0106cmdCommand-Line Interface, File and Directory Discovery, File Deletion, Remote File Copy, System Information Discovery
S0100ipconfigSystem Network Configuration Discovery
S0236KwampirsAccount Discovery, Binary Padding, Deobfuscate/Decode Files or Information, Fallback Channels, File and Directory Discovery, Masquerading, Network Share Discovery, New Service, Obfuscated Files or Information, Password Policy Discovery, Permission Groups Discovery, Process Discovery, Remote File Copy, Remote System Discovery, Rundll32, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, Windows Admin Shares
S0039NetAccount Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0104netstatSystem Network Connections Discovery
S0103routeSystem Network Configuration Discovery
S0096SysteminfoSystem Information Discovery

References

  1. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  1. Symantec Security Response Attack Investigation Team. (2018, April 23). Orangeworm: Indicators of Compromise. Retrieved July 8, 2018.