Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. [1]

ID: G0071
Contributors: Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain / ID / Name / Use

Enterprise  T1071.001  Application Layer Protocol: Web Protocols
  Use: Orangeworm has used HTTP for C2. [2]

Enterprise  T1021.002  Remote Services: SMB/Windows Admin Shares
  Use: Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS. [1]

Software

ID / Name / References / Techniques

S0099  Arp  [1]
  Techniques: System Network Configuration Discovery

S0106  cmd  [1]
  Techniques: Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery

S0100  ipconfig  [1]
  Techniques: System Network Configuration Discovery

S0236  Kwampirs  [1]
  Techniques: Account Discovery: Local Account, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Fallback Channels, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Network Share Discovery, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Process Discovery, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery

S0039  Net  [1]
  Techniques: Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery

S0104  netstat  [1]
  Techniques: System Network Connections Discovery

S0103  route  [1]
  Techniques: System Network Configuration Discovery

S0096  Systeminfo  [1]
  Techniques: System Information Discovery

References

  1. Symantec Security Response Attack Investigation Team. (2018, April 23). Orangeworm: Indicators of Compromise. Retrieved July 8, 2018.