COVID-19 scams: FBI warns of ‘Kwampirs’ attacks

The Federal Bureau of Investigation (FBI) has sent a security alert to the U.S. private sector about an ongoing hacking campaign that’s targeting supply chain software providers. the FBI says hackers are attempting to infect companies with the Kwampirs malware, a remote access trojan (RAT).

Cybercriminals and nation-state actors alike are leveraging the COVID-19 pandemic to weasel personal informational, financial data, dollars and access to systems from their victims, from consumers to healthcare organizations and supply chain companies, the FBI warned this week in a pair of alerts.

For the third time in as many months, the FBI called out state-sponsored hackers who are using Kwampirs malware in supply chain and healthcare-related attacks. In a two-phase campaign the miscreants launch a broad attack on a network, where they’ve been found to reside for as long as three years, delivering and executing secondary malware payloads. During the second phase the campaign delivers additional Kwampirs components or malicious payloadsallow.

For the healthcare sector, the Kwampirs operations have been highly effective. The threat actors have gained broad and sustained access to those targeted entities, ranging from “major transnational healthcare companies to local hospital organizations.

Hackers have managed to locally infect machines, as well as enterprise malware infections. “During these campaigns, the Kwampirs RAT performed daily command and control communications with malicious IP addresses and domains that were hard-coded in the Kwampirs RAT malware,” officials wrote.

The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products,” they added. “Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.”

The attacks use a two-phased approach. First, the hacker will establish a broad and persistent presence on the targeted network, which includes the delivery and execution of secondary malware payloads. Next, the threat actors deliver additional Kwampirs components or malicious payloads for further exploitation of the victims’ network.

The FBI warns that hackers have managed to successfully fain and sustain persistent presence on victim networks between three to 36 months, then deployed a targeted secondary module to perform detailed reconnaissance.

The Kwampirs malware was first described in a report published by US cyber-security firm Symantec in April 2018. At the time, Symantec said a group codenamed Orangeworm had used the Kwampirs malware to similarly target supply chain companies that provided software for the healthcare sector. The FBI, however, claims that new evidence from code analysis suggests that Kwampirs contains “numerous similarities” with Shamoon, an infamous data-wiping malware.

While the Kwampirs RAT has not been observed incorporating a wiper component, comparative forensic analysis has revealed the Kwampirs RAT as having numerous similarities with the data destruction malware Disttrack (commonly known as Shamoon),” the FBI said. The Shamoon malware has been used in multiple data. -wiping attacks against companies in the energy sector, and more specifically, in the oil & gas fields. The FBI urged companies to scan networks for any signs of Kwampirs and report any infections.

In another alert the FBI warned consumers that “scammers are leveraging the COVID-19 pandemic to steal your money, your personal information, or both” through fake CDC and phishing emails and by offering counterfeit treatments or equipment.”