Threat Advisory: Kwampirs Trojan Campaign Continues
April 7, 2020
The FBI's Cyber Division has re-released a January Flash report for the Kwampirs Remote Access Trojan (RAT). The primary target industries are healthcare, software supply chain, energy, and engineering industries, and the secondary targets are financial institutions and law firms.
Kwampirs employs a two-phase approach. According to the FBI's Private Industry Notification, "the first phase establishes a broad and persistent presence on the targeted network, to include delivery and execution of secondary malware payload(s). The second phase includes the delivery of additional Kwampirs components or malicious payload(s) to further exploit the infected victim host(s)."
During the first phase, the Kwampirs trojan uses hidden admin shares to propagate via SMB port 445. In the second phase, which is targeted towards valuable devices (e.g. domain controllers, engineering/ICS test servers, etc.), all command and control communication is sent to the server using HTTP GET requests on port 80.
While no destructive component has been found within Kwampirs, there are code-based similarities with the destructive Shamoon malware.
Thus far, threat actors have successfully executed the Kwampirs campaign against national and local healthcare institutions globally. It was assessed that the group gained access through vendor software supply chain and hardware products. Additionally, it has been found that their presence in victim networks has ranged from 3 months to 3 years.
Kwampirs Trojan Indicators of Compromise (IOCs)
- Service name: WmiApSrvEx
- Service display name: WMI Performance Adapter Extension
- Registry key: SYSTEM\CurrentControlSet\Services \WmiApSrvEx
- Service image path: %SystemRoot%\system32\**Executable Filename**
The FBI has also identified the following Kwampirs executable filenames.
Kwampirs RAT Executable Files - Found in: c:\windows\system32\
Herjavec Group recommends the following best practices to defend against the Kwampirs trojan:
- Deploy regular updates to operating systems and applications
- Institute a good backup program, with offline backups, for servers
- Enable monitoring for system alterations with file integrity checking
- Implement a least-privilege policy on servers
- Use secure configurations on web servers by disabling/blocking unused services and ports. This also includes whitelisting and/or blocking external access to admin consoles and changing default credentials
- Deploy a web application firewall and ensure virus definitions are kept up-to-date
- Regularly conduct system and application scans to identify known risks/vulnerabilities
For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.
To learn more about how Herjavec Group can help you secure your environment, please connect with us.