| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Kwampirs creates a new service named WmiApSrvEx to establish persistence.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Kwampirs decrypts and extracts a copy of its main DLL payload when executing.[1] |
| Enterprise | T1008 | Fallback Channels | Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established.[1] |
| Enterprise | T1201 | Password Policy Discovery | Kwampirs collects password policy information with the command |
| Enterprise | T1083 | File and Directory Discovery | Kwampirs collects a list of files and directories in C:\ with the command |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Kwampirs collects a list of users belonging to the local users and administrators groups with the commands |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Kwampirs collects a list of domain groups with the command |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.[3] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Kwampirs uses rundll32.exe in a Registry value added to establish persistence.[1] |
| Enterprise | T1082 | System Information Discovery | Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands |
| Enterprise | T1033 | System Owner/User Discovery | Kwampirs collects registered owner details by using the commands |
| Enterprise | T1007 | System Service Discovery | Kwampirs collects a list of running services with the command |
| Enterprise | T1049 | System Network Connections Discovery | Kwampirs collects a list of active and listening connections by using the command |
| Enterprise | T1016 | System Network Configuration Discovery | Kwampirs collects network adapter and interface information by using the commands |
| Enterprise | T1135 | Network Share Discovery | Kwampirs collects a list of network shares with the command |
| Enterprise | T1087.001 | Account Discovery: Local Account | Kwampirs collects a list of accounts with the command |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1057 | Process Discovery | Kwampirs collects a list of running services with the command |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Kwampirs copies itself over network shares to move laterally on a victim network.[1] |
| Enterprise | T1018 | Remote System Discovery | Kwampirs collects a list of available servers with the command |
| ID | Name | References |
|---|---|---|
| G0071 | Orangeworm | |