The FBI recently issued a security warning to private organizations in the U.S. about an ongoing hacking campaign targeting software supply chain companies. According to a source, the attackers are targeting companies with a remote access trojan (RAT) tracked as “Kwampirs”.
“Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution,” the FBI said in a media statement.
Apart from attacks on supply chain software providers, hackers also deployed Kwampirs malware in attacks against companies in the health care, energy, and financial sectors. The FBI alert didn’t name the targeted software providers or any other victims of Kwampirs malware. However, it shared IOCs (indicators of compromise) and YARA rules so that companies can scan their networks for signs of the Kwampirs malware used in the recent attacks. The FBI urged organizations to scan their networks for any signs of the Kwampirs malware and to report any they find.
Kwampirs malware was first discovered by Symantec in April 2018. It’s said that a hacking group named Orangeworm used Kwampirs to attack health care, pharmaceutical, IT, manufacturing, agriculture, and logistics companies.
Updated Version of Shamoon Malware
The FBI claims that Kwampirs malware has numerous similarities with “Shamoon”, a data-wiping malware developed by the APT33 hacking group. Once injected, Shamoon malware destroys data, disrupts operations, and can lead to the hijacking of an organization’s network.
The agency also stated that attacks which employ Kwampirs have now targeted companies in the ICS (Industrial Control Systems) sector. The FBI said, “While the Kwampirs RAT has not been observed incorporating a wiper component, comparative forensic analysis has revealed the Kwampirs RAT as having numerous similarities with the data destruction malware Disttrack, commonly known as Shamoon.”