New Backdoor Malware Has Been Spying on the Healthcare Sector

Oh man, this is gonna be a doozy for the Healthcare Industry. A cybercriminal group has started to make their rounds and attack the Medical Sector once again. This time, however, it’s done in order to conduct espionage rather than destroying the infrastructure.

These targeted attacks are carried out against a small number of selected organizations as well as the supply chains which serve them, with the tactics and use of custom malware suggesting the attacks are the work of an a cybercriminal group working for its own ends – not that of a government.

This attack was found by our good friends at Symantec who has identified the group called “Orangeworm” and identified the custom backdoor Trojan.Kwampirs. This backdoor targets the aforementioned groups for the sake of corporate espionage.

“The targeting of large multinational corporations that work directly in or related to the healthcare space has been a consistent theme with Orangeworm since their discovery,” Alan Neville, Threat Researcher at Symantec told ZDNet.

This virus has been found in many of the machines used within the Healthcare Sector. These machines include X-Ray and MRI machines among tools that assist patients in completing consent forms. However, the focus of the attack doesn’t seem to be stealing the information, rather how these machines work.

“We have no evidence to suggest that the attackers copied images. It’s more likely the group are interested in learning how these devices operate,” said Neville. As such, it’s heavily suggested that this attack is rather a work of reconnaissance.

According to Symantec Telemetry, almost 40 percent of Orangeworm’s confirmed victim organizations operate within the healthcare industry. Not only that but if you look at the graph below, you will see that the affected parties spread across multiple sections of the world.

This backdoor malware is also capable of performing activities that prevent it from being located by Anti-Virus software. As such, it could be considered a Polymorphic worm due to the way it works, making it a bigger threat than before.

Thankfully, the method of prevention from contamination is quite simple. All the user needs to do is use security software and keeping anti-virus software up to date. However, affected users might want to consult with specialists before risking any more information leaks.