Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[1] Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.[2]

ID: G0071
Contributors: Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre
Version: 2.0
Created: 17 October 2018
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Orangeworm has used HTTP for C2.[3]

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$\WINDOWS, D$\WINDOWS, and E$\WINDOWS.[1]
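The admin-share procedure above is the one that leaves the clearest host telemetry: every write through ADMIN$ or a drive share is evaluated in Windows Security event 5145. The hunt below is an added example, not code from MITRE ATT&CK or from any of the cited reports. It assumes 5145 events have been exported one JSON object per line with the event's own field names (Computer, IpAddress, SubjectUserName, ShareName, RelativeTargetName, AccessMask); the sample events, the file name update.dll and the host names are constructed for illustration. It flags writes of executable files into a Windows directory via an administrative share and then groups hits by source address, because a single source staging the same payload on several hosts is the lateral-movement pattern the text describes.

```python
"""Hunt for backdoor staging over Windows admin shares (ATT&CK T1021.002).

Added example; not code from MITRE ATT&CK, Symantec, or any cited report.
It assumes Windows Security event 5145 ("A network share object was checked
to see whether client can be granted desired access") has been exported one
JSON object per line, keeping the event's own field names: Computer (the
host that logged it), IpAddress, SubjectUserName, ShareName,
RelativeTargetName and AccessMask.
"""
import json
import re
from collections import defaultdict

# Shares the cited report says Orangeworm copied its backdoor to.
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}

# File types that can carry a backdoor; Kwampirs is delivered as a DLL.
PAYLOAD_EXT = re.compile(r"\.(exe|dll|sys|bat|cmd|ps1)$", re.IGNORECASE)

# AccessMask bits that modify the target: WriteData/AddFile, AppendData, DELETE.
WRITE_BITS = 0x2 | 0x4 | 0x10000


def is_suspicious(evt):
    """True if the event is a write of an executable into a Windows
    directory reached through an administrative share."""
    share = evt["ShareName"].rsplit("\\", 1)[-1].upper()   # "\\*\C$" -> "C$"
    if share not in ADMIN_SHARES:
        return False
    target = evt["RelativeTargetName"].replace("/", "\\")
    # ADMIN$ is already rooted at %SystemRoot%; on a drive share the path
    # has to start with Windows\ to land in the same place.
    in_windows = share == "ADMIN$" or target.upper().startswith("WINDOWS\\")
    wants_write = int(evt["AccessMask"], 16) & WRITE_BITS
    return bool(in_windows and wants_write and PAYLOAD_EXT.search(target))


def hunt(lines):
    """Return (flagged, spreaders).

    flagged   - the suspicious events, in input order
    spreaders - source IP -> sorted hosts, for any source that staged a
                payload on two or more hosts (lateral-movement pattern)
    """
    events = [json.loads(line) for line in lines if line.strip()]
    flagged = [e for e in events if is_suspicious(e)]
    hosts_by_source = defaultdict(set)
    for e in flagged:
        hosts_by_source[e["IpAddress"]].add(e["Computer"])
    spreaders = {ip: sorted(h) for ip, h in hosts_by_source.items() if len(h) >= 2}
    return flagged, spreaders


def _evt(computer, ip, user, share, target, mask):
    return json.dumps({"Computer": computer, "IpAddress": ip, "SubjectUserName": user,
                       "ShareName": share, "RelativeTargetName": target, "AccessMask": mask})


# Constructed sample telemetry, not real events. 10.0.0.5 drops the same DLL
# on two hosts (ADMIN$ on HOST-A, C$\Windows on HOST-B) and only reads it
# back on a third; the other sources are ordinary file-share traffic.
SAMPLE_EVENTS = [
    _evt("HOST-A", "10.0.0.5", "svc_backup", "\\\\*\\ADMIN$", "update.dll", "0x2"),
    _evt("HOST-B", "10.0.0.5", "svc_backup", "\\\\*\\C$", "Windows\\update.dll", "0x2"),
    _evt("HOST-A", "10.0.0.9", "alice", "\\\\*\\C$", "Users\\alice\\report.docx", "0x2"),
    _evt("HOST-C", "10.0.0.5", "svc_backup", "\\\\*\\ADMIN$", "update.dll", "0x120089"),
    _evt("HOST-D", "10.0.0.7", "bob", "\\\\*\\Public", "tool.exe", "0x2"),
]

if __name__ == "__main__":
    flagged, spreaders = hunt(SAMPLE_EVENTS)
    for e in flagged:
        print(f"{e['IpAddress']} ({e['SubjectUserName']}) -> {e['Computer']} "
              f"{e['ShareName']}\\{e['RelativeTargetName']} mask={e['AccessMask']}")
    for ip, hosts in spreaders.items():
        print(f"lateral spread from {ip}: {', '.join(hosts)}")
```

Event 5145 is only produced when "Audit Detailed File Share" is enabled, and on a real network patch management, PsExec-style tooling and backup agents write executables through ADMIN$ routinely, so the per-source host count is the part worth alerting on; baseline the accounts and source addresses that legitimately do this before turning the rule on.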

Software

ID Name References Techniques
S0099 Arp [1] System Network Configuration Discovery, Remote System Discovery
S0106 cmd [1] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Lateral Tool Transfer, Indicator Removal: File Deletion, System Information Discovery, Ingress Tool Transfer
S0100 ipconfig [1] System Network Configuration Discovery
S0236 Kwampirs [1] Masquerading: Masquerade Task or Service, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Fallback Channels, Password Policy Discovery, File and Directory Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Binary Padding, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Account Discovery: Local Account, Ingress Tool Transfer, Process Discovery, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0039 Net [1] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0104 netstat [1] System Network Connections Discovery
S0103 route [1] System Network Configuration Discovery
S0096 Systeminfo [1] System Information Discovery

References