Paul Scott

Paul Scott
on April 1, 2020

Threat Report Wednesday April 1st 2020

Threat Report

This week we’re covering:

  • Another round of COVID-19 miscreants targeting healthcare organizations and using the pandemic as a lure
  • A de-evolution in FIN7 tactics that move from phishing e-mails to phishing snail-mails
  • Details on a critical vulnerability in a popular WordPress plugin that allows site hijacking
  • Sodin Holding NEDA Ransom

FBI report on Orangeworm RAT Kwampirs targeting healthcare

On March 30, 2020, the FBI released new information on a Kwampirs Remote Access Trojan (RAT) campaign by Orangeworm (aka Gorgon Group) targeting healthcare.

The Kwampirs campaign against global healthcare entities has been effective, gaining broad and sustained access to targeted entities. Targeted entities range from major transnational healthcare companies to local hospital organizations.

Over the course of this campaign, the Kwampirs RAT performed daily command and control communications with malicious IP addresses and domains that were hard-coded in the Kwampirs RAT malware.

The FBI assessment: Kwampirs actors gained access to a large number of global hospitals through the vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.

Significant intrusion vectors include:

  • During mergers and acquisition(s), infections from one company moved laterally into the acquiring company once the networks were connected.
  • During the software co-development process, malware has been passed between multiple entities through shared resources.
  • During the software co-development process, shared internet facing resources have infected co-development participants.
  • Software supply chain vendors infected device(s) installed on the customer/corporate LAN or customer/corporate cloud infrastructure.

According to FBI’s FLASH report, the campaign has two phases. Phase one establishes persistence on the targeted network, including execution of secondary payloads. Phase two delivers additional Kwampirs components used to exploit other hosts and move laterally.

Kwampirs has been active since 2016, targeting industries such as healthcare, software supply chains, energy, and engineering across the U.S., Europe, Asia, and the Middle East.

The FBI’s FLASH message CP-000111-MW included the following indicators:

Kwampirs RAT Created Service

Service name: WmiApSrvEx
Service display name: WMI Performance Adapter Extension
Registry key: SYSTEM\CurrentControlSet\Services
Service image path: %SystemRoot%\system32\**Executable

Kwampirs RAT Executable Files found in c:\windows\system32\;


Kwampirs RAT DLL files dropped to disk files identified in c:\windows\syswow64\ ;


Files identified in c:\windows\system32\;


Other files created by the Kwampirs RAT Found in %SystemRoot%/inf/;


Zeus Sphinx joins the Corona Virus Malspam party

On March 30, 2020, researchers at IBM X-Force identified a new wave of attacks using “Zeus Sphinx,” taking advantage COVID-19 relief efforts. Zeus Sphinx (aka Zloader, Terdot) initially emerged as a commercial banking Trojan targeting major financial entities in the UK in 2015. The malware’s main function is to collect online account credentials from banks and a wide range of other websites.

The attack initially starts through a malicious document file that takes advantage of the Coronavirus (COVID-19) pandemic to spread the malware. Once the victim opens the malicious attachment and enables macros, the script will start its deployment and use a hijacked Windows process that will execute a malware downloader.

The malware downloader communicates with a command-and-control server to load the Zeus Sphinx variant. To maintain persistence, Sphinx writes numerous folders and files to disk and adds Registry keys to hide itself and manage its configuration file.

The following indicators of compromise were released with IBM X-Force findings.



IP Addresses




FIN7 uses Snail-mail to deliver weaponized USB drives

On March 29, 2020, researchers at Trustwave identified a new wave of attacks carried out by the Advanced Persistent Threat (APT) dubbed “FIN7.” In these attacks, the group mailed malicious USB devices to employees of targeted companies working in Human Resources (HR), Information Technology (IT), and/or Executive Management (EM) roles with the end goal of launching an attack and infecting unsuspecting users’ computers.

The attack starts with threat actors mailing malicious USB devices to victims, pretending to be Best Buy sending $50 gift cards to loyal customers. The USBs are programmed to function as USB keyboards. Upon connecting the device to a computer, the USB device starts harvesting the system information and will send the compromised data to the attackers’ command-and-control (C2) server.

PowerShell commands run that display fake message box warning errors, such as “USB Device Not Recognized - The last USB device you connected to this computer malfunctioned, and Windows does not recognize it.” The PowerShell scripts will then run a third-stage JavaScript backdoor, tracked as “GRIFFON,” that gathers system information using seven MITRE ATT&CK techniques. After gathering system information, FIN7 starts seeking administrative privileges to move laterally on the compromised network.

PCs trust USB keyboards by default, rendering these physical attacks less defensible via conventional antivirus measures. FIN7 has predominantly been associated with phishing as an attack vector, with extensive spear phishing campaigns observed throughout 2018 and into 2019, with the earliest attributable activity observed in 2015.

Critical WordPress Plugin Bug allows attackers to gain admin privileges

On March 31, 2020, WordPress disclosed a critical privilege escalation vulnerability which exists in Rank Math, a WordPress SEO plugin designed to help website owners to attract more traffic to their sites through Search Engine Optimization (SEO). The vulnerability can allow attackers to give administrator privileges to any registered user on the site. In addition, compromised sites can also allow attackers to revoke the admin rights of the site owners.

WordPress also disclosed a second vulnerability which exists in Rank Math’s optional plugin modules that helps users to create redirects on their WordPress sites. The vulnerability allows unauthenticated attackers to create redirects from any location on the site. If Rank Math is a plugin you use it should be upgraded to the latest version that contains fixes for the security flaws.

Sodin holding NEDA Ransom

It has come to our attention that the National Eating Disorder Association is being held ransom by Sodinokibi (aka Sodin, REvil) Ransomware. In addition to ransoming NEDA’s files, Sodin is threatening to publish sensitive data on the organization. This information includes financial details, credit card information, employee PII (email, phone number, address, SSN), IRS audit info, military eating disorder research, and more.

Recently, Sodin has taken to ensuring ransom payout by extorting victims as well as ransoming their encrypted files. This extortion plays out in a few different ways: naming and shaming, data auctioning, data publishing, and reporting to financial sector or media.

All of these tactics are used to encourage the ransomware victim to pay the ransom promptly even if they have the backups to recover.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to

Next: Threat Report Thursday March 26th 2020

Share this on:

Paul Scott

Paul Scott
on April 1, 2020

Perchy Subscribe to our blog