Kwampirs Malware Employed in Ongoing Cyber Supply Chain Campaign Targeting Global Industries, including Healthcare Sector
The summary from Private Industry Notification #20200330 by the FBI, issued March 30:
Since at least 2016, the FBI has observed an Advanced Persistent Threat (APT) actor conduct a global network exploitation campaign using the Kwampirs Remote Access Trojan (RAT) and is providing additional, non-technical information in an effort to highlight key objectives of the actor campaign. This information, along with previously released FBI Liaison Alert System (FLASH) messages, is intended to enhance the network defense posture of public and private partners.
The Kwampirs RAT is a modular RAT worm that gains system access to victim machines and networks, with the primary purpose of gaining broad, yet targeted, access to victim companies to enable follow-on computer network exploitation (CNE) activities. Through victimology and forensic analysis, the FBI found heavily targeted industries include healthcare, software supply chain, energy, and engineering across the United States, Europe, Asia, and the Middle East.
Secondary targeted industries include financial institutions and prominent law firms.
The FBI has not seen the Kwampirs RAT incorporating a wiper or destructive module components; however, through comparative forensic analysis, several code-based similarities exist with the data destruction malware Disttrack (commonly known as Shamoon).
You can access the full PIN on SANS.
Not surprisingly to me, after I drafted this post, I saw that Catalin Cimpanu has already covered it and added additional links to his coverage. See his report on ZDNet.