The Cyber Security News
Researchers Find New Evidence Linking Kwampirs Malware to Shamoon APT Hackers

March 14, 2022

New findings released last week showcase the overlapping source code and techniques between the operators of Shamoon and Kwampirs, indicating that they "are the same group or really close collaborators."

"Research evidence shows identification of co-evolution between the two Shamoon and Kwampirs malware families during the known timeline," Pablo Rincón Crespo of Cylera Labs said.

"If Kwampirs is based on the original Shamoon, and Shamoon 2 and 3 campaign code is based on Kwampirs, [...] then the authors of Kwampirs would be potentially the same as the authors of Shamoon, or must have a very strong relationship, as has been seen over the course of many years," Rincón Crespo added.

Shamoon, also known as DistTrack, functions as an information-stealing malware that also incorporates a destructive component that allows it to overwrite the Master Boot Record (MBR) with arbitrary data so as to render the infected machine inoperable.


The malware, developed by the eponymous hacking group also tracked as Magic Hound, Timberworm, and COBALT GIPSY, was first documented by Broadcom-owned Symantec in August 2012. At least two updated versions of Shamoon have since emerged, Shamoon 2 in 2016 and Shamoon 3 in 2018.

In July 2021, the U.S. government attributed Shamoon as the handiwork of Iranian state-sponsored actors, linking it to cyber offensives targeting industrial control systems.

Attack activity involving the Kwampirs backdoor, on the other hand, has been linked to a threat group known as Orangeworm, with Symantec disclosing an intrusion campaign aimed at entities in the healthcare sector in the U.S., Europe, and Asia.

Figure: "Kwampirs New Campaign Building Process," as explained by Cylera

"First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims," Symantec noted in an analysis in April 2018.

Cylera Labs' discovery of the connection stems from malware artifacts and previously unnoticed components, one of which is said to be an intermediary "stepping stone" version. It is a Shamoon dropper without the wiper feature, while simultaneously reusing the same loader code as Kwampirs.


What's more, code-level similarities have been found between Kwampirs and later versions of Shamoon. These include the functionality to retrieve system metadata, fetch the MAC address and the victim's keyboard layout information, as well as the use of the same InternetOpenW Windows API to craft HTTP requests to the command-and-control (C2) server.

Figure: "Shamoon 2 New Campaign Building Process," as explained by Cylera

Also put to use is a common template system to build the reporter module, which houses the capabilities to upload host information and download additional payloads to execute from their C2 servers, a feature that was missing in the first version of Shamoon.

In connecting the disparate dots, the analysis has led to the assessment that Kwampirs is likely based on Shamoon 1 and that Shamoon 2 inherited some of its code from Kwampirs, implying that the operators of the two malware families are either different sub-groups of a larger umbrella group or that it is the work of a single actor.


Such a claim isn't without precedent. Just last week, Cisco Talos detailed the TTPs of another Iranian actor called MuddyWater, noting that the nation-state actor is a "conglomerate" of multiple groups operating independently rather than a single threat actor group.

"These findings, if indeed correct, would recast Kwampirs as a large-scale, multi-year attack on global healthcare supply chains conducted by a foreign state actor," the researchers concluded.

"The data collected and systems accessed in these campaigns have a wide range of potential uses, including theft of intellectual property, collection of medical records of targets such as dissidents or military leaders, or reconnaissance to aid in the planning of future destructive attacks."



Some pieces of this article are sourced from:
thehackernews.com
