Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.^[1]

ID: G0071

Contributors: Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre

Version: 1.1

Created: 17 October 2018

Last Modified: 26 October 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Orangeworm has used HTTP for C2.^[2]
Enterprise	T1021	.002	Remote Services: SMB/Windows Admin Shares	Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.^[1]

Software

ID	Name	References	Techniques
S0099	Arp	^[1]	Remote System Discovery, System Network Configuration Discovery
S0106	cmd	^[1]	Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery
S0100	ipconfig	^[1]	System Network Configuration Discovery
S0236	Kwampirs	^[1]	Account Discovery: Local Account, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Fallback Channels, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Network Share Discovery, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery
S0039	Net	^[1]	Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Domain Account, Create Account: Local Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104	netstat	^[1]	System Network Connections Discovery
S0103	route	^[1]	System Network Configuration Discovery
S0096	Systeminfo	^[1]	System Information Discovery

References

Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.

Symantec Security Response Attack Investigation Team. (2018, April 23). Orangeworm: Indicators of Compromise. Retrieved July 8, 2018.

Orangeworm

Enterprise Layer

Techniques Used

Software

References