Researchers Find New Evidence Linking Kwampirs Malware to Shamoon APT Hackers

New findings released last week showcase the overlapping source code and techniques between the operators of Shamoon and Kwampirs, indicating that they “are the same group or really close collaborators.”

“Research evidence shows the identification of co-evolution between both Shamoon and Kwampirs malware families during the known timeline,” Pablo Rincón Crespo of Cylera Labs said.

“If Kwampirs is based on the original Shamoon, and Shamoon 2 and 3 campaign code is based on Kwampirs, […] then the authors of Kwampirs would be potentially the same as the authors of Shamoon, or must have a very strong relationship, as has been seen over the course of many years,” Rincón Crespo added.

Shamoon, also known as DistTrack, functions as an information-stealing malware that also incorporates a destructive component that allows it to overwrite the Master Boot Record (MBR) with arbitrary data so as to render the infected machine inoperable.

The malware, developed by the eponymous hacking crew also tracked as Magic Hound, Timberworm, and COBALT GIPSY, was first documented by Broadcom-owned Symantec in August 2012. At least two updated versions of Shamoon have since emerged: Shamoon 2 in 2016 and Shamoon 3 in 2018.

In July 2021, the U.S. government attributed Shamoon as the handiwork of Iranian state-sponsored actors, linking it to cyber offensives targeting industrial control systems.

On the other hand, attack activity involving the Kwampirs backdoor has been connected to a threat group known as Orangeworm, with Symantec disclosing an intrusion campaign aimed at entities in the healthcare sector in the U.S., Europe, and Asia.
