Cylera Labs’ Pablo Rincón Crespo reported that “Research evidence indicates identification of co-evolution between both Shamoon and Kwampirs malware families during the known timeline. The operators of Shamoon and Kwampirs have overlapping source code and techniques, indicating that they are the same group or really close collaborators.”
Symantec said in an April 2018 analysis that Orangeworm, first identified in January 2015, has also conducted targeted attacks against organisations in related industries as part of a larger supply-chain attack in order to reach its intended victims.
The connection was discovered by Cylera Labs thanks to malware artefacts and previously unnoticed components, one of which is said to be an intermediary “stepping stone” version. It’s a Shamoon dropper without the wiper feature, but it uses the same loader code as Kwampirs.
The malware, created by the hacking group also known as Magic Hound, Timberworm and COBALT GIPSY, was first discovered in August 2012 by Broadcom-owned Symantec. Shamoon has since received at least two updates: Shamoon 2 in 2016 and Shamoon 3 in 2018.
The US government identified Shamoon as the work of Iranian state-sponsored actors in July 2021, linking it to cyber offensives targeting industrial control systems.
A common template system is also used to create the reporter module, a component that uploads host information and downloads additional payloads to execute from the operators’ C2 servers; this capability was missing in the first version of Shamoon.
The investigation has led to the conclusion that Kwampirs is likely based on Shamoon 1 and that Shamoon 2 inherited some of Kwampirs’ code, implying either that the operators of both malware families are different sub-groups of a larger umbrella group or that both are the work of a single actor.
Cisco Talos detailed the TTPs of another Iranian actor called MuddyWater just last week, noting that the nation-state actor is a “conglomerate” of multiple teams operating independently rather than a single threat actor group.
Finally, the researchers concluded that “Kwampirs will be recast as a large-scale, multi-year attack on global healthcare supply chains carried out by a foreign state actor. The data gathered and systems accessed in these campaigns have a wide range of potential applications, including intellectual property theft, gathering medical records of targets such as dissidents or military leaders, or reconnaissance to aid in the planning of future destructive attacks.”