This week on #ThreatThursday we cover the latest release of MITRE ATT&CK (with sub-techniques), announce a healthcare partnership, and look at a threat actor that has been targeting the healthcare sector for years: Orangeworm. As usual, we consume Cyber Threat Intelligence, create a threat profile and adversary emulation plan, and discuss how to defend against Orangeworm. We hope you enjoy it!

    MITRE ATT&CK Update

    On July 8, 2020, MITRE announced the latest update to ATT&CK. This update brings some fundamental changes to how techniques are covered by introducing sub-techniques. ATT&CK (stands for an acronym for Adversary Tactics, Techniques, and Common Knowledge) enables. It allows the Cyber Threat Intelligence team, Red Team, and Blue Team to all speak the same language. Our If you are familiar with #ThreatThursday you are aware these blog posts focus, in part, on cover those three key players to enable collaboration and improveving security through via the SCYTHE platform. 

    We use ATT&CK to discuss adversary tactics, techniques, and procedures. The ATT&CK matrix covers the tactics and techniques while showcasing some procedures when you drill down on each technique. The introduction of sub-techniques adds another layer to better illustrate a specific adversary action. At the highest level, a sub-techniques is a more specific technique.

    Cyber Alliance to Defend our Healthcare

    At SCYTHE, it is embedded in our culture to share and build our communities and we are happy to announce a partnership with C5 Capital to support our healthcare community. We are seeing an unprecedented number of attacks on our healthcare systems, healthcare providers, and laboratories from malicious cyber actors wanting to cause maximum damage to systems and services most in need during the pandemic. C5 Capital has formed an alliance of cyber professionals who will C.A.R.E. for the cyber defence of our healthcare systems and providers so they can protect us.‍

    As we announce this alliance, we also want to take a look and provide resources for the healthcare industry to understand the threats they face. We will do this in #ThreatThursday style: consume cyber threat intelligence, emulate the adversary, and discuss techniques to defend against them. For these reasons, we will cover our first healthcare threat actor: Orangeworm.

    Cyber Threat Intelligence

    If you read #ThreatThursday on APT19 or APT33 you saw how to leverage MITRE ATT&CK for Cyber Threat Intelligence and map it with ATT&CK Navigator. Orangeworm is documented on the MITRE ATT&CK site but only lists 2 sub-techniques. It links to various software that we will be able to emulate but we may also need to extract TTPs from Cyber Threat Intelligence like we did with Buhtrap. We always recommend reading through the CTI as you may get details about the procedures used by the threat actor. Here are a few reports on Orangeworm, in particular we want to know more about Kwampirs which is the malware they used.

    Leveraging the new ATT&CK Navigator, we select Orangeworm with the selector tool but do not see any changes. This is because there are only 2 technique IDs tagged to Orangeworm and they are both sub-techniques as shown in Figure 1. Navigator does not show them because they are sub-techniques; we need to expand the technique in Navigator to see them or click on the ATT&CK Navigator Layers button and select view. It will take you to this page.

    Figure 1: Techniques Used by Orangeworm


    Let’s look a little deeper at the software leveraged by Orangworm, as shown in Figure 2. We should see one that sticks out and that is only used by Orangeworm: Kwampirs. According to MITRE ATT&CK, Kwampirs is a backdoor Trojan used by Orangeworm. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. This particular malware is mapped to multiple techniques allowing us to create a more detailed emulation plan.

    Figure 2: Software Used by Orangeworm


    In ATT&CK Navigator, use the select tool to choose all the techniques that map to the software used by Orangeworm. Expanding the techniques that have sub-techniques and our Navigator layer should look like Figure 3. You can access the Orangeworm Navigator Layer from the SCYTHE Github dynamically with this URL:

    Figure 3: Orangworm TTPs on Navigator

    Orangeworm Threat Profile

    Reading through the CTI sources provided (feel free to read other sources) and Navigator, we can extract the TTPs and create a Threat Profile for Orangeworm:





    Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015. 


    Corporate espionage

    Command and Control

    T1071 - Application Layer Protocol

    T1071.001 - Web Protocols

    T1008 - Fallback Channel


    T1218 - Signed Binary Proxy Execution

    T1218.011 - Rundll32

    T1059 - Command and Scripting Interpreter

    T1059.003 - Windows Command Shell

    T1569 - System Services

    T1569.002 - Service Execution

    Defense Evasion

    T1036 - Masquerading

    T1036.004 - Masquerade Task or Service

    T1027 - Obfuscated Files or Information

    T1027.001 - Binary Padding

    T1070 - Indicator Removal on Host

    T1070.004 - File Deletion

    T1070.005 - Network Share Connection Removal

    T1140 - Deobfuscate/Decode Files or Information


    T1087 - Account Discovery

    T1087.001 - Local Account

    T1087.002 - Domain Account

    T1201 - Password Policy Discovery

    T1069 - Permission Groups Discovery

    T1069.002 - Domain Groups

    T1069.001 - Local Groups

    T1057 - Process Discovery

    T1018 - Remote System Discovery

    T1082 - System Information Discovery

    T1016 - System Network Configuration Discovery

    T1049 - System Network Connections Discovery

    T1033 - System Owner/User Discovery

    T1007 - System Service Discovery

    T1083 - File and Directory Discovery

    T1124 - System Time Discovery

    T1135 - Network Share Discovery


    T1136 - Create Account

    T1136.001 - Local Account

    T1136.002 - Domain Account

    T1543 - Create or Modify System Process

    T1543.003 - Windows Service

    Lateral Movement

    T1021 - Remote Services

    T1021.002 - SMB/Windows Admin Shares

    T1105 - Ingress Tool Transfer

    T1570 - Lateral Tool Transfer

    Adversary Emulation Plan

    Orangeworm performs a significant amount of Discovery by leveraging built in tools such as arp, cmd, ipconfig, net, netstat, route, and systeminfo. We will do the same with our adversary emulation plan, conscience that most of these tools will run without being blocked. In the industry, we call leveraging built in tools: β€œLiving off the Land”. 

    Head over to our Community Threat Github and download the Orangeworm adversary emulation plan. Import it to SCYTHE and begin testing.

    For this threat, we are going to execute the dropper leveraging the RunDLL sub-technique (T1218.011 - Rundll32) under technique T1218 - Signed Binary Proxy Execution. To do this:

    • Download the 32-bit DLL from your SCYTHE campaign onto the target system; make sure to save as a .dll (we will use ServiceLogin.dll as the example)
    • Open a Command Prompt
    • Change directory to where the DLL was downloaded
    • Execute with: rundll32.exe ServiceLogin.dll,PlatformClientMain

    Please note, this was designed to run on a domain joined machine. If the target is not joined to the domain, some procedures may fail.


    Orangeworm achieves persistence through creating a new account and creating a new service that executes the malware on reboot. Both of these can be accomplished with SCYTHE. It is not recommended to add this to your automated steps as it will try to persist when it is already persistent.

    To create a new user and add to the local administrator group:

    • run cmd /c net user Kwampirs SecurePass123 /add
    • run cmd /c net localgroup administrators Kwampirs /add

    To persist through a service:

    • loader --load persist 
    • persist --hostname TARGETSERVER01 --name SCYTHEC --display SCYTHEC --description SCYTHE Client --path \\TARGETSERVER01\c$\windows\temp\scythe.exe

    Defend against Orangeworm

    Orangeworm leverages many built in tools, often called β€œLiving off the Land”. These built in tools like arp, cmd, ipconfig, net, netstat, route, and systeminfo are very difficult to prevent (as they come with the operating system). Detecting these built in tools executed in an attack chain is useful for alerting when an adversary may be operating in your environment. We recommend looking into sysmon to be able to do this without having to purchase more technology. 

    We collaborated with our friends at Active Countermeasures and provided the Orangeworm synthetic malware, created with SCYTHE, for them to do their weekly, Malware of the Day. We simply provided the executable created from this adversary emulation plan and they ran it on a system for a week. Head over to their blog post to learn how to detect Orangeworm on the network.

    Clean up

    Make sure to clean up when complete, open a privileged cmd.exe 

    • sc delete SCYTHEC
    • del C:\Windows\temp\scythe.exe
    • net localgroup administrators Kwampirs /del
    • net user Kwampirs /del


    This #ThreatThursday we covered the latest version of MITRE ATT&CK (with sub-techniques) and announced our participation in the C5-Health Alliance to collaborate with the healthcare sector. If you are interested in leveraging SCYTHE please fill out this form:

    Given our collaboration, we featured a threat actor that has been targeting the health sector for the past 5 years. This actor uses built in windows tools so anyone can emulate these manually. SCYTHE allows for automated and consistent emulation so you can focus on tuning detective controls. Stay tuned for next week as we will have someone from the healthcare sector on #ThreatThursday.

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided β€œas-is” without any warranty or condition of any kind, either express or implied.

    About SCYTHE

    SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email, visit, or follow on Twitter @scythe_io.

    Jorge Orchilles
    Post by Jorge Orchilles
    July 16, 2020