#ThreatThursday - Orangeworm

This week on #ThreatThursday we cover the latest release of MITRE ATT&CK (with sub-techniques), announce a healthcare partnership, and look at a threat actor that has been targeting the healthcare sector for years: Orangeworm. As usual, we consume Cyber Threat Intelligence, create a threat profile and adversary emulation plan, and discuss how to defend against Orangeworm. We hope you enjoy it!


On July 8, 2020, MITRE announced the latest update to ATT&CK. This update brings a fundamental change to how techniques are covered by introducing sub-techniques. ATT&CK (an acronym for Adversarial Tactics, Techniques, and Common Knowledge) allows the Cyber Threat Intelligence team, Red Team, and Blue Team to all speak the same language. If you are familiar with #ThreatThursday, you know these blog posts focus on those three key players to enable collaboration and improve security via the SCYTHE platform.

We use ATT&CK to discuss adversary tactics, techniques, and procedures. The ATT&CK matrix covers the tactics and techniques while showcasing some procedures when you drill down on each technique. The introduction of sub-techniques adds another layer to better illustrate a specific adversary action. At the highest level, a sub-technique is a more specific technique.

Cyber Alliance to Defend our Healthcare

At SCYTHE, it is embedded in our culture to share and build our communities and we are happy to announce a partnership with C5 Capital to support our healthcare community. We are seeing an unprecedented number of attacks on our healthcare systems, healthcare providers, and laboratories from malicious cyber actors wanting to cause maximum damage to systems and services most in need during the pandemic. C5 Capital has formed an alliance of cyber professionals who will C.A.R.E. for the cyber defence of our healthcare systems and providers so they can protect us.

As we announce this alliance, we also want to take a look and provide resources for the healthcare industry to understand the threats they face. We will do this in #ThreatThursday style: consume cyber threat intelligence, emulate the adversary, and discuss techniques to defend against them. For these reasons, we will cover our first healthcare threat actor: Orangeworm.

Cyber Threat Intelligence

If you read #ThreatThursday on APT19 or APT33, you saw how to leverage MITRE ATT&CK for Cyber Threat Intelligence and map it with ATT&CK Navigator. Orangeworm is documented on the MITRE ATT&CK site but only lists 2 sub-techniques. It links to various software that we will be able to emulate, but we may also need to extract TTPs from Cyber Threat Intelligence like we did with Buhtrap. We always recommend reading through the CTI, as you may get details about the procedures used by the threat actor. Here are a few reports on Orangeworm; in particular, we want to know more about Kwampirs, the malware they used.

Leveraging the new ATT&CK Navigator, we select Orangeworm with the selector tool but do not see any changes. This is because there are only 2 technique IDs tagged to Orangeworm and they are both sub-techniques, as shown in Figure 1. Navigator does not show them because they are sub-techniques; we need to expand the parent technique in Navigator to see them, or click on the ATT&CK Navigator Layers button and select View. It will take you to this page.

Figure 1: Techniques Used by Orangeworm

Let’s look a little deeper at the software leveraged by Orangeworm, as shown in Figure 2. One sticks out because it is only used by Orangeworm: Kwampirs. According to MITRE ATT&CK, Kwampirs is a backdoor Trojan used by Orangeworm. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. This particular malware is mapped to multiple techniques, allowing us to create a more detailed emulation plan.

Figure 2: Software Used by Orangeworm

In ATT&CK Navigator, use the select tool to choose all the techniques that map to the software used by Orangeworm. After expanding the techniques that have sub-techniques, our Navigator layer should look like Figure 3. You can load the Orangeworm Navigator Layer from the SCYTHE Github dynamically with this URL: https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https://raw.githubusercontent.com/scythe-io/community-threats/master/Orangeworm/orangeworm_layer.json

Figure 3: Orangeworm TTPs on Navigator

Orangeworm Threat Profile

Reading through the CTI sources provided (feel free to read other sources) and Navigator, we can extract the TTPs and create a Threat Profile for Orangeworm:

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015.

Objective: Corporate espionage

Command and Control
  • T1071 - Application Layer Protocol
    • T1071.001 - Web Protocols
  • T1008 - Fallback Channel

Execution
  • T1218 - Signed Binary Proxy Execution
    • T1218.011 - Rundll32
  • T1059 - Command and Scripting Interpreter
    • T1059.003 - Windows Command Shell
  • T1569 - System Services
    • T1569.002 - Service Execution

Defense Evasion
  • T1036 - Masquerading
    • T1036.004 - Masquerade Task or Service
  • T1027 - Obfuscated Files or Information
    • T1027.001 - Binary Padding
  • T1070 - Indicator Removal on Host
    • T1070.004 - File Deletion
    • T1070.005 - Network Share Connection Removal
  • T1140 - Deobfuscate/Decode Files or Information

Discovery
  • T1087 - Account Discovery
    • T1087.001 - Local Account
    • T1087.002 - Domain Account
  • T1201 - Password Policy Discovery
  • T1069 - Permission Groups Discovery
    • T1069.001 - Local Groups
    • T1069.002 - Domain Groups
  • T1057 - Process Discovery
  • T1018 - Remote System Discovery
  • T1082 - System Information Discovery
  • T1016 - System Network Configuration Discovery
  • T1049 - System Network Connections Discovery
  • T1033 - System Owner/User Discovery
  • T1007 - System Service Discovery
  • T1083 - File and Directory Discovery
  • T1124 - System Time Discovery
  • T1135 - Network Share Discovery

Persistence
  • T1136 - Create Account
    • T1136.001 - Local Account
    • T1136.002 - Domain Account
  • T1543 - Create or Modify System Process
    • T1543.003 - Windows Service

Lateral Movement
  • T1021 - Remote Services
    • T1021.002 - SMB/Windows Admin Shares
  • T1105 - Ingress Tool Transfer
  • T1570 - Lateral Tool Transfer
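The profile above is the input for a Navigator layer like the one linked earlier. As an added example (not SCYTHE's published orangeworm_layer.json and not part of the original post), the following Python builds a Navigator layer from the "ID - Name" lines of the profile and sets showSubtechniques on every parent that has a listed sub-technique, so the sub-techniques render without expanding each parent by hand, the issue noted with Figure 1. The version strings in the layer header, the colour, and the description text are assumptions, not values taken from the post.

```python
"""Build an ATT&CK Navigator layer from the Orangeworm threat profile in this post.
Added example; not SCYTHE's orangeworm_layer.json. Layer version strings are assumed."""
import json
import re

# Technique lines copied from the profile ("ID - Name" per line). Tactic headings are
# left in on purpose so the parser has non-technique lines to skip.
PROFILE = """
Command and Control
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1008 - Fallback Channel
Execution
T1218 - Signed Binary Proxy Execution
T1218.011 - Rundll32
T1059 - Command and Scripting Interpreter
T1059.003 - Windows Command Shell
T1569 - System Services
T1569.002 - Service Execution
Defense Evasion
T1036 - Masquerading
T1036.004 - Masquerade Task or Service
T1027 - Obfuscated Files or Information
T1027.001 - Binary Padding
T1070 - Indicator Removal on Host
T1070.004 - File Deletion
T1070.005 - Network Share Connection Removal
T1140 - Deobfuscate/Decode Files or Information
Discovery
T1087 - Account Discovery
T1087.001 - Local Account
T1087.002 - Domain Account
T1201 - Password Policy Discovery
T1069 - Permission Groups Discovery
T1069.001 - Local Groups
T1069.002 - Domain Groups
T1057 - Process Discovery
T1018 - Remote System Discovery
T1082 - System Information Discovery
T1016 - System Network Configuration Discovery
T1049 - System Network Connections Discovery
T1033 - System Owner/User Discovery
T1007 - System Service Discovery
T1083 - File and Directory Discovery
T1124 - System Time Discovery
T1135 - Network Share Discovery
Persistence
T1136 - Create Account
T1136.001 - Local Account
T1136.002 - Domain Account
T1543 - Create or Modify System Process
T1543.003 - Windows Service
Lateral Movement
T1021 - Remote Services
T1021.002 - SMB/Windows Admin Shares
T1105 - Ingress Tool Transfer
T1570 - Lateral Tool Transfer
"""

# Matches "T1071 - Name" and "T1071.001 - Name"; anything else (headings) is skipped.
TECHNIQUE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s*-\s*(.+)$")


def parse_profile(text):
    """Return {technique_id: name} for every technique line in a pasted profile."""
    techniques = {}
    for line in text.strip().splitlines():
        match = TECHNIQUE_RE.match(line.strip())
        if match:
            techniques[match.group(1)] = match.group(2).strip()
    return techniques


def build_layer(techniques, name="Orangeworm", color="#fd8d3c"):
    """Navigator layer dict. A parent with at least one listed sub-technique gets
    showSubtechniques=True so Navigator renders the children expanded; otherwise a
    layer made only of sub-techniques looks empty, as described for Figure 1."""
    parents = {tid.split(".")[0] for tid in techniques if "." in tid}
    entries = []
    for tid, tname in sorted(techniques.items()):
        entry = {"techniqueID": tid, "color": color, "comment": tname, "enabled": True}
        if tid in parents:
            entry["showSubtechniques"] = True
        entries.append(entry)
    return {
        "name": name,
        # Assumed header for the sub-technique era of Navigator; adjust to your install.
        "versions": {"attack": "7", "navigator": "4.0", "layer": "4.0"},
        "domain": "enterprise-attack",
        "description": "Techniques from the Orangeworm threat profile (added example)",
        "techniques": entries,
    }


def layer_json(text=PROFILE):
    """JSON text ready to save and load through Navigator's Open Existing Layer."""
    return json.dumps(build_layer(parse_profile(text)), indent=2)
```

Save the output of layer_json() to a file and open it in Navigator, or host it and pass it through the layerURL fragment the way the SCYTHE link above does. Parents whose sub-techniques you did not list stay collapsed, which is the behaviour the post describes when only the two Orangeworm sub-techniques are selected.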

Adversary Emulation Plan

Orangeworm performs a significant amount of Discovery by leveraging built-in tools such as arp, cmd, ipconfig, net, netstat, route, and systeminfo. We will do the same in our adversary emulation plan, aware that most of these tools will run without being blocked. In the industry, leveraging built-in tools is called “Living off the Land”.

Head over to our Community Threat Github and download the Orangeworm adversary emulation plan. Import it to SCYTHE and begin testing.

For this threat, we are going to execute the dropper leveraging the RunDLL sub-technique (T1218.011 - Rundll32) under technique T1218 - Signed Binary Proxy Execution. To do this:

  • Download the 32-bit DLL from your SCYTHE campaign onto the target system; make sure to save as a .dll (we will use ServiceLogin.dll as the example)
  • Open a Command Prompt
  • Change directory to where the DLL was downloaded
  • Execute with: rundll32.exe ServiceLogin.dll,PlatformClientMain

Please note, this was designed to run on a domain joined machine. If the target is not joined to the domain, some procedures may fail.


Orangeworm achieves persistence through creating a new account and creating a new service that executes the malware on reboot. Both of these can be accomplished with SCYTHE. It is not recommended to add this to your automated steps as it will try to persist when it is already persistent.

To create a new user and add to the local administrator group:

  • run cmd /c net user Kwampirs SecurePass123 /add
  • run cmd /c net localgroup administrators Kwampirs /add

To persist through a service:

  • loader --load persist 
  • persist --hostname TARGETSERVER01 --name SCYTHEC --display SCYTHEC --description SCYTHE Client --path \\TARGETSERVER01\c$\windows\temp\scythe.exe

Defend against Orangeworm

Orangeworm leverages many built-in tools, a practice often called “Living off the Land”. These built-in tools like arp, cmd, ipconfig, net, netstat, route, and systeminfo are very difficult to prevent (as they come with the operating system). Detecting these built-in tools executed in an attack chain is useful for alerting when an adversary may be operating in your environment. We recommend looking into Sysmon to be able to do this without having to purchase more technology.
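To make the detection point concrete for both the Discovery chain above and the persistence steps of the emulation plan, here is an added Python example (not code from SCYTHE, Sysmon or Active Countermeasures) that runs three rules over a constructed sample of Sysmon Event ID 1 process-creation records: rundll32 loading a DLL from outside the Windows directory (T1218.011), net.exe creating a local account or adding one to Administrators (T1136.001, plus T1098 Account Manipulation for the group add, which the profile does not list), and a burst of distinct discovery tools launched by one parent process inside a short window. The flattened field layout, user names, PIDs and times in SAMPLE_LOG are constructed, and the burst threshold and window are assumptions to tune for your environment.

```python
"""Detection logic for Orangeworm's 'Living off the Land' chain, run over a constructed
sample of Sysmon Event ID 1 records. Added example; not SCYTHE, Sysmon or ACM code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Built-in tools the post lists for Discovery (net1.exe is what net.exe spawns).
DISCOVERY_TOOLS = {"arp.exe", "ipconfig.exe", "net.exe", "net1.exe",
                   "netstat.exe", "route.exe", "systeminfo.exe"}
BURST_MIN_TOOLS = 4                  # distinct discovery tools from one parent ...
BURST_WINDOW = timedelta(minutes=5)  # ... inside this window raise one alert

# Constructed sample (not real telemetry): Sysmon EID 1 fields flattened to
# "Field: value" pairs, one event per line; the first line is a benign rundll32 call.
SAMPLE_LOG = r"""
UtcTime: 2020-07-09 09:15:00.000 | Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL | CurrentDirectory: C:\Users\helpdesk\ | ParentImage: C:\Windows\explorer.exe | ParentProcessId: 1200
UtcTime: 2020-07-09 14:00:02.000 | Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe ServiceLogin.dll,PlatformClientMain | CurrentDirectory: C:\Users\nurse1\Downloads\ | ParentImage: C:\Windows\System32\cmd.exe | ParentProcessId: 4120
UtcTime: 2020-07-09 14:00:40.000 | Image: C:\Windows\System32\ipconfig.exe | CommandLine: ipconfig /all | CurrentDirectory: C:\Users\nurse1\Downloads\ | ParentImage: C:\Windows\System32\rundll32.exe | ParentProcessId: 5044
UtcTime: 2020-07-09 14:00:55.000 | Image: C:\Windows\System32\net.exe | CommandLine: net user | CurrentDirectory: C:\Users\nurse1\Downloads\ | ParentImage: C:\Windows\System32\rundll32.exe | ParentProcessId: 5044
UtcTime: 2020-07-09 14:01:10.000 | Image: C:\Windows\System32\NETSTAT.EXE | CommandLine: netstat -ano | CurrentDirectory: C:\Users\nurse1\Downloads\ | ParentImage: C:\Windows\System32\rundll32.exe | ParentProcessId: 5044
UtcTime: 2020-07-09 14:01:30.000 | Image: C:\Windows\System32\ARP.EXE | CommandLine: arp -a | CurrentDirectory: C:\Users\nurse1\Downloads\ | ParentImage: C:\Windows\System32\rundll32.exe | ParentProcessId: 5044
UtcTime: 2020-07-09 14:02:00.000 | Image: C:\Windows\System32\systeminfo.exe | CommandLine: systeminfo | CurrentDirectory: C:\Users\nurse1\Downloads\ | ParentImage: C:\Windows\System32\rundll32.exe | ParentProcessId: 5044
UtcTime: 2020-07-09 14:03:15.000 | Image: C:\Windows\System32\net.exe | CommandLine: net user Kwampirs SecurePass123 /add | CurrentDirectory: C:\Windows\system32 | ParentImage: C:\Windows\System32\cmd.exe | ParentProcessId: 6120
UtcTime: 2020-07-09 14:03:20.000 | Image: C:\Windows\System32\net.exe | CommandLine: net localgroup administrators Kwampirs /add | CurrentDirectory: C:\Windows\system32 | ParentImage: C:\Windows\System32\cmd.exe | ParentProcessId: 6120
"""


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse_event(line):
    """One flattened record -> dict; UtcTime is parsed to a datetime."""
    event = {}
    for field in line.split(" | "):
        key, _, value = field.partition(": ")
        event[key.strip()] = value.strip()
    event["UtcTime"] = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return event


def rundll32_loads_foreign_dll(event):
    """T1218.011: rundll32 loading a DLL from outside the Windows directory. A relative
    DLL name, as in the emulation plan, is resolved against CurrentDirectory."""
    if basename(event["Image"]) != "rundll32.exe":
        return None
    args = event["CommandLine"].split(None, 1)[1:]
    if not args:
        return None
    dll = PureWindowsPath(args[0].split(",", 1)[0].strip('"'))
    if not dll.is_absolute():
        dll = PureWindowsPath(event["CurrentDirectory"]) / dll
    if str(dll).lower().startswith("c:\\windows\\"):
        return None
    return ("T1218.011", f"rundll32 loading {dll}")


# net.exe command lines from the persistence step. Adding the account to Administrators
# is T1098 Account Manipulation, which the post's profile does not list.
ACCOUNT_RULES = [
    (re.compile(r"\buser\s+\S+\s+\S+\s+/add\b", re.I), "T1136.001", "local account created"),
    (re.compile(r"\blocalgroup\s+administrators\s+\S+\s+/add\b", re.I), "T1098",
     "account added to local Administrators"),
]


def net_account_change(event):
    if basename(event["Image"]) not in ("net.exe", "net1.exe"):
        return None
    for pattern, technique, text in ACCOUNT_RULES:
        if pattern.search(event["CommandLine"]):
            return (technique, f"{text}: {event['CommandLine']}")
    return None


class DiscoveryBurstDetector:
    """Alert once per parent that launches BURST_MIN_TOOLS distinct tools inside BURST_WINDOW."""
    def __init__(self):
        self.seen = defaultdict(list)   # ParentProcessId -> [(UtcTime, tool)]
        self.alerted = set()

    def feed(self, event):
        tool = basename(event["Image"])
        if tool not in DISCOVERY_TOOLS:
            return None
        parent, now = event["ParentProcessId"], event["UtcTime"]
        recent = [(t, n) for t, n in self.seen[parent] if now - t <= BURST_WINDOW]
        recent.append((now, tool))
        self.seen[parent] = recent
        tools = sorted({n for _, n in recent})
        if len(tools) >= BURST_MIN_TOOLS and parent not in self.alerted:
            self.alerted.add(parent)
            return ("Discovery", f"parent PID {parent} ran {tools} within {BURST_WINDOW}")
        return None


def analyze(log_text):
    """Run every rule over the records in time order; return (time, label, detail) alerts."""
    events = sorted(map(parse_event, log_text.strip().splitlines()), key=lambda e: e["UtcTime"])
    bursts, alerts = DiscoveryBurstDetector(), []
    for event in events:
        for hit in (rundll32_loads_foreign_dll(event), net_account_change(event), bursts.feed(event)):
            if hit:
                alerts.append((event["UtcTime"].strftime("%H:%M:%S"),) + hit)
    return alerts
```

analyze(SAMPLE_LOG) returns four alerts for the sample: the DLL load from the Downloads folder, the discovery burst on the fourth distinct tool under the same parent, and the two account changes; the benign rundll32 call into shell32.dll and the lone net user command raise nothing. One caveat for the service half of the persistence step: the persist module writes the service over the admin share of TARGETSERVER01, so process creation on the operator's host will not show it. The install is recorded on the target as System event ID 7045 (with the SCYTHEC service name from the clean-up section), which is the event to collect alongside Sysmon.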

We collaborated with our friends at Active Countermeasures and provided the Orangeworm synthetic malware, created with SCYTHE, for their weekly Malware of the Day. We simply provided the executable created from this adversary emulation plan and they ran it on a system for a week. Head over to their blog post to learn how to detect Orangeworm on the network.

Clean up

Make sure to clean up when complete. Open a privileged cmd.exe and run:

  • sc delete SCYTHEC
  • del C:\Windows\temp\scythe.exe
  • net localgroup administrators Kwampirs /del
  • net user Kwampirs /del


This #ThreatThursday we covered the latest version of MITRE ATT&CK (with sub-techniques) and announced our participation in the C5-Health Alliance to collaborate with the healthcare sector. If you are interested in leveraging SCYTHE please fill out this form: https://www.scythe.io/healthcare

Given our collaboration, we featured a threat actor that has been targeting the health sector for the past 5 years. This actor uses built-in Windows tools, so anyone can emulate these manually. SCYTHE allows for automated and consistent emulation so you can focus on tuning detective controls. Stay tuned for next week as we will have someone from the healthcare sector on #ThreatThursday.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.
