📃Title: New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia
📅Date: 2018-04-23
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer=“Symantec”
  • sector=“Health”
  • sector=“IT”
  • sector=“Logistic”
  • sector=“Manufacturing”
  • target-information=“Germany”
  • target-information=“Hong Kong”
  • target-information=“Hungary”
  • target-information=“India”
  • target-information=“Malaysia”
  • target-information=“Philippines”
  • target-information=“Poland”
  • target-information=“Saudi Arabia”
  • target-information=“Sweden”
  • target-information=“United Kingdom”
  • target-information=“United States”
  • threat-actor=“Orangeworm”
  • mitre-attack-pattern=[]

MISP event uuid: 5947a5a4-9c86-45e8-9756-25fa38c54ff3

Indicators of Compromise (IoCs)


Full IOCs available in Rectifyq’s MISP