The US FBI is providing indicators of compromise (IoC) for the two identified modules of the Kwampirs Remote Access Trojan (RAT). The FBI has identified additional information regarding the Kwampirs RAT, which has targeted several global industries, including the software supply chain, healthcare, energy, and financial sectors. Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution. The Kwampirs RAT has been observed by the FBI supporting targeted computer intrusions on these sectors, including supporting additional module execution on the targeted victim network, believed to enable follow-on computer network exploitation operations.
While the Kwampirs RAT has not been observed incorporating a wiper component, comparative forensic analysis has revealed that the Kwampirs RAT has numerous similarities with the data destruction malware Disttrack (commonly known as Shamoon). To assist with identification of the Kwampirs RAT, the FBI is providing five YARA rules, which produce consistent results on open-source tools such as VirusTotal and Hybrid Analysis for both the Kwampirs RAT and the Shamoon malware.
Link to full report and IoCs: TR-20-038-001_Yara.pdf