Chinese hacking group hijacks hospital computers by spoofing legitimate medical software


  • ForeScout says Silver Fox crime group is targeting hospital patients
  • The group uses spoofed medical software to install malware
  • Credentials, sensitive data, and crypto are then stolen

A Chinese hacking group has been spotted spoofing legitimate medical software to infect patient computers with malware.

The attacks have been attributed by Forescout to a group tracked as Silver Fox, Void Arachne, and The Great Thief of Valley, and spoof legitimate medical software, such as the Philips DICOM medical image viewer, to deploy the ValleyRAT remote access tool.

ValleyRAT is then used as a backdoor to deploy infostealing malware that targets sensitive data, credentials, and cryptocurrency.

Expanding horizons

As a China-based group, Silver Fox has typically targeted Chinese speakers in previous attacks, but Forescout notes that malware samples they have collected show “filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggest[ing] that the group may be expanding its targeting to new regions and sectors.”

How Silver Fox gets its malware onto victims' devices has not yet been determined, but Forescout notes that in previous attacks the group has used phishing and SEO poisoning to deliver its malware.

Once installed, the malware establishes a connection with the attackers' command and control (C2) server using ping.exe, find.exe, cmd.exe, and ipconfig.exe. The malware also runs PowerShell commands to hide its communication paths from Windows Defender scans.

The malware then retrieves additional payloads from the C2 server, including a component that searches the system for antivirus and endpoint protection software that could detect it and disables that software where possible. ValleyRAT is then deployed, stealing information and exfiltrating it to the C2 server.
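The behaviour described above (a PowerShell command that shields the malware's paths from Windows Defender, followed by a burst of ping.exe, find.exe, cmd.exe and ipconfig.exe from the same parent process) is something a defender can look for in process-creation telemetry. The script below is an added example written for this article; it is not Forescout's code and uses no indicators from the report. The log records, host names, the medviewer_setup.exe file name and the .invalid domain are all constructed placeholders, and the use of Add-MpPreference -ExclusionPath as the concrete Defender-evasion command is an assumption, since the article does not name the PowerShell commands involved.

```python
"""Added detection example (not from the article or Forescout): flag the
post-infection pattern described in the text in Sysmon-style process-creation
events. All sample data below is constructed for illustration."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed Event ID 1 style records, one JSON object per line. File names,
# hosts and the .invalid domain are placeholders, not indicators from the report.
SAMPLE_LOG = r"""
{"ts":"2025-02-25T09:14:02","host":"ws-01","pid":4120,"ppid":3300,"parent":"C:\\Users\\pat\\Downloads\\medviewer_setup.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -w hidden -c Add-MpPreference -ExclusionPath C:\\ProgramData\\upd"}
{"ts":"2025-02-25T09:14:05","host":"ws-01","pid":4131,"ppid":3300,"parent":"C:\\Users\\pat\\Downloads\\medviewer_setup.exe","image":"C:\\Windows\\System32\\PING.EXE","cmdline":"ping.exe -n 1 c2.example.invalid"}
{"ts":"2025-02-25T09:14:06","host":"ws-01","pid":4133,"ppid":3300,"parent":"C:\\Users\\pat\\Downloads\\medviewer_setup.exe","image":"C:\\Windows\\System32\\ipconfig.exe","cmdline":"ipconfig.exe /all"}
{"ts":"2025-02-25T09:14:07","host":"ws-01","pid":4140,"ppid":3300,"parent":"C:\\Users\\pat\\Downloads\\medviewer_setup.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c tasklist | find.exe /i \"defender\""}
{"ts":"2025-02-25T09:14:07","host":"ws-01","pid":4141,"ppid":4140,"parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\find.exe","cmdline":"find.exe /i \"defender\""}
{"ts":"2025-02-25T09:40:11","host":"ws-02","pid":5210,"ppid":1800,"parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe"}
{"ts":"2025-02-25T09:40:30","host":"ws-02","pid":5222,"ppid":5210,"parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\ipconfig.exe","cmdline":"ipconfig.exe /all"}
{"ts":"2025-02-25T09:41:02","host":"ws-02","pid":5230,"ppid":1800,"parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -c Get-MpComputerStatus"}
"""

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# The living-off-the-land binaries the article says the malware uses for C2 setup.
DISCOVERY_BINS = {"ping.exe", "find.exe", "cmd.exe", "ipconfig.exe"}
# Assumed shape of the Defender-evasion command: an exclusion or a Disable* switch
# passed to the real Add-MpPreference / Set-MpPreference cmdlets.
DEFENDER_TAMPER_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b[^\n]*?-(?:Exclusion(?:Path|Process|Extension)|Disable\w+)",
    re.IGNORECASE,
)


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts with parsed timestamps and lower-cased basenames."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["image_name"] = PureWindowsPath(rec["image"]).name.lower()
        rec["parent_name"] = PureWindowsPath(rec["parent"]).name.lower()
        events.append(rec)
    return events


def detect_defender_tampering(events: list[dict]) -> list[dict]:
    """PowerShell launched with a Defender exclusion or Disable* switch on its command line."""
    return [
        {"rule": "defender_exclusion", "host": e["host"], "pid": e["pid"],
         "parent": e["parent_name"], "cmdline": e["cmdline"]}
        for e in events
        if e["image_name"] in POWERSHELL and DEFENDER_TAMPER_RE.search(e["cmdline"])
    ]


def detect_discovery_burst(events: list[dict], window: timedelta = timedelta(seconds=60),
                           min_distinct: int = 3) -> list[dict]:
    """One parent spawning several distinct discovery binaries within a short window.
    A lone ipconfig from an admin shell stays below the threshold; the burst does not."""
    by_parent: dict[tuple, list[dict]] = defaultdict(list)
    for e in events:
        if e["image_name"] in DISCOVERY_BINS:
            by_parent[(e["host"], e["ppid"])].append(e)
    alerts = []
    for (host, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            seen = {e["image_name"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(seen) >= min_distinct:
                alerts.append({"rule": "discovery_burst", "host": host, "ppid": ppid,
                               "parent": first["parent_name"], "binaries": sorted(seen)})
                break  # one alert per parent is enough
    return alerts


def analyse(text: str) -> dict:
    """Run both rules and promote parents that trip both to high confidence."""
    events = parse_events(text)
    alerts = detect_defender_tampering(events) + detect_discovery_burst(events)
    rules_by_parent: dict[tuple, set] = defaultdict(set)
    for a in alerts:
        rules_by_parent[(a["host"], a["parent"])].add(a["rule"])
    high = [{"host": h, "parent": p, "rules": sorted(r)}
            for (h, p), r in rules_by_parent.items() if len(r) == 2]
    return {"alerts": alerts, "high_confidence": high}


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2, default=str))
```

Either rule on its own produces noise (administrators do add exclusions, and help-desk scripts do run ipconfig), which is why the example correlates them on the parent process: an unsigned installer in a Downloads folder that both carves out a Defender exclusion and immediately fans out to ping, ipconfig and cmd is a much stronger signal than either event alone, and the parent's path is what an analyst would pivot on next.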

Forescout also notes that although the malware targets the victim's device rather than a hospital directly, it still poses a significant risk to patients who bring infected devices into medical facilities, where it could spread through unsecured networks into hospital systems.

Via TheRegister

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
