Chinese hacking group hijacks hospital computers by spoofing legitimate medical software

  • ForeScout says Silver Fox crime group is targeting hospital patients
  • The group uses spoofed medical software to install malware
  • Credentials, sensitive data, and crypto are then stolen

A Chinese hacking group has been spotted spoofing legitimate medical software to infect patient computers with malware.

The attacks have been attributed by Forescout to a group tracked as Silver Fox, Void Arachne, and The Great Thief of Valley. The attackers use spoofed versions of legitimate medical software, such as the Philips DICOM medical image viewer, to deploy the ValleyRAT remote access tool.

ValleyRAT is then used as a backdoor to deploy infostealing malware that targets sensitive data, credentials, and cryptocurrency.

Expanding horizons

As a China-based group, Silver Fox has typically targeted Chinese speakers in previous attacks, but Forescout notes that malware samples they have collected show “filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggest[ing] that the group may be expanding its targeting to new regions and sectors.”

How Silver Fox gets its malware onto victims' devices has not yet been determined, but Forescout notes that the group has used phishing and SEO poisoning to deliver its malware in previous attacks.

Once installed, the malware establishes a connection with the attackers' command-and-control (C2) server using ping.exe, find.exe, cmd.exe, and ipconfig.exe. It also runs PowerShell commands to hide its communication paths from Windows Defender scans.

The malware then retrieves additional payloads from the C2 server, including a security-tool-sniffing component that searches the system for antivirus and endpoint protection software that could detect it and disables that software where possible. ValleyRAT is then deployed, stealing information and exfiltrating it to the C2 server.
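The two behaviours described above (PowerShell used to hide paths from Defender, and a cluster of ping.exe, find.exe, cmd.exe and ipconfig.exe launched for the C2 check-in) are both visible in standard Windows telemetry. The following detector is an added example, not code from the article or from Forescout's report; it assumes the Defender changes are made with the standard Add-MpPreference/Set-MpPreference cmdlets (the article does not name them) and that script-block and process-creation events have been flattened to the simple one-line format shown in the constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample log lines (PowerShell 4104 script blocks and 4688-style
# process creations). These are illustrative, not telemetry from the report.
SAMPLE_LOGS = [
    "4104 ScriptBlock: Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Viewer'",
    "4104 ScriptBlock: Get-Process | Where-Object {$_.CPU -gt 10}",
    "4104 ScriptBlock: Set-MpPreference -DisableRealtimeMonitoring $true",
    "4104 ScriptBlock: Add-MpPreference -ExclusionProcess 'viewer.exe'",
    "4688 Parent=C:\\Users\\bob\\Downloads\\viewer.exe Image=C:\\Windows\\System32\\ping.exe",
    "4688 Parent=C:\\Users\\bob\\Downloads\\viewer.exe Image=C:\\Windows\\System32\\ipconfig.exe",
    "4688 Parent=C:\\Users\\bob\\Downloads\\viewer.exe Image=C:\\Windows\\System32\\cmd.exe",
    "4688 Parent=C:\\Users\\bob\\Downloads\\viewer.exe Image=C:\\Windows\\System32\\find.exe",
    "4688 Parent=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe",
]

# Defender tampering patterns (assumed cmdlets; the article only says "PowerShell commands").
DEFENDER_RULES = {
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "defender_protection_disabled": re.compile(
        r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I),
}

# The four living-off-the-land binaries the article names for the C2 check-in.
LOLBINS = {"ping.exe", "find.exe", "cmd.exe", "ipconfig.exe"}
PROC_RE = re.compile(r"^4688 Parent=(?P<parent>\S+) Image=(?P<image>\S+)$")


def detect_defender_tampering(lines):
    """Return (line_no, rule) for script blocks that add exclusions or disable protection."""
    hits = []
    for no, line in enumerate(lines, 1):
        if not line.startswith("4104"):
            continue
        for rule, pattern in DEFENDER_RULES.items():
            if pattern.search(line):
                hits.append((no, rule))
    return hits


def detect_lolbin_cluster(lines, threshold=3):
    """Return parents that spawned at least `threshold` distinct binaries from LOLBINS."""
    seen = defaultdict(set)
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            image = m.group("image").rsplit("\\", 1)[-1].lower()
            if image in LOLBINS:
                seen[m.group("parent")].add(image)
    return {parent: sorted(bins) for parent, bins in seen.items() if len(bins) >= threshold}
```

A single cmd.exe under explorer.exe is normal user activity and stays below the threshold; an unsigned download spawning all four binaries in short order is the pattern worth escalating.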

Forescout also notes that although the malware targets the victim's device rather than a hospital directly, it still poses a significant risk to patients who take infected devices into medical facilities, where it could spread through unsecured networks into hospital systems.

Via TheRegister
