
China-Based Threat Group Targets Healthcare with Malicious DICOM Installers

Ransomware groups are targeting healthcare organizations for financial gain, infiltrating networks, stealing data, then using ransomware to encrypt files. Cyber threat actors are also infiltrating healthcare networks and stealing data in much quieter attacks, where compromised healthcare organizations are not extorted and hackers remain in their networks indefinitely. Researchers at the cybersecurity firm Forescout have identified a new China-based threat group that is engaged in these quiet attacks, with one campaign involving weaponized installers for DICOM viewers. The installers are used to deliver a remote access trojan to create a backdoor and gain control of victims’ computers.

Silver Fox (aka Void Arachne, The Great Thief of the Valley) is a relatively new threat group first identified in June 2024. Initially, the group was focused on Chinese victims, deploying ValleyRAT malware via SEO poisoning, social media, and text message-based attacks, often under the guise of VPN software and AI applications. The group has been highly active since it emerged and its tactics have been evolving. The group is now attacking a much broader range of targets, including firms in finance, sales, management, and accounting with the primary goal of stealing data. The group is not known to engage in extortion.

Silver Fox is based in China, although it is unclear if it is a state-sponsored hacking group or a financially motivated threat actor. Forescout suggests that Silver Fox could be an Advanced Persistent Threat Group masquerading as a financially motivated threat group, as its targets have now shifted to government entities and cybersecurity companies. In one of the group’s latest campaigns, healthcare providers and patients appear to be targeted. The group has been observed mimicking healthcare applications such as installers for Philips DICOM viewers. Forescout notes that this campaign impersonates these DICOM viewers and no evidence has been found to suggest the group has hacked any Philips medical devices to distribute malicious versions of the installers.

The Forescout researchers identified a cluster of 29 malware samples hidden in installers that masquerade as Philips DICOM viewers, with the campaign active since at least December 2024. While the group has disguised malware as DICOM viewers, ValleyRAT malware has also been disguised as the Windows text editor EmEditor, system drivers, and utilities, suggesting healthcare is not the only target. The group could simply be trying to distribute its malware as far and wide as possible. Forescout was unable to identify how users were directed to these installers, although Silver Fox has previously used SEO poisoning, phishing, and gaming applications to distribute its malware.


The campaign delivers a first-stage loader, allowing other malicious payloads to be delivered from an Alibaba cloud bucket. The second-stage payloads can kill antivirus processes and pave the way for the third-stage payload, ValleyRAT, a remote access Trojan and backdoor with a loader module that delivers a keylogger and cryptocurrency miner.

“While these DICOM viewers likely target patients rather than hospitals directly, as patients often use these applications to view their own medical images, the risk to HDOs remains significant,” explained Forescout. “In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.”

The researchers recommend only downloading software from verified legitimate sources, implementing strict network segmentation, ensuring all devices are protected with endpoint security solutions, monitoring network traffic and endpoint telemetry, and investigating any suspicious activity. Indicators of Compromise and other recommended mitigations are detailed in the Forescout report.
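As an added illustration of the telemetry-monitoring recommendation above (this is example code written for this article, not from Forescout or The HIPAA Journal), the snippet below correlates constructed endpoint events into the chain described earlier: an installer named like a DICOM viewer whose child processes terminate a security product and reach out to cloud object storage. The event format, host names, file names, and the storage domain in the sample are invented for illustration.

```python
"""Correlate constructed endpoint telemetry to flag a masquerading
installer whose children both kill a security process and contact
cloud object storage. All field names and sample events are invented."""
import re
from collections import defaultdict

# Constructed sample telemetry: (host, pid, ppid, event, detail)
EVENTS = [
    ("ws01", 410, 1, "process_start", r"C:\Users\pat\Downloads\Philips_DICOM_Viewer_Setup.exe"),
    ("ws01", 522, 410, "process_start", r"C:\Windows\System32\taskkill.exe /F /IM MsMpEng.exe"),
    ("ws01", 530, 410, "net_connect", "bucket-example.oss-cn-hangzhou.aliyuncs.com:443"),
    ("ws02", 700, 1, "process_start", r"C:\Users\doc\Downloads\Philips_DICOM_Viewer_Setup.exe"),
    ("ws02", 712, 700, "net_connect", "update.example-vendor.test:443"),
]

# Installer names that borrow a medical-imaging or vendor brand (assumed pattern)
MASQ_NAME = re.compile(r"(dicom|philips).*\.exe$", re.I)
# Forced termination of common endpoint-protection service processes
AV_KILL = re.compile(r"taskkill\.exe.*\b(MsMpEng|ekrn|avp|bdservicehost)\b", re.I)
# Public object-storage endpoints (Alibaba OSS, S3, Azure Blob)
OBJ_STORE = re.compile(r"\.(aliyuncs\.com|amazonaws\.com|blob\.core\.windows\.net)(:\d+)?$", re.I)


def score_installers(events):
    """Return {(host, pid): [reasons]} for installers whose children show
    at least two independent loader-chain behaviours."""
    roots = {(h, pid) for h, pid, _, ev, detail in events
             if ev == "process_start" and MASQ_NAME.search(detail)}
    findings = defaultdict(list)
    for h, pid, ppid, ev, detail in events:
        key = (h, ppid)
        if key not in roots:
            continue  # only inspect direct children of a suspicious installer
        if ev == "process_start" and AV_KILL.search(detail):
            findings[key].append("child terminates security process")
        elif ev == "net_connect" and OBJ_STORE.search(detail):
            findings[key].append("child contacts cloud object storage")
    # A single behaviour is noisy on its own; require two before alerting
    return {k: v for k, v in findings.items() if len(v) >= 2}


if __name__ == "__main__":
    for (host, pid), reasons in score_installers(EVENTS).items():
        print(f"{host} pid {pid}: {'; '.join(reasons)}")
```

In the constructed data only ws01 is reported; ws02 ran the same installer name but its child only contacted a vendor update host, so it stays below the two-behaviour threshold.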

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
