Ransomware groups attack healthcare companies for financial profit: they gain access to networks, steal information, and then deploy ransomware to encrypt files. Other cyber threat actors also compromise healthcare systems and steal information through silent attacks, in which the breached healthcare company is never extorted and the intruders remain in its systems for longer. Researchers at the cybersecurity company Forescout have identified a new China-based threat group engaged in such silent attacks. One of its campaigns used weaponized installers aimed at DICOM viewer users; the installers download a remote access trojan that establishes a backdoor and gives the attackers control of the victims' computers.
Silver Fox (also known as The Great Thief of the Valley and Void Arachne) is a relatively new threat group, first identified in June 2024. It initially targeted Chinese victims with ValleyRAT malware distributed through social media, SEO poisoning, and SMS-based attacks, frequently hiding the malware inside VPN and AI software. The group has been very active since it appeared, and its techniques have kept evolving. It is now attacking a wider range of targets, including companies in finance, management, sales, and accounting, with information theft as its main objective. The group has not been observed using extortion.
Silver Fox is China-based, but it is not known whether it is a financially motivated threat actor or a state-sponsored hacking group. Forescout suggests that Silver Fox could be an Advanced Persistent Threat group posing as a financially motivated one, because it now targets government entities and cybersecurity firms. Healthcare companies and patients appear to be the targets of one of the group's most recent campaigns, in which it impersonates healthcare software such as the Philips DICOM viewer installers. Forescout stresses that the campaign merely imitates these DICOM viewers; there is no evidence that any Philips medical products were compromised to distribute malicious installers.
The Forescout researchers identified a cluster of 29 malware samples disguised as Philips DICOM viewer installers, and the campaign has been active since December 2024. ValleyRAT malware was also found disguised as system drivers, utilities, and the Windows text editor EmEditor, indicating that other industries are targeted as well; the group may simply be trying to spread its malware as widely as possible. Forescout could not determine how users were led to these installers, although Silver Fox has previously distributed its malware through phishing, gaming applications, and SEO poisoning.
The campaign delivers a first-stage loader that fetches further malicious payloads from an Alibaba cloud storage bucket. A second-stage payload can disable antivirus solutions and clear the way for the third-stage payload, ValleyRAT, a remote access trojan with a backdoor and a module loader that installs a cryptocurrency miner and a keylogger.
The fake DICOM viewers appear to target patients rather than hospitals, since patients frequently use such apps to view their own medical images. When patients bring infected devices into hospitals for analysis, or when patient-owned devices are used in hospital-at-home programs, the infection could spread beyond the patient's device, potentially giving the threat actors an initial foothold inside healthcare systems.
The researchers recommend obtaining software only from verified legitimate sources, applying strict network segmentation, ensuring that all devices are protected by endpoint security tools, monitoring network traffic and endpoint telemetry, and investigating any suspicious activity. The Forescout report provides Indicators of Compromise and further recommended mitigations. Healthcare companies that could be targeted should update their HIPAA training requirements to address this threat group.