Following research published last month into a new campaign by the Chinese threat actor Silver Fox, which used trojanized Philips DICOM viewers carrying a backdoor to infect victims, the findings stemmed from a malware threat hunt in VirusTotal (VT). The latest follow-up analysis refines the search method and details the process of hunting for healthcare malware in VT.
The approach combines a list of default credentials with a database of the medical software names most commonly observed in healthcare environments. It looks for malware that impersonates legitimate healthcare applications by abusing known software names, that exploits healthcare system credentials to gain initial access, or that interacts with the medical devices used in patient care, in order to identify samples exhibiting those specific behaviors.
The study detected three important malware clusters targeting healthcare systems: a cluster of Siemens Syngo FastView DICOM viewers infected with Floxif/Pioneer; a sample of a Mindray Central Monitoring Station (CMS) infected with “Panda Burning Incense”, where the CMS communicates with patient monitors using an IP address recently flagged by CISA and the FDA as a potential Chinese backdoor; and two botnet samples that abuse GE Healthcare Muse Cardiology Information System (CIS) credentials.
“These findings highlight how malware can frequently reach healthcare systems, either by targeting them directly or by infecting weaker systems that interact with medical devices,” wrote Amine Amri, Sai Molige and Daniel dos Santos of Forescout Research in a blog post on Tuesday. “Encouragingly, we found no malware samples that directly abuse DICOM or HL7. This is good news for clinical network defenders.”
The first results reveal two groups of files compromised by portable executable (PE) file infectors. This type of malware attaches malicious code to legitimate Windows executables so that the system is compromised whenever the host program runs.
“During the analysis, we discovered 19 instances of Siemens Syngo FastView DICOM viewers infected with Floxif/Pioneer,” the researchers elaborated. “Siemens Syngo FastView is usually distributed to patients with their medical imaging results, allowing DICOM images to be displayed on personal Windows workstations. The software is not intended for use on medical workstations, is no longer maintained by Siemens and is known to contain vulnerabilities.”
Floxif/Pioneer is a backdoor that infects executables and DLL files, allowing attackers to download and run further malware on victims' systems. “It was first discovered in 2012 and gained infamy when it was used to distribute a trojanized version of the CCleaner utility in 2017. In 2021 it was identified in an OT/ICS environment, although no targeted infections were reported. All infected samples were submitted to VT from the US or Canada between November and December 2024.”
They also identified one instance of Mindray CMS infected with Panda Burning Incense/Fujacks. “This CMS is a hospital software application that connects multiple patient monitors and centralizes patient vitals and diagnostics.”
Panda Burning Incense is a Chinese worm originally developed in 2006. More than 10 million devices were infected in 2007 before its creator was arrested. An updated version was released in 2009, and the malware was last observed infecting enterprise systems in 2019.
“The sample we identified was submitted from the US in 2022 and shows similar behavior to the 2019 variant. Specifically, it downloads additional malware from 9Z9T(.)COM and reports the infection to Daohang08(.)com,” the researchers added. “At the time of writing, the first domain no longer resolves to an IP address, while the second one currently resolves to 154.85.233(.)136, a Hong Kong-based IP address.”
CISA has flagged the default connection behavior of the Mindray CMS as a potential security risk. The CMS connects to patient monitors using the IP address 202.114.4(.)119, which CISA previously cited as a Chinese backdoor. Although this behavior is not inherently malicious, since multiple patient monitors and the CMS use the same IP address by default, CISA warns that this configuration exposes patient monitors to remote code execution (RCE) risk.
As observed in similar hunts in OT (operational technology) environments, it is not possible to determine whether these infections specifically targeted healthcare environments. This type of malware is relatively old and can spread through multiple vectors: other infected files downloaded from the Internet, infected USB drives used for file transfers, or networks compromised because of insufficient segmentation between IT and healthcare systems.
They added that the infections seen in the DICOM viewer samples most likely occurred on patients' personal computers, as that is the intended use case of the software. In contrast, the infection observed in the CMS is more likely to have occurred within a healthcare facility where the software is actively used to monitor patient data.
Moving on to the second important finding, the researchers noted that it consists of botnet samples that use the default password for the GE Healthcare Muse cardiology information system. However, these botnet samples are ELF binaries, meaning they cannot run on the Windows-based systems that host the Muse application. Instead, these samples could act as “vulnerability collectors”: scanning for exposed or misconfigured systems and reporting their findings to a command and control (C2) server or a human operator. Once a vulnerable system is identified, attackers can deploy additional tools to compromise it further.
Muse is deployed in healthcare institutions to streamline cardiac data management by facilitating the delivery, distribution and analysis of critical electrocardiogram (ECG) data. It aggregates cardiac measurements, diagnostic interpretation text and digitized ECGs. Given its role in storing and analyzing patient cardiac data, unauthorized access to a Muse system poses a significant security and privacy risk to healthcare providers.
Previous and current threat hunting identified multiple threat types relevant to healthcare providers, including infected DICOM viewers that are likely targeting patients rather than hospitals.
“Beyond this blog and previous findings from threat hunting, DICOM viewers have been abused in at least one campaign in 2024,” the researchers say. “These applications are either compromised by common IT malware or used as lures for sophisticated APT attacks. Infected DICOM viewers may seem like a risk mainly to patients, but they show how these infections can spread beyond personal workstations, for example when patients bring their devices to hospitals for diagnosis or when hospital staff use the software on home machines, and can serve as initial access vectors into healthcare organizations.”
Furthermore, the infected CMS sample and the botnets targeting CIS highlight that not only patient devices but also healthcare-specific systems are vulnerable. “The infected CMS sample came from a real hospital and likely contains a decades-old worm, suggesting it runs a decades-old operating system, is connected to the internet, and is highly susceptible to many other, more modern attacks.”
Beyond these individual findings, the research as a whole reinforces key healthcare cybersecurity challenges. “Threats occur both inside and outside the HDO. DICOM is widely used across interconnected systems within hospitals, including regular workstations and medical devices, and as explained in a recent report, it remains a high-risk protocol.”
To mitigate cybersecurity risks and improve resilience, the Forescout post called on healthcare delivery organizations (HDOs) to take several actions. First, all connected devices, especially those running legacy operating systems, must be identified and classified to assess risk exposure.
Second, external communications must be restricted and effective segmentation must be implemented. Network flow mapping is essential for designing segmentation zones that separate IT, IoT, OT and Internet of Medical Things (IoMT) devices. Mapping communications helps define those zones and provides insight into external and internet connections, making it possible to identify unintended external communications and to prevent unauthorized access and lateral movement within the network.
Finally, HDOs need to monitor network traffic and endpoint telemetry for threat detection. Correlating network and endpoint signals allows defenders to detect and respond to threats faster and more effectively.
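As an added illustration of the monitoring step (not code from the article or from Forescout), the script below refangs the indicators quoted above, matches them against constructed firewall/DNS log lines in an assumed simple layout, and groups hits by internal source host so that a CMS talking to the default 202.114.4.119 address or a workstation resolving the Fujacks report-back domain stands out.

```python
import re
from collections import defaultdict

# Indicators exactly as defanged in the article; refanged below for matching.
DEFANGED_IOCS = ["9Z9T(.)COM", "Daohang08(DOT)com", "154.85.233(.)136", "202.114.4(DOT)119"]


def refang(value: str) -> str:
    """Turn the article's defanged notation back into a matchable string."""
    return re.sub(r"\((?:\.|DOT)\)|\[\.\]", ".", value).lower()


IOCS = {refang(v) for v in DEFANGED_IOCS}
IP_IOCS = {v for v in IOCS if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", v)}
DOMAIN_IOCS = IOCS - IP_IOCS

# Constructed sample log (assumed layout: timestamp src dst proto [key=value...]).
SAMPLE_LOGS = """\
2025-03-04T10:01:02Z 10.20.5.14 10.20.5.1 dns q=cms-update.local
2025-03-04T10:01:09Z 10.20.5.14 202.114.4.119 tcp dport=80
2025-03-04T10:02:30Z 10.20.7.22 10.20.0.9 dns q=daohang08.com
2025-03-04T10:02:31Z 10.20.7.22 154.85.233.136 tcp dport=443
2025-03-04T10:03:00Z 10.20.9.3 8.8.8.8 dns q=vendor.example
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\w+)(?:\s+(?P<rest>.*))?$")


def find_hits(log_text: str) -> list[tuple[str, str, str]]:
    """Return (source host, indicator type, indicator) for every IoC match."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        src, dst, rest = m["src"], m["dst"], m["rest"] or ""
        if dst in IP_IOCS:
            hits.append((src, "ip", dst))
        q = re.search(r"\bq=(\S+)", rest)
        if q and q.group(1).lower() in DOMAIN_IOCS:
            hits.append((src, "domain", q.group(1).lower()))
    return hits


def hosts_by_indicator(log_text: str) -> dict[str, set[str]]:
    """Correlate hits per internal host: several IoCs from one host is the strongest signal."""
    summary = defaultdict(set)
    for src, _kind, ioc in find_hits(log_text):
        summary[src].add(ioc)
    return dict(summary)
```

Run over real exports, the same two functions apply unchanged as long as the log layout is adapted in LINE_RE; an empty result for a CMS segment is the expected healthy state.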
Last month, Health-ISAC published its report on the health sector's cyber threat landscape for 2025, highlighting the serious cybersecurity challenges the healthcare sector faced in 2024 and predicting an even more challenging environment in 2025.