A new study from Forescout Technologies' Vedere Labs confirms that the healthcare sector remains a major target for ransomware attacks. However, the threats facing this sector are not limited to ransomware. The researchers also identified a campaign by Silver Fox, a China-based APT group, that used malware posing as Philips DICOM viewers to set up backdoors, keyloggers and cryptocurrency miners on victims' computers.
“Many of these attacks are related to ransomware, which can affect data availability and disrupt patient care, but other threats to healthcare organizations directly leverage medical applications,” the blog post states. “During a new malware threat hunt, we identified a cluster of 29 malware samples posing as Philips DICOM viewers. These samples were created by the Chinese threat actor Silver Fox to gain control of the victim's computer by deploying ValleyRat, a backdoor remote access tool (RAT). In addition to the backdoor, the victim is also infected with a keylogger and a crypto miner.”
Silver Fox, also known as Void Arachne and The Great Thief of Valley, has historically targeted Chinese-speaking victims and has been highly active since 2024.
Over the past year, the group has evolved its tactics, techniques and procedures (TTPs) and broadened its targeting. Last June, Silver Fox was first identified targeting Chinese victims with malware that downloaded the Winos 4.0 Trojan, also known as ValleyRat. That campaign leveraged SEO poisoning, social media and messaging platforms to distribute malware disguised as AI applications or VPN software. Later that month, the group was observed deploying a modified version of ValleyRat incorporating DLL sideloading, process injection and an HTTP file server (HFS) for payload download and command and control (C2).
By July, new analysis suggested that Silver Fox could be an APT posing as a cybercriminal group, as its targets had shifted to government agencies and cybersecurity companies. In August, further campaigns targeted e-commerce, finance, sales and management companies. By September, the group had been observed using the TrueSight driver to disable antivirus software. In November, Silver Fox changed how Winos/ValleyRat was distributed, leveraging gaming applications as a new distribution mechanism.
In January this year, the PNGPLUG loader was first identified as part of the group's TTPs, and this month a new campaign was identified targeting financial, accounting and sales professionals with the aim of stealing sensitive data.
“The new malware cluster we identified, which includes mimicked healthcare applications, English-language executables and file names mimicking file submissions from the US and Canada, suggests that the group may be expanding its targeting to new regions and sectors,” the researchers said. “In addition, the group's use of crypto miners, detailed below, indicates the introduction of a new TTP into its campaigns.”
When downloaded, the Silver Fox malware decrypts its payload and generates a malicious executable (the second-stage malware) that is registered as a Windows scheduled task. This task is executed immediately and is configured to run at every user logon to ensure persistence on the infected system.
The second-stage malware loads a Cyren AV DLL containing injected code designed to evade debugging. It then enumerates system processes to identify various security software (details at the end of this report) and uses TrueSightKiller to terminate them.
“Once security defenses are disabled, the second stage downloads an encrypted file and decrypts it into the third-stage payload, the ValleyRat backdoor and loader module, which communicates with a C2 server hosted on Alibaba Cloud,” the post added.
“ValleyRat retrieves an additional encrypted payload that, once decrypted, acts as a keylogger and cryptominer. All three final payloads (backdoor, keylogger and cryptominer) achieve persistence on the victim through scheduled tasks. At the time of this analysis, the Alibaba Cloud storage buckets remained accessible, while the C2 server was already offline.”
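Every payload in this chain persists through a scheduled task that fires at user logon, which is a pattern a defender can hunt for directly in task definitions. The following Python script is an added example, not Forescout's tooling: it parses Task Scheduler XML (the same schema Windows records in the TaskContent field of Security event 4698 when a task is created) and flags tasks that combine a logon or boot trigger with an action that executes from a user-writable directory. The two task documents are constructed samples, and the list of "user-writable" directories is an assumption about a typical fleet that should be tuned to your own baseline.

```python
"""Triage of scheduled-task definitions for logon-persistence patterns.

Added illustration, not Forescout's tooling. The task XML documents below are
constructed samples; the namespace is the real Task Scheduler schema, which is
also what Security event 4698 (task created) carries in its TaskContent field.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories from which a centrally deployed task rarely executes. This is an
# assumption about a typical fleet; tune it to your own baseline.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)

# Constructed: a vendor updater running on a calendar schedule from Program Files.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""

# Constructed: a task that fires at every interactive logon (LogonTrigger with
# no UserId) and runs an executable from a user-writable directory.
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Viewer\\Update</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\\Users\\Public\\Viewer\\viewer_core.exe</Command></Exec></Actions>
</Task>"""


def analyse_task(xml_text):
    """Return the task's triggers, commands and the reasons it looks like persistence."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=TASK_NS)
    triggers = root.find("t:Triggers", TASK_NS)
    trigger_elems = list(triggers) if triggers is not None else []
    trigger_names = [t.tag.rsplit("}", 1)[-1] for t in trigger_elems]
    commands = [c.text or "" for c in root.findall(".//t:Exec/t:Command", TASK_NS)]

    reasons = []
    # A LogonTrigger without <UserId> fires for every user that logs on.
    if any(t.tag.endswith("}LogonTrigger") and t.find("t:UserId", TASK_NS) is None
           for t in trigger_elems):
        reasons.append("runs at every user logon")
    elif "LogonTrigger" in trigger_names or "BootTrigger" in trigger_names:
        reasons.append("logon/boot trigger")
    if any(USER_WRITABLE_RE.search(c) for c in commands):
        reasons.append("executes from a user-writable path")

    return {"uri": uri, "triggers": trigger_names, "commands": commands,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def triage(task_xml_docs):
    """Return the analysis records for every task that meets the suspicion bar."""
    return [r for r in map(analyse_task, task_xml_docs) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage([BENIGN_TASK, SUSPECT_TASK]):
        print(hit["uri"], "->", hit["commands"], "|", "; ".join(hit["reasons"]))
```

The suspicion bar deliberately requires two signals, because a logon trigger on its own is common for legitimate software; the combination with an action path under a profile or temp directory is what separates the constructed suspect task from the benign one. In production the XML would come from event 4698 records or from exporting existing tasks, and the path list would be replaced by an allow-list built from the organization's own software inventory.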
Each stage of the malware incorporates encryption, obfuscation and evasion techniques to resist detection and analysis. The obfuscation methods include API hashing to hide function calls, indirect API lookups to defeat static analysis, and indirect control-flow manipulation to hinder debugging and reverse engineering. The evasion techniques include long sleep intervals to delay execution and avoid sandbox detection, system fingerprinting to adjust execution to the target environment, masked DLL loading to avoid security monitoring, and RPC-based task scheduling and driver loading to bypass standard process monitoring.
Additionally, the malware adds random bytes to both dropped and loaded files, making detection and file-hash-based hunting more difficult.
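Random padding defeats hunting on full-file hashes because every drop is a different file, but it does not change the structure the loader actually needs. The Python script below is an added example, not Forescout's tooling: it builds a constructed, PE-shaped blob with one section (not a loadable program), computes where the section table says the file ends, and hashes only that declared body, so any bytes appended after it (a PE overlay) neither change the hash nor go unnoticed, since the overlay size itself becomes a reportable signal. The assumption is that the padding is appended after the last section; bytes inserted inside a section would need a different strategy such as per-section or import hashing.

```python
"""Hash hunting that ignores appended random bytes (PE overlay).

Added illustration, not Forescout's tooling. build_minimal_pe() produces a
PE-shaped blob with one section purely so the parser has something to read; it
is not a loadable program. Assumption: the random padding is an overlay, i.e. it
sits after the last section's raw data.
"""
import hashlib
import os
import struct

SECTION_HDR = 40    # size of an IMAGE_SECTION_HEADER
COFF_HDR = 20       # size of IMAGE_FILE_HEADER
FILE_ALIGN = 0x200


def _align(n, a):
    return (n + a - 1) // a * a


def build_minimal_pe(code: bytes) -> bytes:
    """Constructed sample: DOS stub, PE signature, COFF + PE32 optional header, one .text section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                          # PE32 optional header length
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    header_end = e_lfanew + 4 + COFF_HDR + opt_size + SECTION_HDR
    raw_ptr = _align(header_end, FILE_ALIGN)
    raw_size = _align(len(code), FILE_ALIGN)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\x00\x00" + coff + optional + section
    image += b"\x00" * (raw_ptr - len(image))
    return image + code.ljust(raw_size, b"\x00")


def declared_end(pe: bytes) -> int:
    """Offset where the section table says the file content ends."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 4 + COFF_HDR + opt_size
    end = table + SECTION_HDR * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + SECTION_HDR * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def overlay_size(pe: bytes) -> int:
    """Bytes trailing the declared body; a large, high-entropy overlay is itself a signal."""
    return max(0, len(pe) - declared_end(pe))


def full_sha256(pe: bytes) -> str:
    return hashlib.sha256(pe).hexdigest()


def structural_sha256(pe: bytes) -> str:
    """SHA-256 over the declared file body only, so an overlay does not change it."""
    return hashlib.sha256(pe[:declared_end(pe)]).hexdigest()


def pad_with_random_overlay(pe: bytes, n: int) -> bytes:
    """Mimic per-drop padding for the demonstration: append n random bytes after the last section."""
    return pe + os.urandom(n)


if __name__ == "__main__":
    base = build_minimal_pe(b"\xC3" * 16)
    for drop in (pad_with_random_overlay(base, 777), pad_with_random_overlay(base, 1500)):
        print(f"full={full_sha256(drop)[:16]} body={structural_sha256(drop)[:16]} "
              f"overlay={overlay_size(drop)} bytes")
```

Run against two drops of the same sample, the full-file hashes differ while the body hashes agree, which is the value a hunt should pivot on; the overlay size is worth recording alongside it, since legitimately signed binaries carry an overlay of a predictable size (the Authenticode signature) rather than an arbitrary one.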
Silver Fox's campaigns use trojanized DICOM viewers as a lure to infect victims with a remote access and control backdoor (ValleyRat), keyloggers that capture user activity and credentials, and crypto miners that exploit system resources for financial gain.
“These DICOM viewers may be directly targeting patients rather than hospitals. The risk to HDOs remains significant, as patients use these applications to view their own medical images,” Forescout observed. “In new scenarios, such as patients bringing infected devices to hospitals for diagnosis, or hospital-at-home programs that rely on patient-owned technology, these infections could spread beyond individual patient devices, potentially giving threat actors an initial foothold within the healthcare network.”
To minimize risk and prevent unauthorized access, HDOs (healthcare delivery organizations) should implement a range of risk mitigation measures, such as avoiding software and file downloads from untrusted sources; prohibiting the loading of files from patient devices onto healthcare workstations or other network-connected devices; and implementing strong network segmentation to separate untrusted devices and networks (such as guest Wi-Fi) from the internal hospital infrastructure.
They should also ensure that endpoints are protected with up-to-date antivirus or EDR solutions, continuously monitor network traffic and endpoint telemetry for suspicious activity, and actively hunt for malicious activity consistent with known threat actor behavior to ensure early detection and response.