
    From Mike Powell@1:2320/105 to All on Thu Feb 27 10:10:00 2025
    Chinese hacking group hijacks hospital computers by spoofing legitimate
    medical software

    Date:
    Wed, 26 Feb 2025 16:49:00 +0000

    Description:
    Patients are having their data and credentials stolen after Silver Fox group hijacks legitimate medical software to infect their devices.

    FULL STORY ======================================================================
    - ForeScout says Silver Fox crime group is targeting hospital patients
    - The group uses spoofed medical software to install malware
    - Credentials, sensitive data, and crypto are then stolen

    A Chinese hacking group has been spotted spoofing legitimate medical software to infect patient computers with malware.

    The attacks have been attributed by Forescout to a group tracked as Silver
    Fox, Void Arachne, and The Great Thief of Valley, and use legitimate medical software such as Philips DICOM medical image viewer to deploy the ValleyRAT remote access tool.

    ValleyRAT is then used as a backdoor to deploy infostealing malware that targets sensitive data, credentials, and cryptocurrency.

    Expanding horizons

    As a China-based group, Silver Fox has typically targeted Chinese speakers in previous attacks, but Forescout notes that malware samples they have
    collected show filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggest[ing] that the group may be expanding its targeting to new regions and sectors.

    How Silver Fox gets its malware onto the victims' devices has not yet been determined, but Forescout notes that previous attacks have seen the group use phishing and SEO poisoning techniques to ship their malware.

    Once installed, the malware will establish a connection with the attackers' command and control (C2) server using ping.exe, find.exe, cmd.exe, and ipconfig.exe. The malware will also run PowerShell commands to hide its communication paths from Windows Defender scans.

    The malware will then retrieve additional payloads from the C2 server, such
    as a security-tool-sniffing malware that searches the system for antivirus and endpoint protection software that could detect it, and disables it
    where possible. ValleyRAT is then deployed, stealing information and
    extracting it to the C2 server.

    Forescout also notes that while not directly targeting a hospital, but rather the victim's device, the malware still poses a significant risk for patients
    who take infected devices into medical facilities, where the malware could spread through unsecured networks and into hospital systems.

    Via TheRegister

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/chinese-hacking-group-hijacks-hospital-computers-by-spoofing-legitimate-medical-software

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)