Researchers at Forescout’s Vedere Labs have uncovered a malicious campaign carried out by the Chinese-backed hacking group known as Silver Fox. The campaign targeted vulnerable Philips Digital Imaging and Communications in Medicine (DICOM) medical imaging software, which is widely used in healthcare facilities to display and analyze medical images such as X-rays, CT scans, MRI scans, and ultrasounds.
Silver Fox deployed a range of malicious payloads, including a backdoor, keylogger, and crypto miner, on victim computers, with SEO poisoning or phishing campaigns suspected as the breach method.
Forescout’s researchers identified 29 distinct malware samples, masquerading as legitimate Philips DICOM viewers, that were used to deploy the ValleyRAT backdoor.
The ValleyRAT backdoor, also known as Winos 4.0, is a Remote Access Trojan (RAT) that provides attackers full control over infected machines, enabling them to steal sensitive data, install more malicious software, and potentially infiltrate hospital networks.
The malware infection begins with a first-stage payload, named MediaViewerLauncher.exe. The file conducts initial beaconing and reconnaissance, verifying the system’s connection to a command-and-control (C2) server while also evading security software.
It leverages PowerShell commands to bypass Windows Defender’s scanning mechanisms and retrieves encrypted payloads from an Alibaba Cloud bucket, decrypting them into a malicious executable. The executable is then set up as a scheduled task to ensure persistence even after a system reboot.
The attack uses Alibaba Cloud services to host encrypted payloads. While the C2 server was offline during analysis, the cloud storage buckets hosting the payloads were still accessible.
In the second stage of the malware attack, once the first payload is executed, the malware loads a DLL with code designed to evade detection. It scans for security software on the compromised machine and uses the TrueSightKiller tool to disable any antivirus or endpoint detection systems.
Once security defenses are disabled, the malware decrypts and installs additional payloads, including the ValleyRAT backdoor and a loader module, granting the attackers persistent administrative access to the infected systems.
In June 2024, Silver Fox’s activities evolved to include a modified version of ValleyRAT that incorporated DLL sideloading, process injection, and an HTTP File Server (HFS) for download and command-and-control purposes. This shift in tactics may indicate that Silver Fox is an advanced persistent threat (APT) group masquerading as cybercriminals to target governmental institutions and cybersecurity companies. Further analysis by Chinese cybersecurity firm Knownsec in July 2024 suggested that Silver Fox’s activities might be part of a larger, state-sponsored effort aimed at infiltrating sensitive networks.