- Forescout says the Silver Fox crime group is targeting hospital patients
- The group uses trojanized medical software to install malware
- Credentials, sensitive data and crypto data are then stolen
A Chinese hacking group has been spotted trojanizing legitimate medical software to infect patients' computers with malware.
The attacks have been attributed by Forescout to a group tracked as Silver Fox, Void Arachne and The Great Thief of Valley, and abuse legitimate medical software such as the Philips DICOM medical image viewer to deploy the ValleyRAT remote access tool.
ValleyRAT is then used as a backdoor to deploy information-stealing malware that targets sensitive, credential and cryptocurrency data.
Expanding horizons
As a China-based group, Silver Fox has generally targeted Chinese speakers in previous attacks, but Forescout notes that the malware samples it has collected show “file names mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggest[ing] that the group may be expanding its targeting to new regions and sectors.”
How Silver Fox delivers its malware to victims' devices has not yet been determined, but Forescout notes that previous attacks have seen the group use phishing and SEO poisoning to deliver its malware.
Once installed, the malware establishes a connection to the attacker's command-and-control (C2) server using ping.exe, find.exe, cmd.exe and ipconfig.exe. The malware also runs PowerShell commands to hide its communication paths from Windows Defender scans.
The malware then retrieves additional payloads from the C2 server, such as a security-tool-sniffing module that scans the system for antivirus and endpoint protection software that could detect it, and disables them where possible. ValleyRAT is then deployed, stealing information and exfiltrating it to the C2 server.
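The behaviours described above (recon and C2 set-up through ping.exe, find.exe, cmd.exe and ipconfig.exe, and PowerShell used to carve the malware's paths out of Windows Defender scans) are visible in process creation telemetry. The following detection sketch is an added example written for this page, not code from Forescout's report. The events are constructed Sysmon-style records; the Defender exclusion cmdlet (Add-MpPreference with -ExclusionPath / -ExclusionProcess) is an assumption about how such an exclusion is typically added, since the article does not name the exact PowerShell commands.

```python
import ntpath
import re

# Constructed Sysmon-style process creation events (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    # 1: a lookalike "medical viewer" binary run from Downloads spawning cmd.exe with chained recon tools
    {"pid": 4120, "parent_image": r"C:\Users\pat\Downloads\DicomViewerSetup.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c ping.exe -n 1 203.0.113.10 && ipconfig.exe /all"},
    # 2: hidden PowerShell adding Defender exclusions (assumed technique; cmdlet not named in the report)
    {"pid": 4188, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\pat\AppData\Roaming\upd -ExclusionProcess upd.exe"'},
    # 3: benign launch of a properly installed viewer (must not alert)
    {"pid": 5002, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Vendor\Viewer\Viewer.exe",
     "command_line": r'"C:\Program Files\Vendor\Viewer\Viewer.exe" study.dcm'},
    # 4: benign PowerShell (must not alert)
    {"pid": 5100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe Get-Date"},
]

# Binaries the article says are used to set up the C2 connection.
RECON_BINARIES = {"ping.exe", "find.exe", "cmd.exe", "ipconfig.exe"}
# Parent processes living in user-writable locations are where a downloaded lookalike installer would run from.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
# Assumed Defender exclusion pattern: Add-/Set-MpPreference with an -Exclusion* parameter.
DEFENDER_EXCLUSION_RE = re.compile(r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I)
HIDDEN_WINDOW_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def referenced_recon_tools(command_line):
    """Return the set of recon/C2 helper binaries named anywhere in a command line."""
    tokens = re.findall(r"[\w.-]+\.exe", command_line, re.I)
    return {t.lower() for t in tokens} & RECON_BINARIES


def check_event(event):
    """Return the list of rule names that fire for one process creation event."""
    findings = []
    image = basename(event["image"])
    cmd = event["command_line"]
    # A recon binary launched by something running out of Downloads/AppData/Temp is suspicious on its own.
    if image in RECON_BINARIES and USER_WRITABLE_RE.search(event["parent_image"]):
        findings.append("recon_binary_from_user_writable_parent")
    # Several of the named tools chained in one command line matches the described C2 set-up.
    if len(referenced_recon_tools(cmd)) >= 2:
        findings.append("chained_recon_binaries")
    if image in ("powershell.exe", "pwsh.exe"):
        if DEFENDER_EXCLUSION_RE.search(cmd):
            findings.append("defender_exclusion_added")
        if HIDDEN_WINDOW_RE.search(cmd):
            findings.append("hidden_powershell_window")
    return findings


def scan(events):
    """Map pid -> findings for every event that triggered at least one rule."""
    alerts = {}
    for event in events:
        findings = check_event(event)
        if findings:
            alerts[event["pid"]] = findings
    return alerts


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

The two benign events produce no findings, which is the check worth keeping when tuning such rules: the imaging viewer itself is legitimate software, so the signal has to come from where the parent runs from and what it spawns, not from the viewer's name. Defender exclusion changes are also recorded in the Windows Defender operational event log, which gives a second, independent source for the "defender_exclusion_added" rule.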
Forescout also notes that although the attack does not target hospitals directly, but rather the victim's own device, the malware still poses a significant risk to patients who bring infected devices into medical facilities, where it could spread across insecure networks and hospital systems.
Via Forescout