Silver Fox APT Hides ValleyRAT in Trojanized Medical Imaging Software


Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to healthcare security and patient data.

Forescout’s Vedere Labs’ latest investigation, shared with Hackread.com, reveals that the notorious Chinese advanced persistent threat (APT) group Silver Fox has launched a sophisticated new campaign in which it trojanises DICOM (Digital Imaging and Communications in Medicine) viewer software, the standard tooling for patient medical imaging, to distribute malware.

The Silver Fox group has been active since at least 2024, and Hackread.com has followed its activities ever since. Initially it focused on Chinese-speaking victims, distributing malware, usually disguised as AI applications or VPN software, through channels such as SEO poisoning and social media.

Over time, its targets broadened to include government institutions, cybersecurity companies, e-commerce, finance, and even gaming applications. The latest research points to the group’s expansion into the healthcare sector, with malware samples originating from the US and Canada.

The current campaign uses trojanised versions of the Philips DICOM viewer executable. The trojanised binary acts as a first-stage loader: it checks connectivity to its command and control (C2) server using standard Windows commands, runs PowerShell scripts to weaken Windows Defender, and then downloads encrypted payloads disguised as image files from an Alibaba Cloud storage bucket. Those payloads include tools to disable antivirus software, auxiliary files, and shellcode.

The downloaded components are decrypted and assembled into a second-stage executable that persists on the system through scheduled tasks. This second stage disables security software and downloads another encrypted file which, once decrypted, reveals the core payload: the ValleyRAT backdoor.
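The first- and second-stage behaviours described above (a connectivity check with ping, Defender exclusions added through PowerShell, and scheduled-task persistence) each leave traces in endpoint telemetry, and correlating them per host is a cheap way to hunt for this chain without a sample hash. The Python below is an added example written for this page, not Forescout’s or Hackread’s code. The log lines are constructed, the host names and the 203.0.113.10 address are placeholders, and the regexes are assumptions about how such commands appear in Sysmon Event ID 1 or PowerShell 4104 script-block logs rather than signatures derived from the samples.

```python
import re
from collections import defaultdict

# Detection rules: name -> regex over the logged command line (case-insensitive).
# Assumption: this is how the behaviours described in the article show up in
# Sysmon Event ID 1 / PowerShell 4104 logs; they are not signatures from the samples.
RULES = {
    # Defender exclusions added, or protections switched off, via PowerShell
    "defender_weakening": re.compile(
        r"\b(Add|Set)-MpPreference\b.*?-(Exclusion\w*|Disable\w+)", re.I),
    # ping used as a one-off connectivity check before a download
    "ping_check": re.compile(r"\bping(\.exe)?\b.*?\s-n\s+\d+\s+\S+", re.I),
    # scheduled-task persistence created with schtasks.exe
    "schtasks_persist": re.compile(
        r"\bschtasks(\.exe)?\b.*?/create\b.*?/tr\b", re.I),
    # the same persistence through the PowerShell cmdlet
    "schtasks_persist_ps": re.compile(r"\bRegister-ScheduledTask\b", re.I),
}

# Constructed sample telemetry: (host, image, command line). Not real captures.
SAMPLE_EVENTS = [
    ("RAD-WS01", "cmd.exe",
     "cmd.exe /c ping -n 1 203.0.113.10"),
    ("RAD-WS01", "powershell.exe",
     "powershell -w hidden Add-MpPreference -ExclusionPath C:\\ProgramData\\Viewer"),
    ("RAD-WS01", "schtasks.exe",
     "schtasks /create /tn Updater /tr C:\\ProgramData\\Viewer\\svc.exe /sc onlogon /ru SYSTEM"),
    ("RAD-WS02", "cmd.exe",
     "cmd.exe /c ping -n 4 pacs.example.internal"),
    ("RAD-WS02", "notepad.exe",
     "notepad.exe C:\\Users\\rad\\notes.txt"),
]


def match_rules(cmdline):
    """Return the names of every rule that fires on a single command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def correlate(events, min_rules=2):
    """Group rule hits per host and return only hosts on which at least
    `min_rules` distinct behaviours were seen. A lone ping is normal on a
    PACS workstation; ping plus a Defender exclusion plus a new task is not."""
    hits = defaultdict(set)
    for host, _image, cmdline in events:
        for name in match_rules(cmdline):
            hits[host].add(name)
    return {host: sorted(names) for host, names in hits.items()
            if len(names) >= min_rules}


if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

The per-host threshold is the point of the design: any one of these commands is seen on healthy machines, but the combination within a short window is what the article describes, so the rules are scored together rather than alerted individually. Feeding real events means replacing SAMPLE_EVENTS with tuples pulled from your SIEM and, ideally, adding a time bound so hits from last month do not combine with today’s.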

“During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT, a backdoor remote access tool (RAT) used to gain control of victim computers,” researchers noted in the blog post.

ValleyRAT gives attackers extensive control over the compromised machine, potentially opening a path into sensitive hospital networks. In addition to the backdoor, the malware installs a keylogger to capture user input and a cryptominer that mines cryptocurrency for the attackers. All of these components are set up to persist on the system, so they keep running after a reboot.

The Multi-Stage Infection Process (Source: Forescout)

The malware uses several techniques to evade detection and analysis, including obfuscation such as API hashing and indirect API retrieval, long sleep intervals, system fingerprinting, and masked DLL loading. Random bytes are added to the samples, which changes their file hashes and complicates signature-based detection. The researchers found that the Alibaba Cloud storage buckets were still reachable during analysis, even though the C2 server was offline.

Researchers warn that compromised DICOM viewers pose a grave risk to healthcare delivery organisations (HDOs), since an infected device can serve as an entry point into hospital networks. To mitigate these risks, HDOs should avoid downloading software from untrusted sources, restrict file loading from patient devices, implement robust network segmentation, keep endpoint protection up to date, monitor network traffic, and proactively hunt for malicious activity.
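The loader described earlier fetches encrypted payloads that carry image extensions, and the mitigation list ends with proactively hunting for malicious activity. One hunt that follows directly from both is to check whether files with image or DICOM extensions in a viewer’s download or cache directory actually begin with the header their extension promises, and to flag high-entropy blobs that do not. The Python below is an added example for this page, not code from Forescout, Philips or the malware itself; the sample files are constructed, the 7.5 bits-per-byte entropy threshold is an assumption, and imaging formats beyond PNG, JPEG, GIF, BMP and DICOM Part 10 would need their own magic entries.

```python
import math
import os
from collections import Counter

# Leading bytes for image types a viewer workstation legitimately holds.
# Assumption: this short list is enough for the hunt; extend it per site.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}
DICOM_EXT = ".dcm"
PE_MAGIC = b"MZ"


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext, data):
    """True when the file's leading bytes agree with its extension.
    DICOM Part 10 files carry a 128-byte preamble followed by 'DICM'."""
    ext = ext.lower()
    if ext == DICOM_EXT:
        return len(data) >= 132 and data[128:132] == b"DICM"
    return any(data.startswith(m) for m in IMAGE_MAGIC.get(ext, ()))


def assess(name, data, entropy_threshold=7.5):
    """Classify one file as (verdict, reason). Order matters: a PE header is
    the strongest signal, then a header/extension mismatch, with entropy of
    the mismatched blob separating encrypted payloads from mere misnaming."""
    ext = os.path.splitext(name)[1].lower()
    if ext != DICOM_EXT and ext not in IMAGE_MAGIC:
        return ("unknown", "extension is not an image type this check knows")
    if data.startswith(PE_MAGIC):
        return ("malicious", "PE executable carrying an image extension")
    if header_matches(ext, data):
        return ("ok", "header matches extension")
    ent = shannon_entropy(data[:4096])
    if ent >= entropy_threshold:
        return ("suspicious",
                f"header mismatch and high entropy ({ent:.2f} bits/byte): likely encrypted blob")
    return ("suspicious", f"header mismatch (entropy {ent:.2f} bits/byte)")


def scan_directory(path):
    """Assess every regular file directly under `path`.
    Returns {filename: (verdict, reason)}; only the first 4 KiB is read."""
    results = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                results[entry.name] = assess(entry.name, fh.read(4096))
    return results


# Constructed samples, not files from the campaign.
SAMPLES = {
    "chest.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 200,           # well-formed PNG header
    "scan1.dcm": b"\x00" * 128 + b"DICM" + b"\x02\x00\x00\x00",   # DICOM preamble + marker
    "photo.jpg": bytes(range(256)) * 4,                          # uniform bytes: entropy 8.0
    "logo.gif": b"MZ\x90\x00" + b"\x00" * 60,                    # PE masquerading as GIF
    "notes.txt": b"plain text",                                  # not an image at all
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, *assess(name, blob))
```

Point scan_directory at the viewer’s download folder or the per-user temp directory on a PACS workstation. Genuine JPEG and PNG data is also high-entropy, which is why entropy is only consulted after the header check fails: a real image passes on its header, while an encrypted payload with a .jpg name fails the header check and then lights up on entropy.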
