Hackers using weaponized DICOM viewer installers to infiltrate networks

The healthcare industry has long been a prime target for cybercriminals, with hospitals and providers often caught in the crosshairs of ransomware attacks. But a new, more insidious threat has emerged — one that doesn't just encrypt files and demand payment. Instead, it lingers in the shadows, siphoning data undetected.

Researchers at cybersecurity firm Forescout have identified a China-based hacking group, Silver Fox, that's taking a quieter yet equally dangerous approach. Using weaponized DICOM viewer installers, they're infiltrating networks, creating backdoors, and taking control of victims' systems without raising alarm bells.

How does it work?

Silver Fox employs a sneaky, multi-stage attack, slipping past unsuspecting users through malicious software installers:

  • Masquerading as Trusted Software: The group disguises its malware as legitimate healthcare applications, particularly Philips DICOM viewers, widely used by patients to access medical images.
  • First-Stage Loader: When a victim downloads the fake installer, a first-stage loader gets to work, setting the stage for more malware to follow.
  • Cloud-Based Payload Delivery: The loader fetches additional malware from an Alibaba cloud bucket.
  • Breaking Down Defenses: A second-stage payload disables antivirus software, clearing the way for full-blown infection.
  • The Final Blow: The third-stage payload delivers ValleyRAT, a remote access Trojan that installs a keylogger and a cryptocurrency miner, giving the attackers remote control of the victim's machine.
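As an added illustration, not code from the article or from Forescout's research, the Python sketch below shows how a defender might correlate endpoint telemetry into the staged pattern just described: an installer whose name imitates a DICOM viewer but is not signed by a trusted publisher, followed within a short window by a connection to a cloud object-storage host and then by an antivirus service being stopped. The log format, hostnames, file names, the `TRUSTED_SIGNERS` allowlist and the object-storage hostname heuristic are all constructed placeholders, not indicators from the campaign.

```python
"""Correlate constructed endpoint telemetry into a three-stage installer chain.

Everything here (log lines, hosts, paths, signer names) is made up for
illustration; tune the patterns and allowlists to your own environment.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed telemetry, one event per line: timestamp|host|event|key=value;key=value
SAMPLE_LOG = """\
2025-01-10T09:00:01|ws-17|PROCESS_START|image=C:\\Users\\pat\\Downloads\\Philips_DICOM_Viewer_Setup.exe;signer=UNSIGNED
2025-01-10T09:00:04|ws-17|NETWORK_CONNECT|dest=bucket-placeholder.oss-example.invalid:443
2025-01-10T09:00:09|ws-17|SERVICE_STOP|service=WinDefend
2025-01-10T09:01:30|ws-22|PROCESS_START|image=C:\\Program Files\\Vendor\\DICOM_Viewer_Setup.exe;signer=Vendor Inc.
2025-01-10T09:01:32|ws-22|NETWORK_CONNECT|dest=updates.vendor.invalid:443
"""

# Stage 1: installer-like file name imitating a DICOM viewer (constructed pattern)
INSTALLER_NAME = re.compile(r"dicom.*(viewer|setup|install)", re.IGNORECASE)
# Publishers whose signatures we accept; anything else is treated as untrusted (placeholder)
TRUSTED_SIGNERS = {"Vendor Inc."}
# Stage 2: crude hostname heuristic for cloud object storage (constructed; not a real IoC)
OBJECT_STORAGE = re.compile(r"\.(oss-[a-z0-9-]+|s3[.-]|blob\.)", re.IGNORECASE)
# Stage 3: antivirus services whose stop is suspicious (WinDefend is the Defender service name)
AV_SERVICES = {"WinDefend", "MsMpSvc"}
WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict = field(default_factory=dict)


def parse(log: str):
    """Yield Event objects from the pipe-delimited constructed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)
        yield Event(datetime.fromisoformat(ts), host, kind, fields)


def correlate(events):
    """Return one alert per host where all three stages occur in order within WINDOW."""
    by_host: dict = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            if start.kind != "PROCESS_START":
                continue
            image = start.fields.get("image", "")
            signer = start.fields.get("signer", "UNSIGNED")
            if not INSTALLER_NAME.search(image) or signer in TRUSTED_SIGNERS:
                continue  # signed by a trusted publisher, or not installer-like: ignore
            stages = ["stage1_untrusted_installer"]
            for later in evs[i + 1:]:
                if later.ts - start.ts > WINDOW:
                    break
                if (len(stages) == 1 and later.kind == "NETWORK_CONNECT"
                        and OBJECT_STORAGE.search(later.fields.get("dest", ""))):
                    stages.append("stage2_cloud_payload_fetch")
                elif (len(stages) == 2 and later.kind == "SERVICE_STOP"
                        and later.fields.get("service") in AV_SERVICES):
                    stages.append("stage3_av_disabled")
            if len(stages) == 3:
                alerts.append({"host": host, "image": image, "signer": signer, "chain": stages})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

Only `ws-17` fires: its installer is unsigned and is followed by both later stages, while `ws-22` runs an installer signed by an allowlisted publisher and contacts an ordinary update host. Requiring the stages in order within a short window keeps a lone unsigned download or a routine service restart from alerting on its own.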

While the primary infection vector remains unclear, Silver Fox has a track record of using SEO poisoning, phishing, and gaming platforms to lure victims.

Why does it matter?

Unlike traditional ransomware attacks that make a big, noisy splash, Silver Fox is playing the long game. Instead of locking up files and demanding ransoms, they sit undetected, collecting valuable data. The implications are staggering:

  • Data Theft on a Grand Scale: Silver Fox's operations now extend beyond finance and corporate targets to government agencies and cybersecurity firms. The shift to healthcare is a troubling sign.
  • Patient Data at Risk: "While these DICOM viewers likely target patients rather than hospitals directly, as patients often use these applications to view their own medical images, the risk to HDOs remains significant," explained Forescout. If infected devices enter hospital networks, they could become a Trojan horse for a larger cyberattack.
  • Wider Attack Surface: With the rise of remote healthcare and hospital-at-home programs, the boundaries between personal and medical networks are increasingly blurred, creating more opportunities for cyber threats to spread.

The context

Silver Fox, also known as Void Arachne or The Great Thief of the Valley, is a relatively new name in the cybercrime underworld. First spotted in June 2024, the group initially focused on Chinese targets, deploying ValleyRAT malware through deceptive VPN and AI applications. But its scope has rapidly expanded.

Initially, its focus was on stealing data from finance, sales, management, and accounting firms. Now, its attacks have grown more sophisticated, spreading to healthcare providers and even government entities.

The big question is whether Silver Fox is purely financially motivated or an advanced persistent threat (APT) group operating under state sponsorship. The answer remains murky.

Forescout's research uncovered a staggering 29 malware samples disguised as Philips DICOM viewer installers, with the campaign dating back to at least December 2024. While there's no evidence that actual Philips medical devices were hacked, the mere ability to impersonate such trusted software underscores the group's sophistication.

Against this backdrop, cybersecurity experts strongly recommend:

  • Downloading software only from trusted sources to avoid falling victim to malicious installers.
  • Implementing strict network segmentation to limit an attacker's ability to move laterally.
  • Deploying endpoint security solutions to detect and neutralize threats early.
  • Monitoring network activity and investigating anomalies before they escalate into full-blown breaches.

As cyber threats against healthcare organizations continue to evolve, vigilance is more critical than ever. Silver Fox may be operating under the radar for now, but their growing reach is a stark warning: the era of silent cyber intrusions has arrived.
