Chinese-backed hacking group Silver Fox covertly plants malware in healthcare systems
In a recent cybersecurity threat, a Chinese-backed hacking group known as Silver Fox has been identified as targeting healthcare networks with the ValleyRAT malware. This remote access trojan (RAT), also known as Winos 4.0, was initially documented in early 2023.
The malware uses multiple obfuscation and evasion techniques to hinder detection and analysis. It delivers encrypted payloads from cloud storage buckets, specifically on Alibaba Cloud. The first-stage malware, MediaViewerLauncher.exe, performs beaconing and reconnaissance, checks for connectivity to the command-and-control (C2) server hosted in Alibaba Cloud, and employs further security evasion techniques.
The group has been shifting its distribution methods, leveraging gaming applications as a new delivery mechanism since November 2024. In the most recent campaign, the malware was disguised as Philips DICOM (Digital Imaging and Communications in Medicine) viewers, the software used to view patient medical imaging, but instead deployed the ValleyRAT backdoor.
Once installed, the malware drops ValleyRAT, a backdoor that gives attackers full control of victim computers. The malware deployed in the campaign includes a backdoor, a keylogger, and a crypto miner, indicating the introduction of new tactics, techniques, and procedures (TTPs) into the group's campaigns.
To minimize risk and prevent unauthorized access, healthcare delivery organisations (HDOs) are advised to implement risk mitigation measures. These include avoiding downloading software or files from untrusted sources, prohibiting loading of files from patient devices onto healthcare workstations or other network-connected equipment, implementing strong network segmentation, ensuring all endpoints are protected with up-to-date antivirus or EDR solutions, continuously monitoring all network traffic and endpoint telemetry for suspicious activity, and proactively hunting for malicious activity that aligns with known threat actor behaviour.
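One way to act on the monitoring and hunting advice above, given the cloud-storage delivery and Alibaba Cloud C2 beaconing described earlier, is a small log-hunting script that looks for imaging workstations talking to public object storage at regular intervals. This is an added example for this article, not code from Forescout, Vedere Labs or any vendor. It assumes a flat firewall or proxy export with the fields timestamp, source host, asset role, destination host, port and bytes sent; the role tags, allowlist, bucket name and every log line are constructed for the example, and the aliyuncs.com suffix appears only because the article names Alibaba Cloud.

```python
"""Hunt for imaging workstations beaconing to public object storage.

Added example for this article (not vendor code). Assumed log format per line:
  <ISO-8601 UTC timestamp> <src_host> <asset_role> <dst_host> <dst_port> <bytes_out>
Role tags and the allowlist are assumed to come from the HDO's own asset inventory.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample traffic: not real hosts, not published indicators.
SAMPLE_LOG = """\
2025-02-20T09:01:05Z ws-radiology-07 imaging-ws pacs.hospital.local 11112 2048
2025-02-20T09:01:10Z ws-radiology-07 imaging-ws example-bucket.oss-cn-hangzhou.aliyuncs.com 443 1500
2025-02-20T09:01:40Z ws-radiology-07 imaging-ws example-bucket.oss-cn-hangzhou.aliyuncs.com 443 1500
2025-02-20T09:02:10Z ws-radiology-07 imaging-ws example-bucket.oss-cn-hangzhou.aliyuncs.com 443 1500
2025-02-20T09:02:40Z ws-radiology-07 imaging-ws example-bucket.oss-cn-hangzhou.aliyuncs.com 443 1500
2025-02-20T09:03:00Z ws-admin-02 office-ws updates.vendor.example 443 90000
2025-02-20T09:03:12Z ws-radiology-03 imaging-ws files.corp-sharepoint.example 443 3000
"""

# Destinations the HDO expects imaging hosts to reach (assumed values).
ALLOWED_SUFFIXES = (".hospital.local", "updates.vendor.example")
# Public object-storage endpoint suffixes. aliyuncs.com is Alibaba Cloud's
# endpoint domain (the provider named in the article); the others are assumed.
STORAGE_SUFFIXES = (".aliyuncs.com", ".s3.amazonaws.com", ".blob.core.windows.net")
# Asset roles that should never need direct access to public object storage.
WATCHED_ROLES = {"imaging-ws"}


def parse_log(text):
    """Turn the flat export into a list of dicts with parsed timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, role, dst, port, nbytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "role": role, "dst": dst.lower(),
            "port": int(port), "bytes": int(nbytes),
        })
    return records


def _matches(host, suffixes):
    """True when host equals a suffix (without its leading dot) or ends with it."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def is_periodic(times, min_hits=3, max_jitter=0.2):
    """Return (periodic?, mean gap in seconds).

    Beacons tend to fire at near-constant intervals, so the gaps between
    connections are compared against their mean: low relative spread means
    a regular schedule rather than a human clicking around.
    """
    if len(times) < min_hits:
        return False, None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False, avg
    return pstdev(gaps) / avg <= max_jitter, avg


def hunt(records, roles=WATCHED_ROLES, allowed=ALLOWED_SUFFIXES, storage=STORAGE_SUFFIXES):
    """Flag every (watched host, non-allowlisted destination) pair, worst first."""
    by_pair = defaultdict(list)
    for r in records:
        if r["role"] not in roles or _matches(r["dst"], allowed):
            continue
        by_pair[(r["src"], r["dst"])].append(r["ts"])

    findings = []
    for (src, dst), times in by_pair.items():
        periodic, avg = is_periodic(times)
        findings.append({
            "src": src, "dst": dst, "hits": len(times),
            "cloud_storage": _matches(dst, storage),   # off-allowlist object storage
            "periodic": periodic,                      # regular cadence = beacon-like
            "mean_interval_s": avg,
        })
    # Object-storage egress with a regular cadence is the strongest signal here.
    findings.sort(key=lambda f: (f["cloud_storage"], f["periodic"], f["hits"]), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample, the radiology workstation reaching an Alibaba Cloud bucket every 30 seconds is ranked first (object storage, periodic, four hits), while the single SharePoint-style connection from another imaging host is reported as a lower-priority off-allowlist egress for a human to review. The thresholds and suffix lists are starting points to tune against the organisation's own baseline, not fixed rules.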
Multiple cybersecurity firms have assessed that the cybercriminal group behind ValleyRAT is a China-based threat actor. In July 2024, a new analysis by Chinese firm Knownsec's 404 Advanced Threat Intelligence Team suggested that Silver Fox may be an advanced persistent threat (APT) group masquerading as cybercriminals, as its targeting shifted to governmental institutions and cybersecurity companies.
Forescout's Vedere Labs noted that Silver Fox's TTPs demonstrate a high level of sophistication and adaptability. The group's use of a crypto miner further underscores their evolving tactics and the need for continued vigilance in the cybersecurity community.