Forescout observed the recently identified Chinese hacking group using medical imaging software applications to deliver malware
# Analysis Summary
# Threat Actor: Silver Fox
## Attribution & Identity
* **Identification:** Chinese-backed hacking group.
* **Aliases/Associated Groups:** Has been linked to the use of ValleyRAT (also known as Winos 4.0). Early analysis of Winos 4.0 suggested a China-based origin. A recent analysis by Knownsec suggested Silver Fox might be an Advanced Persistent Threat (APT) group masquerading as cybercriminals.
## Activity Summary
* **Recent Campaign (Observed by Forescout):** A multi-stage malware campaign targeting healthcare networks by distributing malware masquerading as Philips Digital Imaging and Communications in Medicine (DICOM) medical imaging viewer software. The goal was to deploy the ValleyRAT backdoor, a keylogger, and a crypto miner.
* **Historical Activities:**
  * Previously targeted Chinese-speaking users via malicious Windows Installer (MSI) files containing legitimate software alongside ValleyRAT/Winos 4.0 payloads (observed early 2023).
  * In June 2024, deployed a modified ValleyRAT incorporating DLL sideloading, process injection, and an HTTP File Server (HFS) for C2.
  * In July 2024, targeting shifted to governmental institutions and cybersecurity companies, alongside traditional targets such as e-commerce, finance, sales, and management enterprises.
  * In November 2024, shifted distribution methods to leverage gaming applications.
* **Noteworthy Evolution:** The introduction of a crypto miner signifies the adoption of new TTPs into their established campaigns.
## Tactics, Techniques & Procedures
* **Initial Access:** History of using SEO poisoning and phishing. In the latest campaign the initial vector was unclear, but the distributed malware samples masqueraded as Philips DICOM viewers.
* **Execution & Persistence:**
  * Uses a first-stage preparatory malware (`MediaViewerLauncher.exe`) for beaconing and reconnaissance.
  * Initial staging leverages Alibaba Cloud buckets to host encrypted payloads.
  * Payloads are decrypted to generate a malicious executable, which achieves persistence via registration as a Windows scheduled task (potentially using RPC-based task scheduling).
* **Defense Evasion & Security Control Disruption:**
  * Uses PowerShell commands to exclude specific paths from Windows Defender scanning.
  * Second-stage malware loads a DLL containing injected code designed to evade debugging.
  * Employs **TrueSightKiller** (an open-source tool) to terminate and disable antivirus and EDR solutions.
  * Uses obfuscation techniques, including API hashing and indirect API retrieval.
  * Employs evasion techniques such as long sleep intervals, system fingerprinting, and masked DLL loading.
  * Adds random bytes to dropped and loaded files to defeat file hash-based detection.
  * Uses driver loading to bypass standard process monitoring.
* **Command and Control (C2):** C2 infrastructure hosted partially on Alibaba Cloud.
* **Payloads:** ValleyRAT (backdoor), keylogger, and crypto miner.
## Targeting
* **Sectors:** Healthcare (specifically those using Philips DICOM software), governmental institutions, cybersecurity companies, e-commerce, finance, sales, and management enterprises.
* **Geography:** Recent campaign included file submissions from the US and Canada, suggesting expansion into these regions. Historically targeted Chinese-speaking users.
* **Victims:** Organizations utilizing Philips DICOM software within healthcare environments.
## Tools & Infrastructure
* **Malware Families Used:** ValleyRAT (Winos 4.0), custom first-stage malware (e.g., `MediaViewerLauncher.exe`), keylogger, crypto miner.
* **Infrastructure (C2, domains, IPs):**
  * C2 servers hosted partially on Alibaba Cloud.
  * Encrypted payloads hosted on Alibaba Cloud storage buckets.
  * Previously observed using an HTTP File Server (HFS) for C2/downloads.
## Implications
Silver Fox demonstrates a high level of sophistication, adaptability, and modular infrastructure use (leveraging cloud services). Its shift to highly sensitive healthcare software (DICOM viewers) and the inclusion of a crypto miner indicate operational expansion and a willingness to use riskier monetization techniques alongside traditional espionage and access objectives. The combination of multiple evasion techniques makes detection challenging for traditional defenses.
## Mitigations
* Avoid downloading software or files from untrusted sources, especially critical operational software like medical imaging viewers.
* Prohibit loading of files from patient devices onto healthcare workstations or other network-connected equipment.
* Implement strong network segmentation to isolate untrusted devices and networks (e.g., guest Wi-Fi) from internal hospital infrastructure.
* Ensure all endpoints are protected with up-to-date antivirus or EDR solutions.
* Continuously monitor all network traffic and endpoint telemetry for suspicious activity (looking for characteristics like scheduled task creation, security software termination, and unusual outbound traffic related to cloud buckets).
* Proactively hunt for malicious activity aligning with known Silver Fox behaviors (e.g., evidence of API hashing, process injection techniques, and use of TrueSightKiller).
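The following hunt script is an added example (not part of the Forescout report) that turns the Defense Evasion behaviours listed above and the monitoring points in the mitigations into concrete rules run over endpoint telemetry. The telemetry lines are constructed for this example, the flattened JSON field names (`event_id`, `command`, `image_loaded`, `dest_host`) are this example's own normalised schema rather than a vendor format, and the `.aliyuncs.com` suffix is assumed as the Alibaba Cloud OSS endpoint domain.

```python
"""Hunt over exported Windows telemetry for behaviours attributed to Silver Fox."""
import json

# Constructed sample telemetry, one JSON event per line, in a normalised schema
# assumed here (field names are this example's own, not a vendor format).
# Event IDs: 4104 = PowerShell script block, 4698 = scheduled task created,
# Sysmon 6 = driver loaded, Sysmon 3 = network connection.
SAMPLE_EVENTS = r"""
{"ts":"2025-02-20T09:14:02Z","host":"RAD-WS-07","event_id":4104,"script":"Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Viewer'"}
{"ts":"2025-02-20T09:14:05Z","host":"RAD-WS-07","event_id":4698,"task_name":"\\MediaViewerUpdate","command":"C:\\ProgramData\\Viewer\\MediaViewerLauncher.exe"}
{"ts":"2025-02-20T09:14:09Z","host":"RAD-WS-07","event_id":6,"image_loaded":"C:\\Windows\\Temp\\truesight.sys"}
{"ts":"2025-02-20T09:14:11Z","host":"RAD-WS-07","event_id":3,"image":"C:\\ProgramData\\Viewer\\MediaViewerLauncher.exe","dest_host":"bucket.oss-cn-hangzhou.aliyuncs.com"}
{"ts":"2025-02-20T09:20:00Z","host":"RAD-WS-07","event_id":4698,"task_name":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","command":"C:\\Windows\\System32\\defrag.exe"}
"""

# Directories a non-admin process can typically write to; legitimate services
# and drivers rarely run from here, so they are a strong hunting pivot.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def suspicious_path(path):
    """True when an executable or driver lives in a user-writable directory."""
    return path.lower().startswith(USER_WRITABLE)


def hunt(lines):
    """Return (rule, host, ts) for each event matching a Silver Fox behaviour."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("event_id")
        hit = None
        script = ev.get("script", "").lower()
        if eid == 4104 and "add-mppreference" in script and "-exclusion" in script:
            hit = "defender_exclusion_added"            # Defender path exclusion via PowerShell
        elif eid == 4698 and suspicious_path(ev.get("command", "")):
            hit = "scheduled_task_from_user_writable_path"  # persistence as scheduled task
        elif eid == 6 and suspicious_path(ev.get("image_loaded", "")):
            hit = "driver_loaded_from_user_writable_path"   # BYOVD-style AV/EDR killer
        elif eid == 3 and ev.get("dest_host", "").endswith(".aliyuncs.com") \
                and suspicious_path(ev.get("image", "")):
            hit = "cloud_bucket_beacon_from_unusual_process"  # staging from Alibaba OSS
        if hit:
            findings.append((hit, ev["host"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for rule, host, ts in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{ts} {host} {rule}")
```

The benign `ScheduledDefrag` task in the sample is deliberately left unflagged, since its action runs from `System32`; tune `USER_WRITABLE` to the paths your imaging workstations actually use before deploying the rules.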