Cyber Threat Hunting in Healthcare, Part 2: File Infectors, Botnets
In our previous investigation, we uncovered a new campaign by the Chinese threat actor Silver Fox which abused Philips DICOM viewers to infect victims with a backdoor trojan. This discovery emerged from a threat hunt for malicious software on VirusTotal (VT).
In this follow-up analysis, we expand on our search methodology, showing how we searched for malware on VT. We leveraged eyeInspect’s and REM’s list of default credentials – along with a database of the most popular medical software names observed in healthcare environments – to identify malware exhibiting the following behaviors:
- Masquerading as legitimate healthcare applications by abusing known software names.
- Exploiting medical system credentials to gain initial access.
- Interacting with medical devices by abusing healthcare protocols, such as DICOM and HL7.
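As an added illustration of the string-based hunt described above (example code written for this edit, not the authors' tooling, and not the eyeInspect or REM credential lists or the product-name database the post mentions), the following Python extracts printable strings from a binary the way the `strings` tool does, including UTF-16LE runs as stored in Windows version resources, and matches them against a watchlist of medical software names and a watchlist of credential tokens. The watchlists, the placeholder credential token and the sample bytes are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed watchlists (assumptions for this example; not the eyeInspect/REM
# lists or the product-name database the post describes).
MEDICAL_SOFTWARE_NAMES = ["syngo fastView", "Central Monitoring Station", "MUSE Cardiology"]
# Placeholder token standing in for a default-credential string; not a real credential.
CREDENTIAL_WATCHLIST = ["placeholder_default_pass"]


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII and UTF-16LE runs, as the `strings` tool would."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_runs = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    utf16_runs = [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return ascii_runs + utf16_runs


@dataclass(frozen=True)
class HuntHit:
    category: str   # "software_name" or "credential"
    needle: str     # watchlist entry that matched
    context: str    # full extracted string containing it


def hunt(data: bytes) -> list[HuntHit]:
    """Match every extracted string against both watchlists (case-insensitive)."""
    hits: list[HuntHit] = []
    for s in extract_strings(data):
        low = s.lower()
        for name in MEDICAL_SOFTWARE_NAMES:
            if name.lower() in low:
                hits.append(HuntHit("software_name", name, s))
        for token in CREDENTIAL_WATCHLIST:
            if token.lower() in low:
                hits.append(HuntHit("credential", token, s))
    return hits


# Constructed sample: a fake PE header, a UTF-16LE product string (as Windows
# version resources store them), binary noise, and an ASCII config string.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "Siemens syngo fastView".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + b"user=svc;pass=placeholder_default_pass\x00"
    + b"\xff\xfe" * 5
)

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(f"{hit.category:14} {hit.needle!r:28} in {hit.context!r}")
```

Run against a directory of samples, the same two watchlists give a first triage pass: a file that is not a known product installer but carries a product name, or that embeds a default credential for a hospital system, is worth a closer look. Short product names need word-boundary matching in practice to avoid noise.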
Key Threat Hunt Findings
Our analysis revealed three significant malware clusters targeting healthcare systems:
- A cluster of Siemens syngo fastView DICOM viewers infected with Floxif/Pioneer.
- A sample of Mindray Central Monitoring Station (CMS) infected with “Panda Burning Incense”. This CMS communicates with patient monitors using an IP address recently flagged by CISA and the FDA as a potential Chinese backdoor.
- Two botnet samples abusing credentials for GE Healthcare MUSE Cardiology Information Systems (CIS).
These findings emphasize how IT malware frequently exploits healthcare systems, either by targeting them directly or by infecting weak systems that interact with medical devices. Encouragingly, we found no malware samples directly abusing DICOM or HL7, which is good news for clinical network defenders.
Below, we analyze each of these findings in detail, explore their implications for healthcare security, link this research with our previous findings on risky medical systems, and provide mitigation recommendations for Healthcare Delivery Organizations (HDOs).
Portable Executable Infectors in Medical Software
The first set of results includes two clusters of files infected with Portable Executable (PE) infectors – a type of malware that appends malicious code to legitimate Windows executables to facilitate further compromise.
During our analysis, we discovered 19 instances of Siemens syngo fastView DICOM viewers infected with Floxif/Pioneer.
Siemens syngo fastView is typically distributed to patients alongside their medical imaging results, allowing them to view DICOM images on a personal Windows workstation. This software is not intended for use on medical workstations. It is also no longer maintained by Siemens and is known to contain vulnerabilities.
Floxif/Pioneer is a backdoor that infects executable and DLL files, enabling it to download and execute further malware on the victim’s system. It was initially discovered in 2012 and gained notoriety when it was used to distribute a trojan-ized version of the CCleaner utility in 2017. In 2021, it was identified in OT/ICS environments, though no confirmed targeted infections were reported.
All infected samples were submitted to VT from the US or Canada between November and December 2024.
We also identified one instance of a Mindray CMS infected with Panda Burning Incense/Fujacks. This CMS is a hospital software application that connects to multiple patient monitors and centralizes patient vitals and diagnostics.
Panda Burning Incense is a Chinese worm originally developed in 2006. It infected over 10 million devices before its creators were arrested in 2007. An updated version emerged in 2009 and the malware was last observed infecting enterprise systems in 2019.
The sample we identified was submitted in 2022 from the United States and exhibits behavior identical to the 2019 variant, specifically: downloading additional malware from 9z9t[.]com and reporting the infection to daohang08[.]com. As of this writing, the first domain no longer resolves to an IP address, but the second currently resolves to 154.85.233[.]136, a Hong Kong-based IP address.
CISA has flagged the Mindray CMS default connection behavior as a potential security risk. This CMS connects to patient monitors using the IP address 202.114.4[.]119, which was previously cited by CISA as a possible Chinese backdoor. While this behavior is not inherently malicious – the same IP address is used across multiple patient monitors and CMSs by default – CISA has warned that this configuration could expose patient monitors to remote code execution (RCE) risks.
As observed in a similar hunt in OT environments, we cannot confirm whether these infections were specifically targeted at healthcare environments. This type of malware is relatively old and can spread through multiple vectors, including other infected files downloaded from the internet, infected USB drives used for file transfers, or via networks compromised due to poor segmentation between IT and medical systems.
The infections through the DICOM viewer samples most likely occurred on patients’ personal computers, as that is the intended use case for the software. In contrast, the infection observed in the CMS is more likely to have originated within a healthcare facility where the software is actively used to monitor patient data.
Botnets Targeting GE Healthcare MUSE
Our second key finding involves botnet samples that exploit the default password for the GE Healthcare MUSE Cardiology Information System.
However, these botnet samples are ELF binaries, meaning they cannot execute on the Windows-based systems that host the MUSE application. Instead, these samples likely function as “vulnerability collectors”, scanning for exposed or misconfigured systems and reporting findings to a command and control (C2) server or human operator. Once a vulnerable system is identified, an attacker could then deploy additional tools to compromise it further.
MUSE is widely used in healthcare organizations to streamline cardiac data management by facilitating the delivery, distribution and analysis of critical electrocardiogram (ECG) data. It aggregates cardiac measurements, diagnostic text interpretations and digitized ECG.
Given its role in storing and analyzing patient cardiac data, unauthorized access to MUSE systems could pose significant security and privacy risks for healthcare organizations.
The two samples found exploiting credentials for this system are listed below:
Sample | Downloader IP | Submissions |
---|---|---|
d6155a83e85dad5f8e66267c99bc6152dff5a5f53ec67ccd3b8cf1f1a0193b73 | 141.98.11[.]96 | US, Turkey and Germany; six times between March and July 2024 |
97f71348c5ebc187091ec61860110473ab4f2ca78dcae9890e5fbec5c45ad4be | 91.234.99[.]177 | South Korea, twice in 2019; US, twice between April and July 2024 |
The two botnet samples identified in our analysis are classified on VT as Mirai/Gafgyt variants. However, the second sample exhibits characteristics consistent with AirDropBot (also known as CloudBot), based on its original filename (“sh4.cloudbot”) and strings present in the sample, such as “airdropmalware” and “cloudbot storing your data in the clouds”.
Beyond the IP addresses hosting these samples (listed in the table above), the second sample also contained an embedded domain name, stresser[.]pw, and two embedded IP addresses, 185.244.25[.]200 and 185.244.25[.]202.
These indicators suggest that the second botnet sample may be linked to DDoS-for-hire services (a.k.a. booters/stressers) commonly associated with AirDropBot-based malware campaigns.
Mitigation Recommendations
Our previous and current threat hunts have identified multiple threat types relevant to healthcare organizations, including:
- Infected DICOM viewers are likely targeting patients rather than hospitals directly.
Beyond our findings in this blog and the previous threat hunt, DICOM viewers have been abused in at least one campaign in 2024. These applications are either compromised by common IT malware or used as lures for sophisticated APT attacks. While an infected DICOM viewer may seem like a greater risk to patients, real-world scenarios – such as patients bringing their own devices into hospitals for diagnosis, or emerging hospital-at-home programs – demonstrate how these infections could spread beyond a personal workstation and serve as an initial access vector for healthcare organizations.
- Malware targeting hospital systems, such as CMS and CIS.
The infected CMS sample and botnets targeting CIS highlight that healthcare-specific systems are also vulnerable, not just patient devices. The infected CMS sample was likely from a real hospital and contained a decades-old worm, suggesting it probably runs a decades-old operating system, is connected to the internet, and is highly susceptible to many other more modern attacks – a major risk considering it controls multiple patient monitors.
Beyond these individual findings, our research reinforces key healthcare cybersecurity challenges. Threats originate both inside and outside HDOs. DICOM remains a high-risk protocol, as discussed in our recent report, due to its extensive use across interconnected hospital systems, including regular workstations and medical devices.
To minimize cybersecurity risks and enhance resilience, we recommend the following risk mitigation actions for HDOs:
- Identify and classify every asset
HDOs must often contend with medical devices running legacy operating systems, making them inherently vulnerable to attacks. HDOs must first identify and classify all connected devices to assess their risk exposure. Devices that cannot be retired or patched should be segmented appropriately to restrict access to only critical information and services.
- Limit external communications and implement effective segmentation
Network flow mapping is essential for designing effective segmentation zones separating IT, IoT, OT and IoMT devices. Mapping communications not only helps create segmentation zones but also provides insight into external and internet-facing connections. This approach can identify unintended external communications, helping to prevent unauthorized access and lateral movement within the network.
- Monitor all network traffic and endpoint telemetry for threat detection
Network packets may contain malicious payloads, including attempts to exploit vulnerabilities or drop malware on healthcare systems. Endpoint telemetry can reveal the presence of malicious files or anomalous system behavior. Correlating network and endpoint signals allows defenders to detect and respond to threats faster and more effectively.
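To show what the flow-mapping and monitoring recommendations above look like in practice, here is an added example (written for this edit, not the authors' tooling or any product's). It takes the network IoCs from this post, refangs them at load time, and runs constructed flow and DNS records against a constructed asset inventory to produce a zone-to-zone communication map plus three kinds of findings: contact with a published indicator, an IoMT asset reaching the internet, and unexpected IoMT-to-IT traffic. The inventory, zone rules, allowed ports, port numbers and records are all assumptions; the CMS-to-202.114.4[.]119 flow is included to show that an address the post describes as not inherently malicious is still surfaced for review as unexpected external traffic.

```python
import ipaddress
from collections import defaultdict
from typing import Optional


def refang(indicator: str) -> str:
    """Turn the post's defanged form (154.85.233[.]136) back into a matchable value."""
    return indicator.replace("[.]", ".")


# Network IoCs from the post, stored defanged and refanged at load time.
IOC_IPS = {refang(i) for i in (
    "154.85.233[.]136", "141.98.11[.]96", "91.234.99[.]177",
    "185.244.25[.]200", "185.244.25[.]202",
)}
IOC_DOMAINS = {refang(d) for d in ("9z9t[.]com", "daohang08[.]com", "stresser[.]pw")}

# Constructed asset inventory (assumption): internal IP -> "zone:role".
INVENTORY = {
    "10.20.1.10": "iomt:central-monitoring-station",
    "10.20.1.21": "iomt:patient-monitor",
    "10.30.5.40": "it:workstation",
    "10.40.0.5": "it:dns-resolver",
}
# Cross-zone traffic from IoMT to IT that is expected (assumption): DNS only.
ALLOWED_IOMT_TO_IT_PORTS = {53}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def zone_of(ip: str) -> str:
    if not is_internal(ip):
        return "internet"
    return INVENTORY.get(ip, "unknown").split(":")[0]


def classify_flow(src: str, dst: str, dport: int) -> Optional[str]:
    """Most severe applicable verdict for one flow, or None if nothing stands out."""
    if dst in IOC_IPS:
        return "ioc_ip"            # destination is a published C2/downloader address
    if zone_of(src) == "iomt" and zone_of(dst) == "internet":
        return "iomt_external"     # medical zone talking to the internet: review
    if zone_of(src) == "iomt" and zone_of(dst) == "it" and dport not in ALLOWED_IOMT_TO_IT_PORTS:
        return "cross_zone"        # segmentation gap between IoMT and IT
    return None


def analyze_flows(flows):
    return [(v, s, d, p) for s, d, p in flows if (v := classify_flow(s, d, p))]


def analyze_dns(queries):
    return [("ioc_domain", client, q) for client, q in queries
            if q.lower().rstrip(".") in IOC_DOMAINS]


def flow_map(flows):
    """src zone -> dst zone -> ports seen: the map that segmentation design starts from."""
    fm = defaultdict(lambda: defaultdict(set))
    for s, d, p in flows:
        fm[zone_of(s)][zone_of(d)].add(p)
    return fm


# Constructed flow records (src, dst, dst_port); ports are illustrative, not vendor defaults.
FLOWS = [
    ("10.20.1.10", "10.20.1.21", 5000),      # CMS to patient monitor, same zone
    ("10.20.1.10", "154.85.233.136", 80),    # CMS to the Fujacks reporting IP from the post
    ("10.20.1.21", "10.40.0.5", 53),         # monitor to the IT resolver, allowed
    ("10.20.1.10", "10.30.5.40", 445),       # CMS to an IT workstation over SMB
    ("10.30.5.40", "192.0.2.10", 443),       # IT workstation to the internet; not in scope here
    ("10.20.1.10", "202.114.4.119", 4000),   # CMS to the address CISA flagged; not an IoC, but external
]
# Constructed DNS log (client, queried name).
DNS_QUERIES = [
    ("10.20.1.10", "daohang08.com."),
    ("10.30.5.40", "example.com."),
]

if __name__ == "__main__":
    for finding in analyze_flows(FLOWS) + analyze_dns(DNS_QUERIES):
        print(finding)
    for src_zone, dsts in flow_map(FLOWS).items():
        for dst_zone, ports in dsts.items():
            print(f"{src_zone} -> {dst_zone}: {sorted(ports)}")
```

In a real deployment the flow records come from NetFlow/IPFIX or a network sensor and the DNS log from the resolver; the inventory is the asset classification from the first recommendation, which is why that step comes first. Only the IoC matches are true-positive signals; the external and cross-zone findings are review queues whose allowlist grows as legitimate communications are documented.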
IoCs
IoC | Description |
---|---|
d7a79484965a3425c2ab4750d1283e80f9903b023f65aed347f0329818189d2d | Floxif infected Siemens syngo fastView |
3bb1a8ef950e79184585eff7c44f15b6cbef66d90c128a69070e2ca0b2db50f6 | Floxif infected Siemens syngo fastView |
b2fc6d4e65e42174c09fb2d3ff902e7e31408fe36617e3e53c543418f3a9fc21 | Floxif infected Siemens syngo fastView |
975b9b27760f8b6db9874c6c74e7eee9122e7c8cd663f7212acc4a9edaf8222b | Floxif infected Siemens syngo fastView |
178a0b90512f4013a7c6577e4595a89e5d8d6f8c8a85f672424dffa6c79d776f | Floxif infected Siemens syngo fastView |
94951a1f9830d7a97286b5cc5a9b01b12c143e5c6d7aa9226642ed6507ab9d12 | Floxif infected Siemens syngo fastView |
a545d8993f069a237627c8fbcad60629404d61460efcdf084a8d276a90c57258 | Floxif infected Siemens syngo fastView |
d953b7cd781a0a3c31b8770b3179bdd1612f4ac058f8f78f2934c914457def92 | Floxif infected Siemens syngo fastView |
7fb44d3a60fedc6c9eb00bf51316d07aadf7e4062495ec917605b04c0b966db5 | Floxif infected Siemens syngo fastView |
a614796e796b3691a6c4175082d4d42246ebb0d36ac7bab311b3964f54749e4e | Floxif infected Siemens syngo fastView |
38b61236407f4f28ee4d5b7798d1d6f5f3fc8cf937b9fc54c07d75464810ebc3 | Floxif infected Siemens syngo fastView |
8c570534b77d41bcacf1d2ecc7aec75c4ece59a80f0241f450a72e7de89c35c1 | Floxif infected Siemens syngo fastView |
6f91a07e48d01858ee308ef430c6dae3694d540687c2341e427b340dbfd31c32 | Floxif infected Siemens syngo fastView |
9363f5e74acfccc83762e17076ce18e4079430dca2352a4d37a210303380e23c | Floxif infected Siemens syngo fastView |
975ab3b9b306cada378bed98b68368cbf389c718767b91fde67df154c1e6417c | Floxif infected Siemens syngo fastView |
61f640364ab398db7d32c87585481d3b34578324491c6070cc45d2ddd2faea1d | Floxif infected Siemens syngo fastView |
29b30fd8e8dfe1308df164298b6dee16960c7f5b8cd70098ef542a8506c91ece | Floxif infected Siemens syngo fastView |
e375646b471b137a9c65a444acc4d50153600e6d6cd0e995d7d569b05791bfce | Floxif infected Siemens syngo fastView |
3d6a6cfb19e1e1a9cf8c9cd56b7477ecfed2de3acacd7b90345b3eba6c324ac8 | Floxif infected Siemens syngo fastView |
447a3b7a4b549fd237e31b4a833466690dfa75c12104e6d5bdac80d6c321336a | Fujacks infected Mindray CMS |
9z9t[.]com | Domain name used by Fujacks |
daohang08[.]com | Domain name used by Fujacks |
d6155a83e85dad5f8e66267c99bc6152dff5a5f53ec67ccd3b8cf1f1a0193b73 | Botnet abusing GE Healthcare MUSE credentials |
97f71348c5ebc187091ec61860110473ab4f2ca78dcae9890e5fbec5c45ad4be | Botnet abusing GE Healthcare MUSE credentials |
141.98.11[.]96 | Downloader IP address for botnet abusing GE Healthcare MUSE credentials |
91.234.99[.]177 | Downloader IP address for botnet abusing GE Healthcare MUSE credentials |
185.244.25[.]200 | C2 IP address for botnet abusing GE Healthcare MUSE credentials |
185.244.25[.]202 | C2 IP address for botnet abusing GE Healthcare MUSE credentials |
stresser[.]pw | Domain name used by botnet abusing GE Healthcare MUSE credentials |