Current Malware Threats Targeting the Healthcare And Public Health (HPH) Sector

Over the past few months the below malware threats have been targeting the Healthcare and Public Health (HPH) sector. The Health Sector Cybersecurity Coordination Center (HC3) has developed a series of Sector Notes which provide overviews of these threats along with Indicators of Compromise (IOCs) or Tactics, Techniques, and Procedures (TTPs), where applicable. 

LokiBot Malware Threat to Healthcare, June 16, 2020
Lokibot is an information stealer; the main functionality of its binary is to collect system and application credentials and user information to send back to the attacker.

Pony/Fareit Malware: A Growing Threat to the Healthcare and Public Health Sector, June 16, 2020
Pony malware, also known as Fareit, Classified by Trend Micro as a Trojan-Spyware, this crimeware is primarily used to steal user and File Transfer Protocol (FTP) credentials and passwords, download other payloads, and bring compromised systems into a botnet.

Remcos-RAT, June 16, 2020
Remcos RAT, or remote access tool, is a legitimate application intended for use by administrators for remote access and maintenance. It has recently been used as part of attempted cyberattacks, leveraging COVID-related phishing themes to disguise it as part of the payload.

Remote Access Trojan “Agent Tesla” Targets Organizations with COVID Themed Phishing Attacks, June 16, 2020
Agent Tesla is an established Remote Access Trojan (RAT) written in .Net. A successful deployment of Agent Tesla provides attackers with full computer or network access; it is capable of stealing credentials, sensitive information, keystrokes, screen and video activity, and form-grabbing.

Formbook Malware Phishing Campaigns, June 16, 2020
Formbook is an information stealing malware, also known as “form grabber” malware. The malware is installed on victims’ computers when they visit malicious websites or domains.

Dridex Malware A Growing Threat to the HPH Sector, June 16, 2020
Dridex was originally developed as a financial Trojan that makes initial contact with its victims via phishing email campaigns and is one of the most prevalent malwares in use today. While Dridex has historically been used in attacks on the financial sector, researchers at ESET determined that the developers of Dridex were also behind the development of the ransomware known as BitPaymer.

Ursnif Malware, June 16, 2020
Ursnif (aka Gozi, Gozi-ISFB, Dreambot, Papras) is a modified modular banking malware with backdoor capabilities. The latest source code was leaked to GitHub in February 2015 and its capabilities include intercepting and modifying browser traffic (i.e. web injects), file download and upload, establishing a SOCKS proxy, system restart and shutdown, system information gathering, and a domain generation algorithm (DGA).

Romate Access Trojan Nanocore Poses Risk to HPH Sector, June 16, 2020
Nanocore is a particularly sophisticated Remote Access Trojan (RAT) that has been used by criminals to gain complete control over victim’s devices, including logging keystrokes and screen activity, manipulating private files and sensitive data, controlling surveillance systems like the webcam and microphone, and harvesting credentials that can be exploited by the criminal or resold.

Related Resources

Letter/Comment
AHA Responds to CISA Proposed Rule on Cyber Incident Reporting Requirements
Public
Advisory
HHS Issues Alert on Critical Vulnerability in ‘MOVEit,’ File Transfer Platform Used by Health Care Sector
Public
Special Bulletin
AHA Helps Secure New Cybersecurity Resources from Microsoft and Google to Assist Rural Hospitals
Public
Advancing Health Podcast
How to Survive a Cyberattack with Scripps Health: Part Two
Public
Special Bulletin
HHS Authorizes UnitedHealth Group to Make Breach Notifications on Behalf of Providers
Member
Advancing Health Podcast
How to Survive a Cyberattack with Scripps Health: Part One
Public