Current Malware Threats Targeting the Healthcare And Public Health (HPH) Sector

Over the past few months, the malware threats listed below have been targeting the Healthcare and Public Health (HPH) sector. The Health Sector Cybersecurity Coordination Center (HC3) has developed a series of Sector Notes that provide an overview of each threat along with Indicators of Compromise (IOCs) or Tactics, Techniques, and Procedures (TTPs), where applicable.

LokiBot Malware Threat to Healthcare, June 16, 2020
LokiBot is an information stealer: the main function of its binary is to collect system and application credentials and user information and send them back to the attacker.

Pony/Fareit Malware: A Growing Threat to the Healthcare and Public Health Sector, June 16, 2020
Pony malware, also known as Fareit, is classified by Trend Micro as Trojan-Spyware. This crimeware is primarily used to steal user and File Transfer Protocol (FTP) credentials and passwords, download additional payloads, and enlist compromised systems in a botnet.

Remcos-RAT, June 16, 2020
Remcos RAT (remote access tool) is sold as a legitimate application intended for administrators to use for remote access and maintenance. It has recently been used in attempted cyberattacks that leverage COVID-19-themed phishing lures to deliver it as part of the payload.

Remote Access Trojan “Agent Tesla” Targets Organizations with COVID Themed Phishing Attacks, June 16, 2020
Agent Tesla is an established Remote Access Trojan (RAT) written in .NET. A successful deployment of Agent Tesla gives attackers full access to the compromised computer or network; it is capable of stealing credentials and other sensitive information, logging keystrokes, capturing screen and video activity, and form-grabbing.

Formbook Malware Phishing Campaigns, June 16, 2020
Formbook is information-stealing malware, also known as “form grabber” malware because it captures data entered into web forms before it is submitted. The malware is installed on victims’ computers when they visit malicious websites or domains.

Dridex Malware A Growing Threat to the HPH Sector, June 16, 2020
Dridex was originally developed as a financial Trojan; it makes initial contact with its victims through phishing email campaigns and is one of the most prevalent malware families in use today. While Dridex has historically been used in attacks on the financial sector, researchers at ESET determined that the developers of Dridex were also behind the ransomware known as BitPaymer.

Ursnif Malware, June 16, 2020
Ursnif (aka Gozi, Gozi-ISFB, Dreambot, Papras) is a modified, modular banking malware with backdoor capabilities. Its latest source code was leaked to GitHub in February 2015. Its capabilities include intercepting and modifying browser traffic (i.e., web injects), file download and upload, establishing a SOCKS proxy, system restart and shutdown, system information gathering, and a domain generation algorithm (DGA).

Remote Access Trojan Nanocore Poses Risk to HPH Sector, June 16, 2020
Nanocore is a particularly sophisticated Remote Access Trojan (RAT) that criminals have used to gain complete control over victims’ devices, including logging keystrokes and screen activity, manipulating private files and sensitive data, controlling surveillance peripherals such as the webcam and microphone, and harvesting credentials that the criminal can exploit or resell.
