Chinese Hackers Accidentally Infected European Hospital with Malware

Malicious USB campaign

Check Point analysts found that Chinese hackers in a chain of accidents infected an unnamed European hospital with malware. Researchers attribute this to the uncontrolled spread of malware that is dissiminated by the Chinese hack group Camaro Dragon (aka Mustang Panda, BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta and Red Lich) via USB drives.

The topic of Chinese hackers becomes more and more often guest of newsletter headlines. Some episodes surprise with their cheekiness and insolence – when they managed to use Google infrastructure as C2 servers. But healthcare infrastructure attacks are non-grata even for such daredevils. Cyberattack on a German hostpital lead to patient’s death – most likely, that was out of hackers intentions. For that reason, hackers all over the world agreed to avoid attacking hospitals.

Chinese Camaro Dragon Hackers Attacked Hospital

The Check Point report states that the Camaro Dragon typically attacks targets in Asian countries, and features designed to evade SmadAV, a popular antivirus solution in the region, can be found in the group’s malware code. However, the WispRider and HopperTick malware has infiltrated a European hospital and has also been encountered by researchers in Myanmar, South Korea, the UK, India and Russia.

“Patient Zero” in this incident was identified as a hospital employee attending a conference in Asia. He shared his presentation with other event participants using a USB drive. Unfortunately, one of his colleagues had an infected computer, and as a result, [the victim’s] own USB drive was also infected. Back at his home hospital in Europe, the employee plugged the infected USB drive into the hospital’s computer systems, causing the infection to spread.the researchers say.

Checkpoint believes that the attack begins with the victim launching a malicious launcher written in Delphi on an infected USB drive. This causes the launch of the main payload, which downloads malware onto other drives when they connect to the infected machine. At the same time, it is emphasized that the malware poses a great danger to corporate systems, since infected machines install malware on any newly connected network drives, and not on drives already connected to the machine at the time of infection.

Infection scheme
Scheme of malware injection used by hackers

Researchers are confident that the spread to newly connected network drives is unintentional.

Although network drives infected in this way could theoretically be used as a means of lateral movement within the same network, this behavior seems more like a bug than a deliberately added feature. Managing multiple files and replacing them with an executable file with a USB flash drive icon on network drives is a notable activity that can draw additional and unwanted attention to an attack.the researchers write.

If the malicious code does run, it tries to spread the backdoor and steal data. Due to this, accidental infection of network storages becomes a serious problem, as in many organizations this is where important data is stored.

Another unpleasant feature of this malware is that it “performs DLL-side-loading using security software components, including G-DATA Total Security, and products from two major gaming companies (Electronic Arts and Riot Games).” Checkpoint says it has already warned developers about their unwitting involvement in Camaro Dragon malware companies.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *