HIPAA-Protected Malware? Misusing DICOM Flaw to Embed Malware in CT/MRI Imagery

Jun 04, 2019
Posted by
Cyber Security

Cylera found a flaw in DICOM, a 30-year-old standard used to exchange and store medical images, that would give an attacker a way to embed malicious code into medical device image files.

DICOM medical device cybersecurity vulnerability

April 18, 2019 – Cylera security researcher Markel Picado Ortiz recently discovered a vulnerability in the DICOM image format, a 30-year-old standard used to exchange and store medical images, that would allow a hacker to insert malicious code into imaging files and infect patient data.

The research revealed that the bug would allow an adversary to embed fully functioning, executable code into imaging files, such as those from CT and MRI machines, producing hybrid files that let malware hide behind HIPAA-compliant images. Furthermore, the malicious modification would not alter the original patient data.

Providers would likely use and exchange these images within the practice and with other parties without realizing the images were infected.

“By blending in with protected health information, malware can effectively exploit the data’s clinical and regulatory implications to evade detection and derail remediation efforts while creating a host of new concerns for security teams, healthcare organizations, and antivirus companies simultaneously,” Ortiz wrote.

“This vulnerability stands apart as one whose technical strength is derived not only from a software design flaw, but from the clinical and regulatory environment as well,” he added.

If hackers were to exploit the design flaw in DICOM, they’d be able to take advantage of the imagery’s centralization within a health organization. Ortiz explained that in doing so, they’d be able to more easily distribute other malware, launch multi-stage attacks, and evade detection.

“The combination of fully functioning executable malware with HIPAA-protected patient data adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes in ways that did not previously need to be considered,” Ortiz wrote.


According to the analysis, the proof-of-concept exploit targets the 128-byte section at the start of every DICOM file, the Preamble. The Preamble is intended to facilitate access to the image and metadata of the DICOM file and can be used to provide compatibility with applications that are unaware of DICOM.

“The file Preamble may for example contain information enabling a multi-media application to randomly access images stored in a DICOM Data Set,” Ortiz wrote. “The same file can be accessed in two ways: by a multi-media application using the preamble and by a DICOM Application that ignores the preamble.”

“While the DICOM standard intends for the field to be used to enable compatibility with non-DICOM image viewers, for example JPG and TIFF images, the standard does not impose any structural requirements on the data inserted into the Preamble,” he added.

Accordingly, Ortiz explained that any arbitrary sequence of 128 or fewer bytes can be inserted without affecting the conformance of the image file. Worse, the bug can be abused by hackers to disguise DICOM files as unrelated file formats.

“As the header of a PE file can be crafted to fit within 128 bytes, attackers can insert full PE headers and make the DICOM file appear to be an executable,” Ortiz wrote. “It is not only possible to make a DICOM image appear to be an executable file, but to fully embed a working executable into a DICOM image while preserving the ability of the file to be executed by the operating system.”
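The following Python is an added example (not Cylera’s code and not part of the original write-up) that checks a file for exactly the structure described above, a DOS/PE header sitting inside the 128-byte preamble ahead of the “DICM” prefix, and implements the host-level detection and inoculation the write-up calls for at its end by zeroing the preamble while leaving the DICOM data set untouched. The sample buffers are constructed for the test and are not executables; note that zeroing the preamble also discards any legitimate TIFF-style compatibility data a vendor may have placed there.

```python
import struct

PREAMBLE_LEN = 128      # DICOM PS3.10: 128-byte preamble, then the 4-byte "DICM" prefix
DICM_MAGIC = b"DICM"
DOS_HEADER_LEN = 0x40   # "MZ" header; e_lfanew (offset of "PE\0\0") lives at 0x3C


def is_part10_dicom(data: bytes) -> bool:
    """True if 'DICM' sits right after the 128-byte preamble."""
    return data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICM_MAGIC


def inspect_preamble(data: bytes) -> dict:
    """Classify the preamble: the standard imposes no structure on it, so a
    complete DOS header fits inside and can point at a PE header further on."""
    preamble = data[:PREAMBLE_LEN]
    info = {
        "is_dicom": is_part10_dicom(data),
        "preamble_all_zero": preamble == bytes(PREAMBLE_LEN),
        "dos_header": preamble[:2] == b"MZ" and len(preamble) >= DOS_HEADER_LEN,
        "e_lfanew": None,
        "pe_signature": False,
    }
    if info["dos_header"]:
        # e_lfanew is the little-endian DWORD at 0x3C; follow it and look for "PE\0\0"
        e_lfanew = struct.unpack_from("<I", preamble, 0x3C)[0]
        info["e_lfanew"] = e_lfanew
        info["pe_signature"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    if info["is_dicom"] and info["dos_header"]:
        info["verdict"] = "pe-dicom-polyglot"
    elif info["is_dicom"]:
        info["verdict"] = "dicom"
    else:
        info["verdict"] = "not-dicom"
    return info


def inoculate(data: bytes) -> bytes:
    """Return a copy with the preamble zeroed. 'DICM', the file meta group and
    the data set (the patient data) stay byte-for-byte intact, so DICOM viewers
    still open the file, but no loader will accept it as a PE any more."""
    if not is_part10_dicom(data):
        raise ValueError("not a DICOM Part 10 file; refusing to modify")
    return bytes(PREAMBLE_LEN) + data[PREAMBLE_LEN:]


# Constructed samples (not the files from the write-up): a minimal body that
# starts with "DICM" and one Transfer Syntax UID element, once behind an
# all-zero preamble and once behind a DOS header whose e_lfanew points at a
# "PE\0\0" marker appended after the body. Neither sample is an executable.
_BODY = DICM_MAGIC + b"\x02\x00\x10\x00UI\x14\x00" + b"1.2.840.10008.1.2.1\x00"
CLEAN_SAMPLE = bytes(PREAMBLE_LEN) + _BODY
_PE_OFFSET = PREAMBLE_LEN + len(_BODY)                      # 160
_DOS_STUB = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", _PE_OFFSET)
POLYGLOT_SAMPLE = _DOS_STUB + bytes(PREAMBLE_LEN - len(_DOS_STUB)) + _BODY + b"PE\x00\x00"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_preamble(fh.read())["verdict"])
```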

“[The flaw] is present in a healthcare-specific protocol that can be found within virtually every healthcare delivery organization,” he added. “Its properties allow attackers to increase the stealth, spread, and overall effectiveness of malware campaigns by exploiting not only a technical flaw, but the nature of the clinical and regulatory context of the ePHI it infects.”

However, an attacker would need legitimate Active Directory credentials or permissions to execute commands remotely. Ortiz added: “It’s common to have shared credentials for devices, a weakness that has been exploited in cases such as the Kwampirs campaigns by the Orangeworm Group that targeted healthcare organizations.”


The PE/DICOM vulnerability allows attackers to hide malware inside DICOM images while preserving both the ability to execute the malware and the validity of the DICOM file and the associated patient data. While the clinical and regulatory implications are the most interesting, the issue has cybersecurity impact too. It allows new and existing malware to evolve into more potent variants, optimized for successful compromise of healthcare organizations, by using the infected patient data to hide, protect, and spread itself: three of the essential capabilities that determine the effectiveness of a malware campaign.

Evasion: The most obvious use of this flaw is to embed malware inside DICOM images to increase stealth and evade detection. There will not be any artifact “.exe” files, as PE/DICOM images can keep their “.dcm” file extension and still be executed, which makes detection more difficult for analysts and response teams; further, when an analyst reviews the file, it will open as the original DICOM image and display the clinical data as it was before infection, giving the initial impression that the file is benign. The malware is essentially cloaking itself in DICOM data.

The flaw also enables evasion of A/V as well as of human analysts and system administrators. Medical device manufacturers and healthcare organizations often configure anti-malware and EDR software to ignore medical imagery and files containing protected health information. As PE/DICOM files can be executed without changing the “.dcm” file extension and preserve the integrity of the DICOM format, they could evade automated detection mechanisms in such setups. Some weaker A/V software may choose not to scan DICOM files at all, as they do not appear to be executable.

Spread: Better evasion implies better overall spread. Another interesting possibility is an attempt to propagate malware as part of a multi-stage attack by “piggybacking” on clinical workflows that involve the exchange of DICOM imagery. Central repositories of DICOM files, such as the PACS, could provide a single infection point that propagates the malware-infected image to a large number of clinical devices as patient data is pulled and stored over the course of diagnosis and treatment. These infected PE/DICOM images would then be activated by a second-stage attack that would need to execute the PE/DICOM malware files, a task that is much more likely to evade detection on the newly infected hosts and thus maximizes spread potential.

Imaging results are shared not only within a single organization but also between organizations whose patients overlap. Patients will sometimes seek specialists who are experts in particular domains not covered by their local healthcare organization. Infected files could be transferred to the new organization as part of a consultation, thereby spreading infected DICOM files not only between departments within an organization, but across organizational boundaries and into entirely unrelated healthcare organizations. The malware effectively “follows” the patient from organization to organization.

Persistence: Malware that exploits the PE/DICOM flaw effectively fuses patient data and malware. When this happens, incident response teams and A/V software cannot simply delete the malware file, as it contains protected patient health data. Response teams and A/V software that are unaware the file contains patient data could destroy patient data in the mitigation process. Response teams and A/V software that know the file contains patient data are left in a difficult situation where they must balance cybersecurity, clinical, and regulatory risk as they respond to malware that is effectively using patient data as a shield.

The shift from purely cybersecurity concerns to regulatory consequences and clinical complexities is the aspect of PE/DICOM that makes it so unusual. Its effectiveness stems not only from an issue in the DICOM file format, but from the clinical and regulatory implications of the data it infects. Viewed from this perspective, an entirely new set of impacts becomes clear.


The combination of malware and patient data brings about second- and third-order impacts that extend beyond the typical cybersecurity damage caused by malware infections. These effects create concerns for security teams, healthcare organizations, patients, and A/V companies that were not typically considered before.

From the perspective of healthcare system administrators and security teams, PE/DICOM malware introduces new difficulties into incident response processes. Teams cannot upload the suspected malware to common cloud-based malware analysis services, such as VirusTotal, without sacrificing the confidentiality of the patient data contained within the image. Teams cannot delete the malware files without the risk of deleting HIPAA-protected patient data. Teams cannot block retrieval and review of the file in order to contain the malware without the risk of obstructing clinical operations that require access to the patient’s imaging data for treatment.

If a team is unaware that the malware is in fact a PE/DICOM file, it can inadvertently cause these damages by following typical incident response playbooks. If a team knows that the file is a PE/DICOM file but does not know how to handle it properly, it can end up in a deadlock as it balances patient privacy, availability of medical data, and containment of active malware. Should it allow the image to be shared among other systems and clinicians during clinical care despite the fact that it contains malware?

From the perspective of antivirus companies, the concerns and stakes are largely analogous. Products that automatically upload suspicious files to the cloud will begin uploading DICOM data containing protected health information from affected organizations, echoing the allegations against Kaspersky that resulted in its ban in the United States. If the product detects PE/DICOM malware and deletes the file, it can inadvertently delete patient data; if the product chooses to quarantine the file, it can compromise the availability of the clinical data.

A/V software that is unaware of this flaw could inadvertently compromise patient confidentiality, delete patient data, or disrupt clinical workflows through its normal automated response and remediation processes. While user-configurable policies may give organizations a crude means of managing this issue, A/V software should ideally recognize the situation and carry out a remediation process tailored to PE/DICOM files.

The common theme through these scenarios is that the patient is, in some form, the collateral damage. Whether it is patient data being leaked because of improper incident response or a patient’s care being delayed because of automated deletion or quarantining of their infected scan results, part of the flaw’s utility to an attacker relies on the assumption that organizations will prioritize protecting patients.

These issues and dynamics are part of the PE/DICOM vulnerability itself: they are the reasons why the flaw allows malware to operate more effectively. The fact that they derail incident response and forensic analysis processes is the intended motivation behind a malicious actor’s use of the vulnerability. However, there are additional secondary impacts that arise from the context of the data being infected.

For instance, if a DICOM file has been altered by a malicious actor, should it still be used for patient care at all? Would an organization have any assurance that the patient data was not accidentally or intentionally altered by the infection process?

As another example, consider malware for which the PE/DICOM flaw is one of many propagation methods. If malware with automated propagation mechanisms is blended with patient data in order to aid evasion or replication, then patient data will spread along with the malware and incidentally leak ePHI in the process. An organization could not consider a PE/DICOM-related malware incident resolved once its internal network is cleaned, as the malware may have spread beyond the perimeter of its network along with the DICOM imagery it infected. It would be increasingly hard to measure the extent of such a leak, much less contain it, as the worm continued to replicate itself on external systems.

Proof of Concepts

PoC 1: PE/DICOM File Creation

As an initial Proof of Concept we created a PE/DICOM file using a publicly available anonymized DICOM image and a simple example program that displays a message box.


Figure 1: The raw files used in the creation of the polyglot file PE/DICOM file along with the output file itself.

SHA256 Type Name
803d67292c4617f4d1348b1549b5743e6821436d3c8652aa7a6954e4b569eb36 DICOM cylera.dcm
25e47f926edc57b21f510b6665d2e6ee6e3b614d88093ad103957e9e46b41c35 PE (EXE) cylera.exe
91a435e706b7070c31794383e856f15a74c247b59434a6b51f908a9bede37b75 PEDICOM pedicom-cylera.dcm

In the following images you can see the contents of the files “cylera.dcm” and “cylera.exe” in their native representation.


Figure 2: The cylera.dcm file opened with a DICOM image viewer


Figure 3: The cylera.exe file. This program only opens a MessageBox

The “pedicom-cylera.dcm” file is a PE/DICOM file containing both the raw DICOM image and the executable shown. As it has the usual “.dcm” DICOM file extension, it is opened with the default DICOM image viewer installed in our test environment (MicroDicom viewer). We can see that it is the very same image as contained in the original “cylera.dcm” file.


Figure 4: The pedicom-cylera.dcm file opened with a DICOM image viewer. The representation of the image is the same as the cylera.dcm image. If this file is run as executable, however, it will appear as the cylera.exe program.

Opening the “cylera.dcm” file with a hexadecimal editor shows the following raw DICOM data:


Figure 5: The contents of cylera.dcm viewed in a hexadecimal editor

Opening the “pedicom-cylera.dcm” file with a hexadecimal editor shows the two formats combined, beginning with the headers of the Windows PE format followed by data in the DICOM format.


Figure 6: The contents of pedicom-cylera.dcm viewed with a hexadecimal editor. In this image it is possible to see both the PE headers and the DICOM header

In the following image you can see exactly which part corresponds to which file format.


Figure 7: The contents of pedicom-cylera.dcm, with parts corresponding to each file format highlighted.


Figure 8: Once the extension of the file pedicom-cylera.dcm was changed to .exe, double-clicking the file caused the cylera.exe program to run.

Executing the executable embedded in a PE/DICOM file does not require renaming the file from the standard “.dcm” DICOM extension to “.exe”, regardless of whether a DICOM viewer is present on the system and registered as the default application handler for “.dcm” files. This significantly reduces the complexity of successful exploitation of this flaw.


Figure 9: The pedicom-cylera.dcm executed from the Windows console (cmd.exe).

Trivial ways to execute PE/DICOM files include:

“Running” the image from the Windows Command Prompt as you would run any other executable, as shown. This works because Command Prompt internally uses the CreateProcess function from the Windows API, which loads a PE file into memory and executes it.

Creating a one-line batch script that simply calls the PE/DICOM file, similar in concept to the previous approach. When the batch script is double-clicked it will execute the PE/DICOM image as a PE.

From another program, calling the CreateProcess API function and passing the PE/DICOM image as the application to be run. The location of the PE/DICOM image may be passed as a parameter to this second-stage executable. This approach is discussed further in the paper.

Naturally, changing the file extension from “.dcm” to “.exe” would allow a user to run the executable by double-clicking it. This, however, largely defeats the purpose and removes the elements of stealth and evasion; the file is then an executable binary containing DICOM data rather than a DICOM file containing an executable binary.

PoC 2: Local File Infector

As a Proof of Concept to investigate how the PE/DICOM flaw could be used by an application to replicate itself among files on a single host, we created a binary we named “PeDi2” that finds all DICOM imagery on the local system and self-replicates using the flaw.

SHA256 Type Name
d7ac8e740821f761a2f346a8dbb87a117301bba312f749ed48677910dfd5f6dc PE (EXE) PeDi2.exe

The PeDi2 program structure is simple, limits its scope of action to the current directory, and contains a benign demo. In the following diagram you can see the execution flow:


Figure 10: PeDi2 binary flowchart.

Two important stages can be highlighted: PAYLOAD and INFECTION.

PAYLOAD: There are two distinct payloads used in this stage: one for the initial binary (“patient zero”) and the other for infected DICOM images. These payloads simply open two (non-malicious) URLs in the browser.

INFECTION: In this stage the binary attempts to find and infect a DICOM image (limited to the current directory in this example).


Figure 11: Files involved in the worm’s Proof of Concept.

When it finds a DICOM image that has not been infected before, it infects it. After infecting the image, PeDi2 executes the image as though it were a PE file, starting a chain in which this image will find, infect, and execute another DICOM image in the directory, which will find, infect, and execute another, and so on. This process repeats until all DICOM images in the current directory are infected.


Figure 12: This image shows the DICOM image 1.dcm running as an executable after being infected by PeDi2.exe.


The technical issue discussed in this article is caused by an overly permissive preamble in the DICOM image format. The actual vulnerability, however, is only partly defined by the technical weakness itself; an equally significant part of the PE/DICOM flaw’s identity is the clinical context in which the files are used and the regulatory implications of the data they contain.

This is broadly true, in one way or another, of most cybersecurity threats facing healthcare organizations and medical systems. The growing dependence of clinical care on network-connected systems should reframe how we think about and understand cyber threats and guide how we protect clinical networks and the patients connected to them. Threats and their associated impacts must be viewed in a multi-dimensional way, with attention to the potential impacts that sit at the boundary between the virtual and the physical.

As attacks on healthcare inevitably continue to grow in both volume and sophistication, it is essential that we act proactively to harden our networks and systems, implement robust monitoring and detection mechanisms, and advance our response strategies. Implementing security controls that protect against both current and future threats is our best option for closing the capability gap between attackers and defenders. This is why studying and planning for vulnerabilities such as PE/DICOM is essential. The PE/DICOM flaw is not a vulnerability that can be resolved immediately by a single software patch or an amendment to the DICOM standard. The clearest way forward is for healthcare organizations to implement basic mechanisms for detecting PE/DICOM files at the network and host levels and to extend their tooling and processes to properly inoculate detected files without side effects. Antivirus solutions should also work to make their products PE/DICOM-aware, with custom detection and regulat