{
	"id": "3f1374b0-98f6-474c-a7b3-4fcad2b7720b",
	"created_at": "2026-04-06T00:19:25.027271Z",
	"updated_at": "2026-04-10T03:21:30.15125Z",
	"deleted_at": null,
	"sha1_hash": "17a29eba6a48b78186a512d0e59caa1aa46be022",
	"title": "Information Stealer Found Hitting Israeli Hospitals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89815,
	"plain_text": "Information Stealer Found Hitting Israeli Hospitals\r\nBy Trend Micro ( words)\r\nPublished: 2017-06-29 · Archived: 2026-04-05 21:39:10 UTC\r\nThe abuse of shortcut (LNK) files is steadily gaining traction among cybercriminals. We’ve seen a plethora of\r\nthreats that leverage malicious LNK files: from well-known ransomware families, backdoors typically deployed in\r\ntargeted attacks, and banking Trojans to spam emails, even an exploit to a LNK vulnerability itself. These threats\r\nare usually exacerbated by the further abuse of legitimate tools such as PowerShellnews article, or script\r\nautomation utility AutoIt. It’s thus not surprising that we discovered an information stealer employing LNK files,\r\nwhich our sensors detected in Israeli hospitals.\r\nHealthcare is considered a cybercriminal cash cownews article, as it can be a lucrative source of personally\r\nidentifiable information that can be monetized in underground marketplaces. Initial findings revealed that any\r\nbrowser-based information, e.g., login credentials, can be stolen, making the use of browser-based management\r\nsystems and applications important.\r\nWe have observed its attempts to gain footholds in the systems and the local networks’ shared folders. Another\r\nnotable aspect we’re seeing so far is the combination of worm propagation and stealth capabilities.\r\nOur monitoring and analyses are still ongoing and we will update this post as we find more details about the\r\nthreat. Here’s what we know so far:\r\nPropagation via worm. Initial analysis of the malware indicates it propagates via a worm. It creates copies of\r\nitself, including shortcut files, a non-malicious AutoIt executable, and a malicious AutoIt script into the affected\r\nsystem’s root directory, i.e., C:\\WinddowsUpdated\\\u003cfile copy\u003e.\r\nMasquerades as a Windows updater. 
The shortcut files pose as browser and Windows updaters, a web 3D\r\ncreation tool, and links to the system’s Downloads and Games folders.\r\nExecution via AutoIt. AutoIt is a legitimate scripting language and executable designed to automate tasks\r\n(i.e., macros) for several programs in Windows. However, it’s known to be abused for wrapping various remote\r\naccess trojans (RATs). In this case, a legitimate AutoIt executable is used to run a secondary file that contains the\r\nmalicious commands. We’ve actually seen a similar threat in the form of the IPPEDO worm (WORM_IPPEDO.B)\r\nback in 2014.\r\nIt gathers system information. The malware executes a command to retrieve system information via\r\nC:\\WINDOWS\\system32\\cmd.exe /c SystemInfo.\r\nThe LNK files are spawned on the affected machines. The LNK files are embedded with these malicious\r\ncommands:\r\ncmd.exe /c start ..\\WinddowsUpdateCheck\\WinddowsUpdater.exe\r\n\"..\\WinddowsUpdateCheck\\WinddowsUpdater.zip\" \u0026 exit\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/\r\nPage 1 of 4\n\nThe threat appears to be a highly obfuscated information stealer: the samples we are currently analyzing hide\r\ntheir payloads under layers of encryption, for instance. The packages we saw each\r\ncontain four malicious LNK files. These LNK files issue commands leading to AutoIt’s execution of .TNT and\r\n.EXE files. Based on the behavior we’ve observed so far, it appears to conduct browser-based information theft\r\nand record keystrokes. This actually makes sense given the sensitive nature of the information that goes through\r\nhealthcare organizations.\r\nAs the threat landscape continues to mature and diversify, the IT/system administrators and\r\ninformation security professionals that secure organizations should do the same. 
Among these countermeasures:\r\npatch and keep the system updated, enforce the principle of least privilege, secure the gateways to reduce attack\r\nsurface, and implement defense in depth by arraying multilayered security mechanisms across endpoints,\r\nnetworks, and servers.\r\nIndicators of Compromise (IoCs)\r\n01e03241c42b12381e5c3ceb11e53f6c5c6bf0fa — WORM_RETADUP.A\r\n1186e8d32677f6ac86a35704c9435ccd9ffa8484 — WORM_RETADUP.A\r\n479dcd0767653e59f2653b8d3fcddb662a728df4 — LNK_RETADUP.A\r\n580ff21d0c9d8aeda2b7192b4caaccee8aba6be4 — LNK_RETADUP.A\r\n5f32f648610202c3e994509ca0fb714370d6761d — LNK_RETADUP.A\r\n63ac13c121e523faa7a4b871b9c2f63bea05bbff — LNK_RETADUP.A\r\n68d90647cf57428aca972d438974ad6f98e0e2b2 — LNK_RETADUP.A\r\nce1b01eccf1b71d50e0f5dd6392bf1a4e6963a99 — LNK_RETADUP.A\r\nUpdate as of June 29, 2017, 2:00 PM (PDT)\r\nFurther analysis of the threat reveals that the malware is delivered as an executable file that is bundled with an\r\nidentically-named file masquerading as another file type. For example, the file named WinddowsUpdater.exe\r\ncomes with a file named WinddowsUpdater.zip. While the .EXE file is a legitimate AutoIt file, the alleged .ZIP file\r\nis actually an encrypted data file that contains the actual payload. This is why the above-mentioned\r\nLNK files use a command line to run the executable with only one argument, which is the same as the name of the\r\npayload file. 
Looking into its code, the malware contains the following strings, which may indicate that it attempts\r\nto gather system information from affected machines:\r\n@ComputerName\r\n@UserName\r\n@LogonDomain\r\nDriveGetSerial(\"C:\")\r\n@IPAddress1\r\nEnvGet(\"OS\") and other OS-related strings\r\n@OSLang\r\n@OSVersion\r\n@OSBuild\r\nIt also connects to the following URL via HTTP:\r\nhxxp://palestineop[.]com/myblog/user\r\nBy digging further, we found out that this domain appears to have been registered in November 2016, and that\r\nthere is evidence that a phishing page was hosted in the root folder of the domain just a few days after it was\r\nregistered. The said phishing page, which entices users to click on a link that will supposedly lead them to the Yahoo!\r\nMail service, instead points to the following URL:\r\nnewsofpalestine[.]com/newss/gsan\r\nThis second URL was already down when we tried to access the page. However, we managed to find evidence\r\nthat the domain used to host some news content in the past while also storing some malware. Thus, we\r\nstrongly believe that the page hosted at newsofpalestine[.]com/newss/gsan must have also been a phishing page\r\ndesigned to retrieve email credentials.\r\nWe will continue to update this post as we uncover more details about this threat.
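Added example, not code from the original post or from Trend Micro: a minimal Shell Link (.lnk) parser in Python that pulls the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS string data out of a shortcut and flags the two traits this post describes, a shortcut whose target is cmd.exe rather than the updater or folder it pretends to be, and an executable launched with a same-named companion file (WinddowsUpdater.exe with WinddowsUpdater.zip) as its only argument. The sample shortcut is constructed inside the block by a small builder that mirrors the command line quoted earlier; it is not one of the real samples, and the builder emits only the header and StringData (no ItemIDList or LinkInfo), which the parser nevertheless skips when present. The interpreter list and the heuristic wording are the example's own assumptions, not findings from the post.

```python
import re
import struct
import ntpath
from typing import Dict, List

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex('0114020000000000c000000000000046')  # {00021401-0000-0000-C000-000000000046}
# StringData sections follow the header in this fixed order, each present only if its flag is set
STRING_DATA = ((HAS_NAME, 'name'), (HAS_RELATIVE_PATH, 'relative_path'),
               (HAS_WORKING_DIR, 'working_dir'), (HAS_ARGUMENTS, 'arguments'),
               (HAS_ICON_LOCATION, 'icon_location'))
# Assumed list: interpreters an 'updater' or 'Downloads folder' shortcut has no business launching
SHELLS = {'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'}


def _pack_string(text: str) -> bytes:
    # CountCharacters (uint16) followed by the UTF-16LE characters, no terminator
    return struct.pack('<H', len(text)) + text.encode('utf-16-le')


def build_lnk(relative_path: str, arguments: str = '', working_dir: str = '') -> bytes:
    """Build a minimal Unicode .lnk: header plus StringData only (no ItemIDList/LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_WORKING_DIR if working_dir else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack('<I16sIIQQQIIIHHII', HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    values = {'relative_path': relative_path, 'working_dir': working_dir, 'arguments': arguments}
    body = b''.join(_pack_string(values[name]) for flag, name in STRING_DATA if flags & flag)
    return header + body


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a .lnk, skipping the optional ItemIDList and LinkInfo."""
    if len(data) < HEADER_SIZE or struct.unpack_from('<I', data)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError('not a Shell Link file')
    flags = struct.unpack_from('<I', data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from('<H', data, off)[0]  # IDListSize + IDList bytes
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from('<I', data, off)[0]      # LinkInfoSize counts itself
    unicode = bool(flags & IS_UNICODE)
    fields = {name: '' for _, name in STRING_DATA}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from('<H', data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[off:off + nbytes].decode('utf-16-le' if unicode else 'cp1252')
        off += nbytes
    return fields


def assess(lnk: Dict[str, str]) -> List[str]:
    """Heuristics for the RETADUP-style shortcut: shell target, same-named companion payload."""
    findings = []
    target = ntpath.basename(lnk['relative_path']).lower()
    if target in SHELLS:
        findings.append('shortcut target is %s, not a document or application' % target)
    # Tokenize the argument string, keeping quoted paths together
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', lnk['arguments'])]
    for exe, nxt in zip(tokens, tokens[1:]):
        stem, ext = ntpath.splitext(ntpath.basename(exe))
        nxt_stem, nxt_ext = ntpath.splitext(ntpath.basename(nxt))
        if ext.lower() == '.exe' and stem.lower() == nxt_stem.lower() and nxt_ext.lower() not in ('', '.exe'):
            findings.append('%s is run with same-named companion %s as its argument (encrypted payload pattern)' % (exe, nxt))
    return findings


# Constructed samples: SUSPECT mirrors the command line quoted in the post, BENIGN is an ordinary app shortcut
SUSPECT = build_lnk(r'..\..\Windows\System32\cmd.exe',
                    r'/c start ..\WinddowsUpdateCheck\WinddowsUpdater.exe "..\WinddowsUpdateCheck\WinddowsUpdater.zip" & exit')
BENIGN = build_lnk(r'..\Program Files\Mozilla Firefox\firefox.exe')

if __name__ == '__main__':
    for label, blob in (('suspect', SUSPECT), ('benign', BENIGN)):
        print(label, parse_lnk(blob)['arguments'], assess(parse_lnk(blob)))
```

On a real triage box, feed parse_lnk the bytes of every .lnk found under the dropped directories or on removable media; the same-stem check is what separates a shortcut that merely runs cmd.exe from one that hands a legitimate interpreter an encrypted payload file of a different extension.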
\r\nUpdate as of June 30, 2017, 4:05 AM (PDT)\r\nAdditional analyses indicate the main malware to be a backdoor (WORM_RETADUP.A) in the form of a worm.\r\nIt’s quite unique in that most remote access Trojans/backdoors deployed in these kinds of attacks require the\r\nhelp of other malicious components in order to propagate.\r\nRETADUP’s backdoor routines include:\r\nDownloading files\r\nConnecting to URLs/command and control (C\u0026C) servers\r\nOpening a command line (cmd) to execute commands\r\nInstalling a keylogger\r\nTaking screenshots\r\nExtracting passwords from the web browsers Mozilla Firefox, Opera, and Google Chrome\r\nStarting, terminating, and restarting processes\r\nSleeping for a specified time\r\nShutting down, restarting, and logging off the machine\r\nDisplaying a message in a dialogue box\r\nUpdating a copy of itself from a specific Uniform Resource Identifier (URI) location via C\u0026C\r\ncommunications\r\nRe-executing a copy of itself\r\nRETADUP is also notable for its stealth. It has a checklist of antivirus (AV) products, script file names, analysis,\r\nforensics, and debugging tools, as well as sandboxes and virtual machines, and it self-destructs if it detects any of\r\nthem. 
Its propagation routine entails dropping copies of itself in all drives, including all\r\nexisting folders in removable media.\r\nInterestingly, it also checks for the presence of certain LNK files related to online payment and money remittance,\r\nindicating the malware may also be stealing information from those sites:\r\nC:\\WinddowsUpdateCheck\\ebay.lnk\r\nC:\\WinddowsUpdateCheck\\hamazon.lnk\r\nC:\\WinddowsUpdateCheck\\hebay.lnk\r\nC:\\WinddowsUpdateCheck\\hmoneygram.lnk\r\nC:\\WinddowsUpdateCheck\\hpaypal.lnk\r\nC:\\WinddowsUpdateCheck\\hpayza.lnk\r\nC:\\WinddowsUpdateCheck\\hskrill.lnk\r\nC:\\WinddowsUpdateCheck\\hukash.lnk\r\nC:\\WinddowsUpdateCheck\\hwestern union.lnk\r\nC:\\WinddowsUpdateCheck\\moneygram.lnk\r\nC:\\WinddowsUpdateCheck\\paypal.lnk\r\nC:\\WinddowsUpdateCheck\\skrill.lnk\r\nC:\\WinddowsUpdateCheck\\ukash.lnk\r\nC:\\WinddowsUpdateCheck\\western union.lnk\r\nUpdate as of July 4, 2017, 9:50 PM PDT\r\nRETADUP’s original code resembles another malware, ROWMANTI (WORM_ROWMANTI.B), which emerged\r\nin 2015 sporting similar capabilities to RETADUP’s. ROWMANTI, in turn, appears to be derived from the\r\nIPPEDO worm that surfaced a year earlier.\r\nUnderground conversations and code exchanges also know it as “rad worm”, released as a “final pack” in 2014\r\nthat used a Visual Basic Script-based RAT (DUNIHI) controller modified to support “rad-worm”\r\n(IPPEDO). We’ve seen later versions but found that they were simply re-uploads of this “final pack” with\r\npredefined C\u0026C servers rather than the default “Your Domain Here” string.\r\nSnapshot of the controller; it only works with IPPEDO because the initial communication protocol has\r\nbeen changed for ROWMANTI and RETADUP.\r\nThe network protocols of the three malware look alike. 
ROWMANTI and RETADUP’s protocols are similar, for\r\ninstance, but IPPEDO, their predecessor, uses a different separator and keyword at the start of the protocol.\r\nAnother notable difference is that IPPEDO’s communication is in plain text, while ROWMANTI and\r\nRETADUP’s are encoded in Base64. They also differ in the separators and starting string used in their initial\r\nphone-home communications.\r\nThe C\u0026C servers used by ROWMANTI in 2015 also contain the string “rad”, which is the original name of the\r\nmalware used by its developers. We also saw an underground forum post from 2015 showing a code snippet of\r\nthe Domain Generation Algorithm (DGA) section of the worm (by a different malware author), but this DGA code\r\nis present only in RETADUP. This indicates that while RETADUP’s code originated from the “rad-worm”, it\r\nalso integrated code from other malware authors.\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/"
	],
	"report_names": [
		"information-stealer-found-hitting-israeli-hospitals"
	],
	"threat_actors": [],
	"ts_created_at": 1775434765,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17a29eba6a48b78186a512d0e59caa1aa46be022.pdf",
		"text": "https://archive.orkl.eu/17a29eba6a48b78186a512d0e59caa1aa46be022.txt",
		"img": "https://archive.orkl.eu/17a29eba6a48b78186a512d0e59caa1aa46be022.jpg"
	}
}