Malware Can Hide Within DICOM Medical Images

It has been found that malware can hide within DICOM medical images. These are the type of images that doctors look at when they do X-ray, CT or MRI scans.

An analyst named Markel Picado Ortiz was able to take advantage of a DICOM flaw that allows the “128-byte section at the beginning of the file, called the preamble” to be injected with malware.

“By mixing in with protected health information, malware can effectively exploit the data’s clinical and regulatory implications to evade detection and derail remediation attempts while creating a host of new concerns for security teams, healthcare organizations, and antivirus companies in the process,” Ortiz wrote.

“This vulnerability stands apart as one whose technical potency is derived from not just a software design flaw, but from the clinical and regulatory environment as well,” he added.

If hackers were to exploit the design flaw in DICOM, they’d be able to take advantage of the primary location of the stored images. Ortiz explained that in doing so, they’d be able to more easily distribute other malware, launch multi-stage attacks, and evade detection.

“The fusion of fully-functioning executable malware with HIPAA-protected patient information adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes in ways that did not previously need to be considered,” Ortiz wrote.

“The most obvious use of this flaw is to embed malware inside DICOM images to increase stealth and evade detection,” Ortiz wrote. “There will not be any artifact ‘.exe’ files, as PE/DICOM images can maintain their ‘.dcm’ file extension and still be executed, which makes detection more difficult for analysts and response teams.”

“Further, when an analyst inspects the file, it will open the original DICOM image and display the clinical information as it was pre-infection, giving the initial impression that the file is innocent,” he added. “The malware is essentially cloaking itself in DICOM data.”


The effects on an organization using DICOM are extreme, as this bug also allows attackers to evade antivirus and allows the malware to be used in a multi-prong attack when administrators and analysts open the files.

“While the DICOM standard intends for the field to be used to enable compatibility with non-DICOM image viewers, such as JPG and TIFF images, the standard does not impose any structural requirements on the data inserted into the Preamble,” he added.  
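A triage check defenders can run over stored `.dcm` files, added here as an example and not taken from the original post or from Ortiz's research. It assumes the usual file layout (the 128-byte preamble followed by the `DICM` prefix) and the standard PE header markers; the function names and sample bytes are constructed for illustration.

```python
import struct

PREAMBLE_LEN = 128      # preamble size quoted in the article
DICM_PREFIX = b"DICM"   # 4-byte prefix that follows the preamble
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # the dual-format use the standard intends


def classify_preamble(data: bytes) -> str:
    """Classify what occupies the preamble of a DICOM file (hypothetical helper)."""
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != DICM_PREFIX:
        return "not-dicom"
    preamble = data[:PREAMBLE_LEN]
    if not any(preamble):
        return "empty"                      # all zero bytes: preamble unused
    if preamble[:4] in TIFF_MAGICS:
        return "tiff-header"
    if preamble[:2] == b"MZ":               # DOS/PE header magic
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature, which can
        # sit anywhere later in the file, past the DICM prefix.
        (pe_off,) = struct.unpack_from("<I", preamble, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "mz-magic-only"
    return "unrecognised-data"


def triage(files: dict) -> list:
    """Return names of files whose preamble warrants analyst review."""
    no_review = {"not-dicom", "empty", "tiff-header"}  # not-dicom: out of scope here
    return sorted(n for n, d in files.items() if classify_preamble(d) not in no_review)


def build_sample(preamble: bytes, tail: bytes = b"\x00" * 16) -> bytes:
    """Build a constructed test file: padded preamble + DICM + tail bytes."""
    return preamble.ljust(PREAMBLE_LEN, b"\x00") + DICM_PREFIX + tail


# Constructed samples (marker bytes only, no real image or program content).
mz = bytearray(PREAMBLE_LEN)
mz[0:2] = b"MZ"
struct.pack_into("<I", mz, 0x3C, 0x100)     # e_lfanew -> 0x100
SAMPLES = {
    "clean.dcm": build_sample(b""),
    "dual_tiff.dcm": build_sample(b"II*\x00\x08\x00\x00\x00"),
    "polyglot.dcm": build_sample(bytes(mz), b"\x00" * (0x100 - 132) + b"PE\x00\x00"),
    "odd.dcm": build_sample(b"random notes"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_preamble(blob)}")
```

Because the check reads only the first bytes of each file and never parses the image data, it can run over an archive without rendering or exporting patient information.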

Currently there is no fix for this vulnerability, and it may be best to move to a product that uses JPG or TIFF to avoid this issue.

Patrick Domingues
