Sophisticated new ResolverRAT malware targeting healthcare and pharmaceutical sectors
The RAT loads in memory only and tries hard to persist on infected endpoints.
- Security researchers spot a new trojan called ResolverRAT
- It comes with advanced obfuscation and persistence mechanisms
- It targets healthcare and pharma organizations around the world
There is a brand new Remote Access Trojan (RAT) making rounds on the internet, infecting organizations around the world working in healthcare and pharmacy.
Cybersecurity researchers Morphisec Labs named it ResolverRAT, and while it comes with advanced obfuscation and stealth evasion techniques, its distribution is rather ordinary.
The attack starts with the usual phishing email, scaring the victim into making a rash, reckless decision. The attackers localize the emails, in an attempt to improve infection rates, but are still casting a relatively wide net. With that in mind, the researchers found phishing emails in Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian.
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)View Deal
Social disorder
The attachment is being deployed via side-loaded DLL files which, if triggered, drop a loader directly into the memory. The loader, in turn, deploys the final malware payload - also only in memory.
But that’s not the only way ResolverRAT tries to fly under the radar. It uses both encryption and compression and goes the extra mile to persist on the target endpoints.
"The ResolverRAT's initialization sequence reveals a sophisticated, multi-stage bootstrapping process engineered for stealth and resilience," the researchers said, adding that it "implements multiple redundant persistence methods" through Windows Registry.
Ultimately, ResolverRAT installs itself in different locations across the computer.
Other notable features include using certificate-based authentication to bypass root authorities, an IP rotation system to connect to different C2 servers, certificate pinning, source code obfuscation, and more.
"This advanced C2 infrastructure demonstrates the advanced capabilities of the threat actor, combining secure communications, fallback mechanisms, and evasion techniques designed to maintain persistent access while evading detection by security monitoring systems," Morphisec said.
The last time the campaign was observed in the wild was in mid-March this year, which could suggest that it’s still ongoing.
The threat actors deploying ResolverRAT could be the same ones dropping Lumma and Rhadamanthys, since the same deployment mechanisms were seen in all cases. It could also mean that the groups were simply using the same phishing kit.
Via The Hacker News
You might also like
- Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
![How to Find Low-Competition Keywords with Semrush [Super Easy]](https://static.semrush.com/blog/uploads/media/73/62/7362f16fb9e460b6d58ccc09b4a048b6/how-to-find-low-competition-keywords-sm.png)
