Sophisticated new ResolverRAT malware targeting healthcare and pharmaceutical sectors


- Security researchers spot a new trojan called ResolverRAT
- It comes with advanced obfuscation and persistence mechanisms
- It targets healthcare and pharma organizations around the world

There is a brand new Remote Access Trojan (RAT) making the rounds on the internet, infecting healthcare and pharmaceutical organizations around the world.
Cybersecurity researchers at Morphisec Labs named it ResolverRAT, and while it comes with advanced obfuscation and stealth evasion techniques, its distribution is rather ordinary.
The attack starts with the usual phishing email, scaring the victim into making a rash, reckless decision. The attackers localize the emails, in an attempt to improve infection rates, but are still casting a relatively wide net. With that in mind, the researchers found phishing emails in Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian.
Social disorder
The attachment is deployed via side-loaded DLL files which, if triggered, drop a loader directly into memory. The loader, in turn, deploys the final malware payload, also only in memory.
But that’s not the only way ResolverRAT tries to fly under the radar. It uses both encryption and compression and goes the extra mile to persist on the target endpoints.
“The ResolverRAT’s initialization sequence reveals a sophisticated, multi-stage bootstrapping process engineered for stealth and resilience,” the researchers said, adding that it “implements multiple redundant persistence methods” through Windows Registry.
Ultimately, ResolverRAT installs itself in different locations across the computer.
Other notable features include using certificate-based authentication to bypass root authorities, an IP rotation system to connect to different C2 servers, certificate pinning, source code obfuscation, and more.
“This advanced C2 infrastructure demonstrates the advanced capabilities of the threat actor, combining secure communications, fallback mechanisms, and evasion techniques designed to maintain persistent access while evading detection by security monitoring systems,” Morphisec said.
The last time the campaign was observed in the wild was in mid-March this year, which could suggest that it’s still ongoing.
The threat actors deploying ResolverRAT could be the same ones dropping Lumma and Rhadamanthys, since the same deployment mechanisms were seen in all cases. It could also mean that the groups were simply using the same phishing kit.
Via The Hacker News