ResolverRAT: A Sophisticated Threat Targeting Healthcare and Pharma with Unprecedented Stealth

In a concerning evolution of cyber threats, a new remote access Trojan named ResolverRAT has surfaced, targeting the sensitive and critical healthcare and pharmaceutical industries. Identified by Morphisec Threat Labs, this malware stands out due to its highly advanced in-memory execution tactics and a stealthy, layered evasion strategy that challenges even the most robust security systems.

ResolverRAT doesn’t follow the beaten path. Unlike malware families such as Rhadamanthys or Lumma, it introduces an original loader-payload framework, even though it shares some reused binaries and phishing infrastructure from earlier operations. Its internal mechanisms, however, are unique, pointing to a sophisticated development effort.

The attackers behind ResolverRAT rely on clever social engineering, sending localized phishing emails in various languages across different regions. These emails pose as legal threats or copyright notices—an approach tailored to increase the likelihood of victim interaction.

ResolverRAT is more than a single piece of malware: it is a carefully orchestrated campaign with the ability to stealthily infiltrate systems, maintain persistence, and exfiltrate sensitive data, all while staying under the radar.

ResolverRAT: Breaking Down the Threat

A Sophisticated Malware Born for Stealth

  • Discovery & Target: ResolverRAT was discovered by Morphisec Threat Labs, and it zeroes in on healthcare and pharmaceutical companies, two sectors rich with sensitive data and critical intellectual property.
  • Key Features: It leverages in-memory execution and layered evasion, making it extremely difficult to detect or analyze.
  • Unique Architecture: Unlike previously known malware, ResolverRAT introduces a novel loader and payload mechanism, pointing to an original and well-funded development.
  • Localized Phishing: Infection begins through social engineering, specifically via phishing emails written in native languages—a tactic that shows global coordination.
  • Technical Execution: Delivered through DLL side-loading, ResolverRAT abuses legitimate signed executables such as hpreader.exe, previously used in other malware like Rhadamanthys.
  • Encrypted Payload: The Trojan’s payload is memory-resident, protected with AES-256 encryption, and compressed using GZip.

  • Deep Obfuscation:
      – String obfuscation with numeric identifiers
      – Encrypted embedded resources
      – A complex decryption state machine featuring hundreds of transition paths
      – Reflective DLL loading, which hides its execution from standard AV solutions
  • Advanced Persistence:
      – Uses registry modifications and user directory placements
      – Implements redundant fallback mechanisms in case one method fails
  • Secure Command and Control (C2):
      – Uses custom certificate validation, bypassing default trust mechanisms
      – Employs IP rotation and custom protocols to blend in with

References:

Reported By: www.infosecurity-magazine.com