New ResolverRAT Malware Targets Global Healthcare and Pharmaceutical Sectors

A new remote access trojan (RAT) named ResolverRAT has emerged as a potent threat targeting healthcare and pharmaceutical organizations worldwide. Recent reports indicate that the malware has been distributed primarily through phishing emails disguised as legal or copyright-violation notices, localized to the language of each targeted region.

The phishing campaigns aim to lure victims into downloading a legitimate executable file named ‘hpreader.exe’. Once run, this file is leveraged to inject the malware directly into the system’s memory using reflective DLL loading techniques. This new threat was disclosed by Morphisec, who indicated that the same phishing framework had previously been noted in research from Check Point and Cisco Talos, though those analyses did not identify ResolverRAT’s distinct payload, which differs from previously identified threats such as the Rhadamanthys and Lumma stealers.

ResolverRAT operates with a high degree of stealth, entirely within memory, and takes advantage of the .NET ‘ResourceResolve’ event to load malicious assemblies. This approach allows it to circumvent traditional security measures that largely monitor API calls and file system interactions. Morphisec has described this tactic as a sophisticated evolution of malware, utilizing overlooked .NET mechanisms for concealed operations. The malware’s evasion capabilities extend to intricate control flow obfuscation, making static analysis extraordinarily challenging.

In terms of persistence, ResolverRAT utilizes XOR-obfuscated keys and embeds itself within the Windows Registry across up to 20 locations. The malware is designed to schedule callbacks at random intervals, blending its network traffic patterns with regular traffic to escape detection. Additionally, it includes data exfiltration capabilities, enabled through a chunking mechanism that splits large files into smaller 16KB segments. This strategy assists in bypassing detection because it mimics normal data transfer behavior. Morphisec detected phishing attempts in numerous languages, including Italian, Czech, Hindi, Turkish, Portuguese, and Indonesian, indicating a global scope and the potential for further expansion of its operations [Morphisec].
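Two of the behaviours above, XOR-obfuscated registry persistence values and fixed-size chunked uploads sent at irregular intervals, lend themselves to simple defender-side triage. The following Python is an added illustration, not code from the article or from Morphisec. It assumes a single-byte XOR scheme (the article does not describe ResolverRAT's actual key handling), assumes a few "crib" strings an analyst would expect in a decoded persistence value, and runs on constructed sample data: a made-up registry blob and made-up flow records, not real indicators.

```python
"""Defender-side triage helpers: recover a single-byte-XOR registry value, and flag
chunked uploads by size rather than by beacon period. All sample data is constructed."""
import statistics
from collections import defaultdict

# --- Part 1: single-byte-XOR recovery of a registry value ----------------------------
# Constructed sample: a path XORed with one byte (0x5A). The real key scheme is unknown;
# single-byte XOR is an assumption for this example.
SAMPLE_PLAINTEXT = b"C:\\Users\\Public\\hpreader.exe"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)

# Multi-byte strings an analyst expects in a decoded persistence value (assumed cribs).
# Single-character cribs are too weak: many keys map ASCII to other ASCII.
CRIBS = (b".exe", b".dll", b"C:\\", b"http")


def is_printable(data: bytes) -> bool:
    """Registry values that are not printable text are candidates for decoding."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def recover_single_byte_xor(blob: bytes, cribs=CRIBS):
    """Try all 256 keys; accept the first key whose output is printable AND contains a crib.
    Note that a constant XOR does not change byte entropy, so entropy alone cannot flag it.
    Returns (key, plaintext) or None."""
    for key in range(256):
        candidate = bytes(b ^ key for b in blob)
        if is_printable(candidate) and any(c in candidate for c in cribs):
            return key, candidate
    return None


# --- Part 2: chunked-upload detection that does not depend on a regular beacon period ---
# Constructed flow records: (seconds since capture start, destination, bytes sent by host).
SAMPLE_FLOWS = [
    (0, "198.51.100.7", 16384), (37, "198.51.100.7", 16384), (151, "198.51.100.7", 16384),
    (163, "198.51.100.7", 16384), (402, "198.51.100.7", 16384), (540, "198.51.100.7", 9120),
    (20, "203.0.113.9", 812), (21, "203.0.113.9", 1330), (400, "203.0.113.9", 2048),
]


def chunked_upload_summary(flows, chunk_size=16384, min_chunks=4, tolerance=64):
    """Group flows by destination; report destinations that received at least min_chunks
    transfers sized within tolerance of chunk_size. The interval jitter (std/mean of the
    gaps between chunk flows) is included to show why a fixed-period beacon rule would
    miss traffic sent at random intervals, while the size signature still stands out."""
    by_dst = defaultdict(list)
    for ts, dst, nbytes in flows:
        by_dst[dst].append((ts, nbytes))

    findings = {}
    for dst, records in by_dst.items():
        records.sort()
        chunk_times = [ts for ts, n in records if abs(n - chunk_size) <= tolerance]
        if len(chunk_times) < min_chunks:
            continue
        gaps = [b - a for a, b in zip(chunk_times, chunk_times[1:])]
        jitter = statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) > 1 else 0.0
        findings[dst] = {
            "chunk_flows": len(chunk_times),
            "bytes_in_chunks": sum(n for _, n in records if abs(n - chunk_size) <= tolerance),
            "interval_jitter": round(jitter, 2),
        }
    return findings


if __name__ == "__main__":
    print("registry value:", recover_single_byte_xor(SAMPLE_BLOB))
    print("chunked uploads:", chunked_upload_summary(SAMPLE_FLOWS))
```

The crib check matters more than it looks: with ASCII plaintext, several keys produce fully printable output, so a printable-only test picks the wrong key; the multi-byte crib disambiguates. The size-based rule likewise tolerates the random callback timing the article describes, because it keys on the repeated 16KB transfers rather than on a periodic interval.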