
Native Language Phishing Campaign Introduces ResolverRAT to Healthcare


ResolverRAT, a newly discovered malware threat identified by Morphisec, has caused concern within the cybersecurity community because of its advanced methods of operation and evasion techniques. The malware is particularly targeting organizations in the healthcare and pharmaceutical sectors, with recent attacks occurring around March 10, 2025.

Named ResolverRAT because of its dynamic and resourceful nature, the malware is adept at running code directly in a computer’s memory, which makes it difficult for traditional, file-based detection methods to identify. It employs multiple layers of evasion techniques against security software, making it a potent threat to organizations that are not prepared to handle such sophisticated attacks.

The distribution of ResolverRAT begins with phishing emails designed to create a sense of urgency or fear in recipients, compelling them to click on malicious links. These emails are highly localized, written in the native language of the targeted country and using alarming subject lines to increase the likelihood of successful infection. The operation is global, targeting organizations worldwide and maximizing its impact through these personalized phishing tactics.

The infection process of ResolverRAT begins with DLL side-loading, a technique that involves placing a malicious DLL file alongside a legitimate program to trigger the malware’s execution. Interestingly, the same executable used in this process has been identified in previous campaigns distributing other malware variants, suggesting a potential connection or shared resources among cybercriminal groups.

ResolverRAT is equipped with various evasion techniques, including code obfuscation, custom network protocols, and in-memory execution, making it challenging to detect and analyze. The malware creates multiple entries in the Windows Registry and installs copies of itself in various locations to ensure persistence on infected systems. It also employs certificate validation and API-resolution techniques to avoid detection, and alters its behavior when it finds itself under scrutiny.

The capabilities of ResolverRAT extend beyond data theft, allowing attackers to gain remote access to compromised systems. This includes stealing sensitive information, executing commands, uploading files, capturing keystrokes, and potentially deploying additional malware. The malware poses a significant threat to sectors like healthcare and pharmaceuticals, emphasizing the importance of proactive defense strategies to mitigate its impact.

In conclusion, ResolverRAT represents a new level of sophistication in malware attacks, combining advanced techniques with resilient infrastructure to target sensitive organizations. The discovery of this malware underscores the ever-evolving nature of cybersecurity threats and the critical need for organizations to enhance their security posture to defend against such complex attacks.

