
New Malware ResolverRAT Targets Healthcare and Pharma Sectors


A remote access Trojan (RAT) known as “ResolverRAT” has recently emerged as a significant threat to organizations within the healthcare and pharmaceutical sectors. Morphisec Threat Labs uncovered this malware, which utilizes advanced in-memory execution and sophisticated evasion techniques to avoid detection and analysis.

Unlike well-known malware families such as Rhadamanthys or Lumma, ResolverRAT sets itself apart with a unique loader and payload architecture. While it may reuse certain binaries and phishing infrastructure from previous campaigns, its internal components and deployment methods are notably original.

One of the key tactics employed by ResolverRAT involves social engineering, where phishing emails in local languages are distributed to employees in various countries. These emails typically revolve around topics like copyright violations or legal matters, indicating a coordinated effort to boost infection rates through cultural tailoring.

The technical architecture of ResolverRAT is complex and designed to evade detection. It is delivered through DLL side-loading, leveraging vulnerable but signed executables like hpreader.exe. Once loaded, the malware runs a memory-resident payload that is encrypted with AES-256 and compressed using GZip. Additional layers of obfuscation, such as string obfuscation, complex decryption mechanisms, and reflective DLL loading, further obscure the payload.
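The side-loading step described above leaves a recognisable shape in endpoint telemetry: a validly signed executable loads a DLL from its own directory, that directory is one a normal user can write to, and the DLL is unsigned or carries a different publisher than the host. The following detection heuristic is an added example, not Morphisec's code; the events are constructed and modelled on Sysmon Event ID 7 (ImageLoaded) fields, with two extra fields (HostSignature, HostSignatureStatus) assumed to have been joined in from the process-create event. hpreader.exe is taken from the article; the DLL name, paths and signer names are placeholders.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example, not Morphisec's code. Events are constructed and modelled
on Sysmon Event ID 7 (ImageLoaded) fields, plus two fields (HostSignature,
HostSignatureStatus) assumed to be joined in from the process-create
event so the host EXE's signer is available in the same record.
"""
from pathlib import PureWindowsPath

# Install roots that a standard user cannot write to; a DLL loaded from
# here beside its EXE is the normal case, not a side-load (assumed layout).
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_protected_root(path: str) -> bool:
    return any(path.lower().startswith(root) for root in PROTECTED_ROOTS)


def sideload_candidate(ev: dict) -> bool:
    """True when a validly signed host EXE loads a DLL from its own,
    user-writable directory and the DLL is unsigned or signed by a
    different publisher than the host."""
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if host.parent != dll.parent:              # side-loading relies on the DLL sitting beside the EXE
        return False
    if in_protected_root(str(dll.parent)):     # expected load from an install directory
        return False
    if ev["HostSignatureStatus"] != "Valid":   # only signed hosts lend the DLL their trust
        return False
    dll_signed_ok = ev["SignatureStatus"] == "Valid"
    return (not dll_signed_ok) or ev["Signature"] != ev["HostSignature"]


def find_sideloads(events):
    """Return the loaded-image paths that match the heuristic."""
    return [ev["ImageLoaded"] for ev in events if sideload_candidate(ev)]


# Constructed sample telemetry; signer names and the DLL name are placeholders.
SAMPLE_EVENTS = [
    {   # signed reader EXE dropped in Downloads loading an unsigned DLL next to it
        "Image": r"C:\Users\alice\Downloads\hpreader.exe",
        "HostSignatureStatus": "Valid", "HostSignature": "PLACEHOLDER-VENDOR",
        "ImageLoaded": r"C:\Users\alice\Downloads\example_plugin.dll",
        "SignatureStatus": "Unavailable", "Signature": "",
    },
    {   # same pairing from a proper install directory: benign
        "Image": r"C:\Program Files\PlaceholderVendor\hpreader.exe",
        "HostSignatureStatus": "Valid", "HostSignature": "PLACEHOLDER-VENDOR",
        "ImageLoaded": r"C:\Program Files\PlaceholderVendor\example_plugin.dll",
        "SignatureStatus": "Valid", "Signature": "PLACEHOLDER-VENDOR",
    },
    {   # system DLL from System32: different directory, benign
        "Image": r"C:\Users\alice\Downloads\hpreader.exe",
        "HostSignatureStatus": "Valid", "HostSignature": "PLACEHOLDER-VENDOR",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
    },
]

if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

The protected-root check is what keeps the rule quiet on ordinary installs, where a vendor's own DLLs legitimately sit beside its signed executable; in a real deployment the list of roots and the signer comparison should be tuned to the environment's software inventory.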

In terms of maintaining persistent access, ResolverRAT employs multiple methods such as registry changes and file placement across user directories. It also features a fallback system to retry alternate persistence methods if needed. The command-and-control (C2) communications are secured through a custom certificate validation process that bypasses standard root authorities, along with obfuscated IP rotation and custom protocols to blend in with regular network traffic.

Data exfiltration is managed through chunked transfers to minimize detection risks, while the malware uses multi-threaded command processing with robust error handling to prevent crashes or interruptions. Researchers highlight the sophistication of ResolverRAT, indicating that the threat actor behind it operates at a high technical level.
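Chunked transfers keep each request small, but a fixed chunk size means the requests to one destination are nearly identical in size and arrive in a burst. The following detection logic is an added example, not Morphisec's code, run over constructed proxy log lines; it flags a source host that sends at least a minimum number of POSTs to the same destination inside a short window when most of those bodies share one exact size. The log format, thresholds and addresses are assumptions.

```python
"""Spot chunked outbound uploads in proxy logs.

Added example, not Morphisec's code. The log lines below are constructed;
the rule flags a source that POSTs many near-identically sized bodies to
one destination inside a short window, which is the shape a fixed-size
chunked transfer leaves even when each request is individually small.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp source destination method request_bytes
SAMPLE_LOG = """\
2025-04-10T09:00:01 10.0.5.21 203.0.113.10 POST 65536
2025-04-10T09:00:09 10.0.5.21 203.0.113.10 POST 65536
2025-04-10T09:00:17 10.0.5.21 203.0.113.10 POST 65536
2025-04-10T09:00:25 10.0.5.21 203.0.113.10 POST 65536
2025-04-10T09:00:33 10.0.5.21 203.0.113.10 POST 65536
2025-04-10T09:00:41 10.0.5.21 203.0.113.10 POST 65536
2025-04-10T09:00:49 10.0.5.21 203.0.113.10 POST 65536
2025-04-10T09:00:57 10.0.5.21 203.0.113.10 POST 65536
2025-04-10T09:01:05 10.0.5.21 203.0.113.10 POST 65536
2025-04-10T09:01:13 10.0.5.21 203.0.113.10 POST 12288
2025-04-10T09:00:05 10.0.5.40 198.51.100.7 POST 1834
2025-04-10T09:02:11 10.0.5.40 198.51.100.7 POST 240
2025-04-10T09:03:40 10.0.5.40 198.51.100.7 GET 0
2025-04-10T09:05:02 10.0.5.40 198.51.100.7 POST 9917
"""


def parse_log(text):
    """Yield (timestamp, src, dst, method, bytes) tuples from the log text."""
    for line in text.strip().splitlines():
        ts, src, dst, method, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, method, int(nbytes)


def chunked_upload_alerts(text, min_chunks=8, window=timedelta(minutes=15), min_uniform=0.8):
    """Return one alert per (src, dst) pair whose POSTs look like a chunked upload.

    A window holding at least `min_chunks` POSTs counts when at least
    `min_uniform` of them share one exact size (a short final chunk is tolerated).
    """
    posts = defaultdict(list)
    for ts, src, dst, method, nbytes in parse_log(text):
        if method == "POST":
            posts[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), reqs in posts.items():
        reqs.sort()
        for i in range(len(reqs)):
            j = i
            while j < len(reqs) and reqs[j][0] - reqs[i][0] <= window:
                j += 1                               # extend the window from request i
            sizes = [n for _, n in reqs[i:j]]
            if len(sizes) < min_chunks:
                continue
            dominant = Counter(sizes).most_common(1)[0][1] / len(sizes)
            if dominant >= min_uniform:
                alerts.append({"src": src, "dst": dst, "chunks": len(sizes), "bytes": sum(sizes)})
                break                                # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in chunked_upload_alerts(SAMPLE_LOG):
        print(alert)
```

Using the share of requests at the single most common size, rather than the variance of the sizes, is deliberate: the last chunk of a file is usually smaller, and a variance test would let that one request hide the whole transfer.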

Morphisec emphasized the resource resolver hijacking employed by ResolverRAT as a prime example of malware evolution. By utilizing a .NET mechanism overlooked by traditional security monitoring systems, ResolverRAT can operate within managed memory and evade detection focused on Win32 API and file system operations.

To combat threats like ResolverRAT, security experts recommend user awareness training to recognize phishing attempts, deploying behavior-based endpoint protection, and conducting regular audits to detect unusual memory activity and unauthorized persistence mechanisms. By staying vigilant and implementing robust security measures, organizations can better protect themselves against evolving malware threats like ResolverRAT.
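The persistence audit recommended above can be made concrete by checking an autostart inventory for the two patterns the article attributes to ResolverRAT: binaries launched from user-writable directories, and the same binary registered in several persistence locations at once, which is what a fallback scheme looks like from the outside. The script below is an added example, not Morphisec's code; the autostart entries are constructed, and the hpreader.exe path under AppData is a placeholder for a staging location, not a path reported for the real campaign.

```python
"""Audit autostart entries for binaries launched from user-writable
directories and for one binary registered in several persistence
locations at once (a fallback layout).

Added example, not Morphisec's code. The entries are constructed; the
hpreader.exe path under AppData is a placeholder for where a side-loaded
reader might be staged, not a path reported for the real campaign.
"""
from collections import defaultdict

# Substrings that mark locations a standard user can write to (assumed set).
USER_WRITABLE_HINTS = (
    "\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\",
    "%appdata%", "%localappdata%", "%temp%",
)


def extract_exe(command: str) -> str:
    """Return the executable path from an autostart command line, lower-cased.
    Handles a quoted path with spaces or a bare path followed by arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)].lower()
    return cmd.split()[0].lower()


def audit_persistence(entries):
    """entries: iterable of (location, name, command) tuples.
    Returns a list of (executable, reason) findings."""
    findings = []
    locations_by_exe = defaultdict(set)
    for location, name, command in entries:
        exe = extract_exe(command)
        locations_by_exe[exe].add(location)
        if any(hint in exe for hint in USER_WRITABLE_HINTS):
            findings.append((exe, f"{location}\\{name}: launched from a user-writable directory"))
    for exe, locations in locations_by_exe.items():
        if len(locations) >= 2:                      # redundant registrations suggest a fallback scheme
            findings.append((exe, f"registered in {len(locations)} persistence locations"))
    return findings


# Constructed autostart export: (location, value name, command line)
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "VendorUpdater",
     r'"C:\Program Files\PlaceholderVendor\updater.exe" /quiet'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Reader",
     r'"C:\Users\alice\AppData\Roaming\Reader\hpreader.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Reader",
     r'"C:\Users\alice\AppData\Roaming\Reader\hpreader.exe"'),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "Reader.lnk",
     r"C:\Users\alice\AppData\Roaming\Reader\hpreader.exe"),
]

if __name__ == "__main__":
    for exe, reason in audit_persistence(SAMPLE_ENTRIES):
        print(f"{exe}: {reason}")
```

Run against a real export, the user-writable check will also surface legitimate per-user installers, so the output is a review list rather than a verdict; the multi-location finding is the more specific signal and is worth correlating with the image-load and network observations from the same host.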

