
New Malware ResolverRAT Targets Healthcare and Pharma Sectors


A remote access Trojan (RAT) known as “ResolverRAT” has recently emerged as a significant threat to organizations within the healthcare and pharmaceutical sectors. Morphisec Threat Labs uncovered this malware, which utilizes advanced in-memory execution and sophisticated evasion techniques to avoid detection and analysis.

Unlike other well-known malware families like Rhadamanthys or Lumma, ResolverRAT sets itself apart with a unique loader and payload architecture. While it may reuse certain binaries and phishing infrastructure from previous campaigns, its internal components and deployment methods are notably original.

One of the key tactics employed by ResolverRAT involves social engineering, where phishing emails in local languages are distributed to employees in various countries. These emails typically revolve around topics like copyright violations or legal matters, indicating a coordinated effort to boost infection rates through cultural tailoring.

The technical architecture of ResolverRAT is complex and designed to evade detection. It is delivered through DLL side-loading, leveraging legitimately signed executables that are vulnerable to side-loading, such as hpreader.exe. Once loaded, the malware runs a memory-resident payload that is encrypted with AES-256 and compressed with GZip. Further layers, including string obfuscation, multi-stage decryption routines, and reflective DLL loading, obscure the payload still more.

In terms of maintaining persistent access, ResolverRAT employs multiple methods such as registry changes and file placement across user directories. It also features a fallback system to retry alternate persistence methods if needed. The command-and-control (C2) communications are secured through a custom certificate validation process that bypasses standard root authorities, along with obfuscated IP rotation and custom protocols to blend in with regular network traffic.

Data exfiltration is managed through chunked transfers to minimize detection risks, while the malware uses multi-threaded command processing with robust error handling to prevent crashes or interruptions. Researchers highlight the sophistication of ResolverRAT, indicating that the threat actor behind it operates at a high technical level.

Morphisec emphasized the resource resolver hijacking employed by ResolverRAT as a prime example of malware evolution. By utilizing a .NET mechanism overlooked by traditional security monitoring systems, ResolverRAT can operate within managed memory and evade detection focused on Win32 API and file system operations.

To combat threats like ResolverRAT, security experts recommend user awareness training to recognize phishing attempts, deploying behavior-based endpoint protection, and conducting regular audits to detect unusual memory activity and unauthorized persistence mechanisms. By staying vigilant and implementing robust security measures, organizations can better protect themselves against evolving malware threats like ResolverRAT.
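The article's delivery and persistence descriptions (a signed host executable side-loading a DLL from a user-writable directory, and autostart registry values pointing into user profiles) map directly onto two checks an audit can run over endpoint telemetry. The script below is an added example, not code from the article or from Morphisec: it evaluates constructed Sysmon-style image-load and registry-set records against those two patterns. Only hpreader.exe is taken from the article; the directory names, SID, DLL name and registry value names are placeholders, and the "user-writable" test is a deliberately simple path heuristic.

```python
"""Audit constructed Sysmon-style records (Event ID 7 image loads, Event ID 13
registry sets) for DLL side-loading from user-writable directories and for
Run-key persistence pointing into user profiles. Added example; all sample
values except hpreader.exe are constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations an unprivileged user can normally write to (heuristic, not exhaustive).
USER_WRITABLE_MARKERS = ("c:\\users\\", "c:\\programdata\\",
                         "%appdata%", "%localappdata%", "%temp%")
# Autostart registry locations to watch; HKLM and HKU/HKCU variants share these suffixes.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


@dataclass(frozen=True)
class ImageLoad:
    process_image: str    # full path of the host executable
    image_loaded: str     # full path of the DLL that was mapped
    process_signed: bool  # Authenticode status of the host
    image_signed: bool    # Authenticode status of the DLL


@dataclass(frozen=True)
class RegistrySet:
    process_image: str  # process that wrote the value
    target_object: str  # full registry path of the value
    details: str        # data written (the autostart command line)


@dataclass(frozen=True)
class Finding:
    kind: str
    process_image: str
    reason: str


def user_writable(path: str) -> bool:
    """Heuristic: does the path sit under a location a normal user can write to?"""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def flag_sideload(ev: ImageLoad) -> Finding | None:
    """Unsigned DLL mapped from the host executable's own directory, with that
    directory user-writable: the side-loading shape described in the article."""
    host_dir = str(PureWindowsPath(ev.process_image).parent).lower()
    dll_dir = str(PureWindowsPath(ev.image_loaded).parent).lower()
    if host_dir != dll_dir or ev.image_signed or not user_writable(ev.image_loaded):
        return None
    host = "signed" if ev.process_signed else "unsigned"
    dll_name = PureWindowsPath(ev.image_loaded).name
    return Finding("dll_sideload", ev.process_image,
                   f"{host} host loaded unsigned {dll_name} from its own user-writable directory")


def flag_run_key(ev: RegistrySet) -> Finding | None:
    """Autostart (Run/RunOnce) value whose command points into a user-writable location."""
    key = ev.target_object.lower()
    if not any(marker in key for marker in RUN_KEY_MARKERS):
        return None
    if not user_writable(ev.details):
        return None
    return Finding("run_key_persistence", ev.process_image,
                   f"{ev.target_object} -> {ev.details}")


def audit(events) -> list[Finding]:
    """Run every record through the check that matches its type and collect findings."""
    findings: list[Finding] = []
    for ev in events:
        if isinstance(ev, ImageLoad):
            f = flag_sideload(ev)
        elif isinstance(ev, RegistrySet):
            f = flag_run_key(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry: hpreader.exe is named in the article, everything else is made up.
READER_DIR = "C:\\Users\\alice\\AppData\\Roaming\\Reader"
SAMPLE_EVENTS = [
    # placeholder DLL name: the article does not name the side-loaded library
    ImageLoad(f"{READER_DIR}\\hpreader.exe", f"{READER_DIR}\\placeholder_dependency.dll", True, False),
    ImageLoad(f"{READER_DIR}\\hpreader.exe", "C:\\Windows\\System32\\advapi32.dll", True, True),
    ImageLoad("C:\\Program Files\\Acme\\app.exe", "C:\\Program Files\\Acme\\helper.dll", True, True),
    RegistrySet(f"{READER_DIR}\\hpreader.exe",
                "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                f"\"{READER_DIR}\\hpreader.exe\""),
    RegistrySet("C:\\Program Files\\Acme\\setup.exe",
                "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\AcmeAgent",
                "\"C:\\Program Files\\Acme\\agent.exe\" --service"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(f"[{finding.kind}] {finding.process_image}: {finding.reason}")
```

Run against the constructed records, the audit raises exactly two findings: the unsigned DLL loaded by hpreader.exe from its own AppData directory, and the Run value that points back into that directory. The benign records (a system DLL loaded by the same host, a signed DLL under Program Files, and a Program Files agent registered under HKLM) produce nothing. In production the same two functions would consume real image-load and registry-set events, and the path heuristic would be replaced by an actual ACL check on the directory.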
