CyberSecurity news
FlagThis
Pierluigi Paganini@securityaffairs.com
//
A newly discovered remote access trojan (RAT) called ResolverRAT is actively targeting healthcare and pharmaceutical organizations worldwide. Security researchers at Morphisec have identified this sophisticated malware as a new threat, noting its advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques. ResolverRAT is designed for stealth and resilience, making static and behavioral analysis significantly more difficult. The malware has been observed in attacks as recently as March 10, indicating an ongoing campaign.
ResolverRAT spreads through meticulously crafted phishing emails, often employing fear-based lures to pressure recipients into clicking malicious links. These emails are localized, using languages spoken in targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. The content often revolves around legal investigations or copyright violations to induce a sense of urgency. The infection chain initiates through DLL side-loading, with a legitimate executable used to inject ResolverRAT into memory, a technique previously observed in Rhadamanthys malware attacks.
Once deployed, ResolverRAT utilizes a multi-stage bootstrapping process engineered for stealth. The malware employs encryption and compression and exists only in memory after decryption to prevent static analysis. It also incorporates redundant persistence methods via the Windows Registry and file system. Furthermore, ResolverRAT uses a bespoke certificate-based authentication to communicate with its command-and-control (C2) server, bypassing machine root authorities and implementing an IP rotation system to connect to alternate C2 servers if necessary. These advanced C2 infrastructure capabilities indicate a sophisticated threat actor combining secure communications and fallback mechanisms.
ImgSrc: securityaffairs
References :
ResolverRAT spreads through meticulously crafted phishing emails, often employing fear-based lures to pressure recipients into clicking malicious links. These emails are localized, using languages spoken in targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. The content often revolves around legal investigations or copyright violations to induce a sense of urgency. The infection chain initiates through DLL side-loading, with a legitimate executable used to inject ResolverRAT into memory, a technique previously observed in Rhadamanthys malware attacks.
Once deployed, ResolverRAT utilizes a multi-stage bootstrapping process engineered for stealth. The malware employs encryption and compression and exists only in memory after decryption to prevent static analysis. It also incorporates redundant persistence methods via the Windows Registry and file system. Furthermore, ResolverRAT uses a bespoke certificate-based authentication to communicate with its command-and-control (C2) server, bypassing machine root authorities and implementing an IP rotation system to connect to alternate C2 servers if necessary. These advanced C2 infrastructure capabilities indicate a sophisticated threat actor combining secure communications and fallback mechanisms.
ImgSrc: securityaffairs
Share:
References :
- securityaffairs.com: SecurityAffairs: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms
- The Hacker News: The Hacker News: ResolverRAT Campaign Targets Healthcare, Pharma via Phishing and DLL Side-Loading
- BleepingComputer: BleepingComputer: New ResolverRAT malware targets pharma and healthcare orgs worldwide
- ciso2ciso.com: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms – Source: securityaffairs.com
- ciso2ciso.com: New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms – Source: securityaffairs.com
- bsky.app: A new remote access trojan (RAT) called 'ResolverRAT' is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors.
- Anonymous ???????? :af:: ResolverRAT is hitting healthcare and pharma sectors hard — phishing, fear-bait, stealth attacks.
- industrialcyber.co: ResolverRAT malware attacks pharma and healthcare organizations via phishing and DLL side-loading
- Industrial Cyber: ResolverRAT malware attacks pharma and healthcare organizations via phishing and DLL side-loading
- www.scworld.com: Novel ResolverRAT trojan launched in global attacks against healthcare, pharma
- Tech Monitor: Researchers identify new ResolverRAT cyber threat affecting global healthcare organisations
- Security Risk Advisors: 🚩 ResolverRAT Malware Campaign Targets Healthcare and Pharmaceutical Sectors
- www.morphisec.com: ResolverRAT Malware Campaign Targets Healthcare and Pharmaceutical Sectors
- www.csoonline.com: New ResolverRAT malware targets healthcare and pharma orgs worldwide
- Virus Bulletin: Morphisec's Nadav Lorber analyses ResolverRAT, a newly identified remote access trojan that combines advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques.
- securityonline.info: A new remote access trojan (RAT) has emerged, and it’s armed with advanced techniques to evade detection. Morphisec The post appeared first on .
- Blog: New ResolverRAT sniffs around healthcare & pharmaceutical organizations
Classification:
- HashTags: #malware #phishing #healthcare
- Company: Healthcare
- Target: Healthcare and Pharmaceutical firms
- Attacker: Morphisec
- Product: Remote Access Trojan
- Feature: Data Exfiltration
- Malware: ResolverRAT
- Type: Malware
- Severity: Major