New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms
ResolverRAT is a new malware family targeting the healthcare and pharmaceutical industries. It spreads via phishing emails and uses multiple languages to increase its success rate. The malware uses in-memory execution and a complex multi-stage infection process, and has strong anti-analysis capabilities. Targeted countries include Turkey, the Czech Republic and others. 2025-4-14 18:46:27 Author: securityaffairs.com


New malware ‘ResolverRAT’ is targeting healthcare and pharmaceutical firms, using advanced capabilities to steal sensitive data.

Morphisec researchers discovered a new malware dubbed ‘ResolverRAT’ that is targeting healthcare and pharmaceutical firms, using advanced capabilities to steal sensitive data.

ResolverRAT spreads via phishing emails using localized languages and legal lures. Victims download a malicious file triggering the malware. The multi-language tactic suggests a global, targeted campaign aimed at boosting infection success across regions.

“ResolverRAT is a newly identified remote access trojan that combines advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques,” states Morphisec. “Morphisec researchers have coined it ‘Resolver’ due to its heavy reliance on runtime resolution mechanisms and dynamic resource handling, which make static and behavioral analysis significantly more difficult.”

ResolverRAT, spotted as recently as March 10, uses advanced in-memory execution and evasion tactics. Though it shares traits with Rhadamanthys and Lumma RAT campaigns, researchers labeled it as a new malware family, likely linked to shared threat actor infrastructure.

The payload delivery mechanism employed by the threat actors behind this campaign uses DLL side-loading with hpreader.exe to trigger infection, mirroring past Rhadamanthys malware attacks. Overlaps in binaries, phishing themes, and file names suggest shared tools, infrastructure, or a coordinated affiliate model between threat actors.

ResolverRAT operates through a multi-stage process designed to evade detection. The first stage is a loader that decrypts and executes the payload, employing anti-analysis techniques. The payload is AES-256 encrypted and compressed, and the attackers store the keys as obfuscated integers. The malicious code runs entirely in memory after decryption to prevent static analysis. The malware uses string obfuscation to prevent detection and hijacks .NET resource resolvers to inject malicious assemblies without triggering security tools. A complex state machine with non-sequential transitions further complicates analysis. ResolverRAT also ensures persistence by creating multiple registry entries and files in various locations, including the AppData, Program Files, and User Startup folders. This redundancy ensures that the malware remains active even if some persistence methods fail.

ResolverRAT supports certificate-based authentication to bypass SSL inspection tools, creating a private validation chain between the implant and C2. It also employs resilient C2 infrastructure with IP rotation and fallback capabilities. Evasion techniques include custom protocols over standard ports, certificate pinning, extensive code obfuscation, irregular connection patterns, and serialized data exchange with Protocol Buffers, making it harder to detect and analyze.

“The command processing logic reveals a complex multi-threaded architecture:” continues the analysis.


“This implementation:

  • Implements robust error handling to prevent connection failures from crashing the malware
  • Uses a length-prefixed protocol where each command is preceded by its size
  • Processes each received command in a dedicated thread”
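For an analyst reconstructing a captured session of a length-prefixed command channel like the one the analysis describes, the practical problem is that frames straddle TCP chunk boundaries. The framer below is an added example for that task, not code from Morphisec or from the malware; it assumes a 4-byte little-endian size prefix (the report does not state the width or byte order) and caps the frame size so a corrupt or mis-guessed prefix cannot make the reader buffer indefinitely.

```python
import struct
from typing import Iterable, List

# Assumption (not stated in the report): 4-byte little-endian unsigned length.
# Change PREFIX_FMT if inspection of a real capture shows a different layout.
PREFIX_FMT = "<I"
PREFIX_LEN = struct.calcsize(PREFIX_FMT)
MAX_FRAME = 16 * 1024 * 1024  # sanity cap: reject implausible lengths instead of buffering forever


class FrameError(ValueError):
    """Length prefix is implausible: corrupt data or a wrong framing guess."""


class LengthPrefixedFramer:
    """Reassembles whole command frames from arbitrarily split stream chunks."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> List[bytes]:
        """Append one captured chunk; return every frame completed by it."""
        self._buf.extend(chunk)
        frames: List[bytes] = []
        while len(self._buf) >= PREFIX_LEN:
            (size,) = struct.unpack_from(PREFIX_FMT, self._buf, 0)
            if size > MAX_FRAME:
                raise FrameError(f"implausible frame length {size}; wrong prefix format?")
            if len(self._buf) < PREFIX_LEN + size:
                break  # frame still incomplete; wait for the next chunk
            frames.append(bytes(self._buf[PREFIX_LEN:PREFIX_LEN + size]))
            del self._buf[:PREFIX_LEN + size]
        return frames

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._buf)


def frame(payload: bytes) -> bytes:
    """Build one length-prefixed frame (used only to construct sample input)."""
    return struct.pack(PREFIX_FMT, len(payload)) + payload


def reassemble(chunks: Iterable[bytes]) -> List[bytes]:
    """Run the framer over a sequence of captured chunks and collect all complete frames."""
    framer = LengthPrefixedFramer()
    out: List[bytes] = []
    for chunk in chunks:
        out.extend(framer.feed(chunk))
    return out


# Constructed sample: three commands, with the stream split at awkward points (mid-prefix, mid-frame).
SAMPLE_STREAM = frame(b"cmd:ping") + frame(b"cmd:sysinfo") + frame(b"")
SAMPLE_CHUNKS = [SAMPLE_STREAM[:3], SAMPLE_STREAM[3:15], SAMPLE_STREAM[15:]]
```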

The threat actor targets users in multiple countries with phishing emails in native languages, often referencing legal investigations or copyright violations to increase credibility. The countries targeted by the threat actor include:

  • Turkey (Turkish)
  • Czech Republic
  • India (Hindi)
  • Indonesia
  • Italy (Italian)
  • Portugal (Portuguese)

Morphisec’s report includes Indicators of Compromise (IoCs) for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, ResolverRAT)

Source: https://securityaffairs.com/176537/malware/new-malware-resolverrat-targets-healthcare-pharmaceutical-firms.html