Organizations in the healthcare and pharmaceutical sectors have been targeted with a new, sophisticated malware family, according to an advisory from cybersecurity firm Morphisec.
Dubbed ResolverRAT and observed in attacks as recently as March 10, the malware packs advanced in-memory execution and layered evasion capabilities, and heavily relies on runtime resolution mechanisms and dynamic resource handling.
Despite similarities in lures, binary use, and payload delivery with previously documented phishing campaigns delivering Rhadamanthys and Lumma RATs, Morphisec researchers consider ResolverRAT to be a new malware family.
“The alignment in payload delivery mechanisms, artifact reuse, and lure themes indicates a possible overlap in threat actor infrastructure or operational playbooks, potentially pointing to a shared affiliate model or coordinated activity among related threat groups,” according to the advisory.
Using fear-based lures, the phishing emails distributing the new malware trick corporate employees into clicking a link directing them to download and open a file that leads to ResolverRAT’s execution.
The threat actor has been targeting users in multiple countries with emails in the recipients’ native languages, such as Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish, often referencing legal investigations or copyright violations.
The infection chain leverages DLL search order hijacking, relying on a vulnerable executable to load a malicious DLL placed in its directory. At the first stage of the execution chain, a loader that uses multiple anti-analysis techniques decrypts, loads, and runs the malicious payload.
The ResolverRAT payload is compressed and protected using AES-256 encryption, with the keys stored as obfuscated integers, and exists only in memory after decryption.
For persistence, the malware creates up to 20 registry entries in multiple locations and obfuscates registry key names and file paths, while also installing itself in multiple locations.
ResolverRAT also implements several mechanisms to protect its command-and-control (C&C) infrastructure, including a parallel trust system for certificate validation that can bypass root authorities by creating a private validation chain between the implant and the C&C.
It also implements a sophisticated IP rotation system for fallback options in the event the C&C becomes unavailable, implements a custom C&C communication protocol but uses standard ports to hide within legitimate traffic, schedules connections at random intervals, and uses ProtoBuf for data serialization.
The RAT features a multi-threaded architecture for command processing, implements robust error handling to prevent crashing, implements persistent connectivity capabilities, and breaks large data sets into chunks for transmission.
In the command-and-control configuration, the company said it identified fields that enable its operators to track individual infections and organize them across campaigns. Specific authentication tokens are used for each victim, the cybersecurity firm says.
Related: ESET Vulnerability Exploited for Stealthy Malware Execution
Related: CISA Analyzes Malware Used in Ivanti Zero-Day Attacks
Related: macOS Users Warned of New Versions of ReaderUpdate Malware
