A newly discovered remote access trojan (RAT), dubbed ResolverRAT, is being actively used in targeted cyberattacks against healthcare and pharmaceutical entities across various countries. Identified by cybersecurity researchers at Morphisec, the malware is delivered through phishing emails and uses in-memory execution tactics that allow it to bypass most traditional endpoint security solutions.
The attack campaign is tailored to different regions, with phishing messages crafted in native languages such as Czech, Italian, Turkish, Hindi, Portuguese, and Indonesian. These deceptive emails often reference legal or copyright-related issues to lure users into clicking malicious links. Victims unknowingly download a legitimate executable, hpreader.exe, which is manipulated through a technique called reflective DLL loading—executing the malicious code entirely in memory.
Morphisec researchers note that the attack leverages DLL side-loading: by placing a malicious DLL alongside a trusted but vulnerable application, the malware is executed when the genuine software is launched. Further, ResolverRAT exploits the .NET ‘ResourceResolve’ event to load malicious assemblies, avoiding typical flagged API calls.
“This resource resolver hijacking represents malware evolution at its finest – utilizing an overlooked .NET mechanism to operate entirely within managed memory, circumventing traditional security monitoring focused on Win32 API and file system operations,” wrote Morphisec’s Nadav Lorber in a blog post.
ResolverRAT is equipped with multiple anti-analysis capabilities. It features a complex state machine that obfuscates its control flow and fingerprints system behaviors, making it difficult for sandboxes and debugging tools to detect or analyze.
To maintain persistence, the malware writes XOR-obfuscated keys into up to 20 Windows registry entries and replicates itself in directories such as Startup and LocalAppData. It connects to its command-and-control (C2) server at irregular intervals, further concealing its network activity from pattern-based detection tools.
The RAT handles commands using separate threads, which enables parallel task execution and reduces crash risks. For data exfiltration, it employs a chunked transfer method—splitting files larger than 1MB into smaller 16KB segments sent only when the socket is ready, a strategy that supports stealth and transfer recovery in poor network conditions.
ResolverRAT encrypts its payload with AES-256 in CBC mode via the .NET System.Security.Cryptography library. The keys and IVs are obfuscated and only decoded at runtime. Additionally, the payload is compressed using GZip and runs exclusively in memory to minimize detection risk.
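The packing order above (GZip, then AES-256-CBC with a runtime-decoded key and IV) is exactly what an analyst has to reverse once the key and IV have been pulled from a running sample. The following Go program is an added example written for this article, not code from Morphisec or from the malware; it assumes PKCS#7 padding (the .NET Aes default), takes the 32-byte key and 16-byte IV as inputs rather than modelling the sample's own key obfuscation, and uses a constructed key, IV and payload stand-in so it runs offline. The wrap function exists only to build that fixture; the part a defender reuses is `unwrapPayload`, which fails closed on a wrong key instead of handing back garbage.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"io"
)

// stripPKCS7 removes PKCS#7 padding and rejects malformed padding, which is the
// first signal an analyst gets that the recovered key or IV is wrong.
func stripPKCS7(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	pad := int(b[len(b)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(b) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	for _, v := range b[len(b)-pad:] {
		if int(v) != pad {
			return nil, errors.New("invalid PKCS#7 padding")
		}
	}
	return b[:len(b)-pad], nil
}

// unwrapPayload reverses the packing order the article describes: AES-256-CBC
// decrypt, drop the padding, then GZip-decompress. The 32-byte key and 16-byte
// IV are assumed to have been recovered from the sample at runtime (assumption).
func unwrapPayload(blob, key, iv []byte) ([]byte, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, errors.New("need a 32-byte AES-256 key and a 16-byte IV")
	}
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, blob)
	unpadded, err := stripPKCS7(plain)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(unpadded))
	if err != nil {
		return nil, fmt.Errorf("not a gzip stream after decryption: %w", err)
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// wrapPayload builds a fixture in the same layout (gzip, PKCS#7 pad, AES-CBC)
// so the unwrapper can be exercised offline on constructed data.
func wrapPayload(plain, key, iv []byte) ([]byte, error) {
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	if _, err := zw.Write(plain); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	data := gz.Bytes()
	pad := aes.BlockSize - len(data)%aes.BlockSize
	data = append(data, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	return out, nil
}

// looksLikePE is the quick triage check on the recovered bytes: a .NET assembly
// starts with the "MZ" DOS header.
func looksLikePE(b []byte) bool {
	return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z'
}

func main() {
	// Constructed demo key, IV and payload stand-in; real values come from the sample.
	key := []byte("0123456789abcdef0123456789abcdef")
	iv := []byte("fedcba9876543210")
	sample := []byte("MZ constructed stand-in for an assembly body")
	blob, err := wrapPayload(sample, key, iv)
	if err != nil {
		panic(err)
	}
	out, err := unwrapPayload(blob, key, iv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes, PE header present: %v\n", len(out), looksLikePE(out))
}
```

The useful property for triage is the failure mode: with the wrong key the padding check or the gzip magic-number check rejects the buffer, so a quiet run-to-completion is itself evidence that the recovered key and IV are the ones the sample used.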
While some of the phishing infrastructure resembles earlier Rhadamanthys and Lumma campaigns, Morphisec emphasized that the unique design of ResolverRAT's loader and payload warrants its classification as a new malware strain.