ResolverRAT is a newly discovered remote access trojan targeting pharmaceutical and healthcare organizations through phishing campaigns that deliver it via DLL side-loading. Morphisec Labs identified ResolverRAT, emphasizing its sophisticated evasion mechanisms and the threat it poses to organizations in these sectors, with attacks detected as recently as March 10.
ResolverRAT relies on in-memory execution, runtime API resolution, and several layered evasion techniques that complicate detection. Named for its dynamic resolution techniques, the malware evades both static and behavioral analysis, posing significant challenges to defenders. Confirmed detections involved Morphisec's own customers, highlighting the persistent threat to the health sector.
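The delivery chain described above (a phishing lure, then DLL side-loading into a legitimate host process) leaves a recognizable shape in endpoint telemetry: a process loads an unsigned DLL from its own directory, often while the process itself is signed and running from a user-writable folder. The following detection is an added example, not code from Morphisec or from the report; the event format is a constructed, simplified stand-in for Sysmon Event ID 7 records, and the file names in the sample events are invented placeholders, not indicators from this campaign.

```python
"""Hunt for DLL side-loading in Sysmon-style image-load events (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed, simplified event format (key=value pairs separated by '|').
# Real Sysmon Event ID 7 records carry the same information under similar names.
# File names below are placeholders, not indicators from any real campaign.
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\AppData\Local\Temp\Invoice\viewer.exe|ImageSigned=true"
    r"|ImageLoaded=C:\Users\alice\AppData\Local\Temp\Invoice\viewer.dll|LoadedSigned=false",
    r"Image=C:\Windows\System32\notepad.exe|ImageSigned=true"
    r"|ImageLoaded=C:\Windows\System32\kernel32.dll|LoadedSigned=true",
    r"Image=C:\Program Files\Vendor\tool.exe|ImageSigned=true"
    r"|ImageLoaded=C:\Program Files\Vendor\helper.dll|LoadedSigned=false",
    r"Image=C:\Users\alice\Downloads\setup.exe|ImageSigned=false"
    r"|ImageLoaded=C:\Windows\System32\user32.dll|LoadedSigned=true",
]

# Folders a standard user can write to without elevation (assumed list).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class ImageLoad:
    process: str          # the host executable
    process_signed: bool
    dll: str              # the module it loaded
    dll_signed: bool


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    severity: str         # "high" or "medium"
    reasons: tuple


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed key=value event line into an ImageLoad record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        process=fields["Image"],
        process_signed=fields["ImageSigned"].lower() == "true",
        dll=fields["ImageLoaded"],
        dll_signed=fields["LoadedSigned"].lower() == "true",
    )


def same_directory(a: str, b: str) -> bool:
    """Case-insensitive comparison of the parent folders of two Windows paths."""
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def analyze(ev: ImageLoad):
    """Return a Finding when the event has the side-loading shape, else None."""
    # Core condition: an unsigned DLL resolved from the host's own folder, which
    # is what a planted DLL sitting beside a legitimate EXE looks like at load time.
    if not ev.dll.lower().endswith(".dll") or ev.dll_signed:
        return None
    if not same_directory(ev.process, ev.dll):
        return None
    reasons = ["unsigned DLL loaded from the host's own directory"]
    if ev.process_signed:
        reasons.append("host executable is signed (a trusted decoy)")
    if in_user_writable_dir(ev.process):
        reasons.append("host runs from a user-writable directory")
    severity = "high" if len(reasons) == 3 else "medium"
    return Finding(ev.process, ev.dll, severity, tuple(reasons))


def find_side_loads(lines):
    """Run analyze() over event lines and collect the non-empty findings."""
    findings = []
    for line in lines:
        finding = analyze(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_side_loads(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.process} -> {f.dll}: {'; '.join(f.reasons)}")
```

On the sample events the signed viewer in a Temp folder loading an unsigned DLL beside it scores "high", while the vendor tool in Program Files scores only "medium"; expect the latter pattern to be noisy in real data, since plenty of legitimate software ships unsigned helper DLLs, so tune the user-writable marker list and add a baseline of known-good host/DLL pairs before alerting on it.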
Morphisec's Nadav Lorber underlined the malware's sophisticated loader and payload architecture. Social engineering via phishing emails lures corporate employees into triggering the malware. These emails use fear-based content, such as legal threats, to increase the likelihood that recipients act on them. Emails are also written in the target country's native language, indicating a global operation.
Technically, ResolverRAT encrypts its payload with AES-256, applies .NET protections, and hijacks the .NET resource resolver so that the payload is decrypted and executed entirely within managed memory rather than being written to disk. For defenders this means the decrypted payload will not be found on disk; memory scanning and .NET-aware endpoint telemetry are needed to observe it. The malware's persistence mechanisms include multiple registry entries, and its code is heavily obfuscated.
ResolverRAT's evasion strategies include communicating over standard ports so that C2 traffic blends with normal activity, pinning certificates (which defeats TLS-inspecting proxies that would otherwise expose its traffic), and extensive code obfuscation. It maintains connectivity through resilient C2 infrastructure and persistence measures, ensuring continued access to infected systems.
The growing risk from resilient malware like ResolverRAT underscores the need for robust, adaptive security measures to protect critical sectors from emerging threats.