
New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms


New malware ‘ResolverRAT’ is targeting healthcare and pharmaceutical firms, using advanced capabilities to steal sensitive data.

Morphisec researchers discovered a new malware dubbed ‘ResolverRAT’ that is targeting healthcare and pharmaceutical firms, using advanced capabilities to steal sensitive data.

ResolverRAT spreads via phishing emails using localized languages and legal lures. Victims download a malicious file triggering the malware. The multi-language tactic suggests a global, targeted campaign aimed at boosting infection success across regions.

“ResolverRAT is a newly identified remote access trojan that combines advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques,” states Morphisec. “Morphisec researchers have coined it ‘Resolver’ due to its heavy reliance on runtime resolution mechanisms and dynamic resource handling, which make static and behavioral analysis significantly more difficult.”

ResolverRAT, spotted as recently as March 10, uses advanced in-memory execution and evasion tactics. Though it shares traits with Rhadamanthys and Lumma RAT campaigns, researchers labeled it as a new malware family, likely linked to shared threat actor infrastructure.

The payload delivery mechanism employed by the threat actors behind this campaign uses DLL side-loading with hpreader.exe to trigger infection, mirroring past Rhadamanthys malware attacks. Overlaps in binaries, phishing themes, and file names suggest shared tools, infrastructure, or a coordinated affiliate model between threat actors.

ResolverRAT operates through a multi-stage process designed to evade detection. The first stage is a loader that decrypts and executes the payload, employing anti-analysis techniques. The payload is AES-256 encrypted and compressed, and the attackers store the keys as obfuscated integers. After decryption the malicious code runs entirely in memory, preventing static analysis. The malware uses string obfuscation to prevent detection and hijacks .NET resource resolvers to inject malicious assemblies without triggering security tools. A complex state machine with non-sequential transitions further complicates analysis. ResolverRAT also ensures persistence by creating multiple registry entries and files in various locations, including the AppData, Program Files, and User Startup folders. This redundancy keeps the malware active even if some persistence methods fail.
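As an added defender-side example (not code from the Morphisec report or this article), the following PowerShell triage script enumerates the autostart locations described above and groups the entries by the SHA-256 of the launched binary, so one implant registered from several locations stands out. The registry key paths and special-folder names are standard Windows ones; the script relies on no ResolverRAT-specific indicator.

```powershell
# Added triage example, not code from the Morphisec report. It lists the autostart
# locations the article names (Run/RunOnce keys, user and all-users Startup folders),
# hashes each launched binary, and flags the same binary registered from more than one
# location. Assumes an elevated Windows PowerShell 5.1+ session on the host under review.

function Get-ExePath([string]$cmd) {
    # Pull the executable out of a quoted or bare command line; resolve .lnk targets.
    $path = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -like '*.lnk' -and (Test-Path $path)) {
        $path = (New-Object -ComObject WScript.Shell).CreateShortcut($path).TargetPath
    }
    return $path
}

$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$entries = New-Object System.Collections.Generic.List[object]

# Registry autostart values: each value name maps to a command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSDrive metadata members
        $entries.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value })
    }
}

# Startup folder items (shortcuts or dropped executables).
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $entries.Add([pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName })
    }
}

# Hash the resolved binary so identical files under different names or paths group together.
$resolved = foreach ($e in $entries) {
    $path = Get-ExePath $e.Command
    $hash = if ($path -and (Test-Path $path -PathType Leaf)) { (Get-FileHash $path -Algorithm SHA256).Hash } else { 'MISSING' }
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Path = $path; Sha256 = $hash }
}
# The same hash reachable from several autostart locations is the redundancy worth a closer look.
$resolved | Group-Object Sha256 | Where-Object { $_.Name -ne 'MISSING' -and $_.Count -gt 1 } | ForEach-Object {
    Write-Host "Binary registered in $($_.Count) autostart locations:"
    $_.Group | Format-Table Source, Name, Path -AutoSize | Out-String | Write-Host
}
```

Entries whose binary is reported as MISSING still deserve a look, since a deleted or renamed dropper leaves exactly that trace.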

ResolverRAT supports certificate-based authentication to bypass SSL inspection tools, creating a private validation chain between the implant and the C2. It also employs resilient C2 infrastructure with IP rotation and fallback capabilities. Evasion techniques include custom protocols over standard ports, certificate pinning, extensive code obfuscation, irregular connection patterns, and serialized data exchange with Protocol Buffers, making it harder to detect and analyze.

“The command processing logic reveals a complex multi-threaded architecture,” continues the analysis.

“This implementation:

  • Implements robust error handling to prevent connection failures from crashing the malware
  • Uses a length-prefixed protocol where each command is preceded by its size
  • Processes each received command in a dedicated thread”

The threat actor targets users in multiple countries with phishing emails in native languages, often referencing legal investigations or copyright violations to increase credibility. The countries targeted by the threat actor include:

  • Turkey (Turkish)
  • Czech Republic
  • India (Hindi)
  • Indonesia
  • Italy (Italian)
  • Portugal (Portuguese)

Morphisec’s report includes Indicators of Compromise (IoCs) for this threat.

Pierluigi Paganini