A malware campaign using ResolverRAT is targeting healthcare companies and pharmaceutical firms. ResolverRAT is a new, stealthy remote access trojan delivered through phishing emails that pose as notifications about copyright violations or other legal matters, creating a false sense of urgency.
The phishing emails contain a link that leads the user to an executable, hpreader.exe; the malware is then delivered through DLL side-loading, which loads ResolverRAT into memory. The malware abuses .NET ‘ResourceResolve’ events to load malicious assemblies without noticeable API calls. Because ResolverRAT operates entirely in memory, it can evade conventional security solutions such as antivirus and endpoint detection tools that rely on monitoring Win32 API and file system operations.
Researchers at Morphisec discovered the malware. They observed that the threat actor used phishing infrastructure previously used to deliver the Rhadamanthys and Lumma information stealers. The malware establishes persistence by writing XOR-obfuscated keys to as many as 20 locations in the Windows registry and by copying itself to several filesystem locations, such as StartUp, Program Files, and LocalAppData.
The malware possesses the following features:
- connects to its command-and-control server randomly to evade pattern-based detectors
- protects its communications with a customized certificate validation method that bypasses root certificate authorities
- uses obfuscated IP rotation and custom protocols on standard ports, letting its traffic blend in with normal traffic
- for data exfiltration, splits files larger than 1 MB into smaller pieces to match typical traffic patterns
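Each of the network behaviours listed above also has a defender-side signature. The following is an added example (not code from the article or from Morphisec) that runs over constructed flow records resembling a Zeek conn.log joined with ssl.log and flags: several uploads of at most 1 MB each to one host in a short window (the chunked exfiltration), TLS sessions whose server certificate is self-signed or not issued by a trusted CA (the assumption being that custom validation on the client lets the server skip a public root), and one self-signed certificate appearing on several destination addresses (the IP rotation). The record fields, the trusted-issuer set, the chunk-size bounds, the time window and all addresses and certificate names are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024


def detect_chunked_uploads(flows, window=timedelta(minutes=30), min_chunks=3,
                           lo=256 * 1024, hi=MB):
    """Several uploads of at most `hi` bytes each to one (src, dst, port) inside `window`."""
    by_pair = defaultdict(list)
    for f in flows:
        if lo <= f["orig_bytes"] <= hi:
            by_pair[(f["src"], f["dst"], f["dport"])].append(f)
    hits = []
    for pair, fl in by_pair.items():
        fl.sort(key=lambda f: f["ts"])
        best = (0, 0, 0)  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(fl)):
            while fl[end]["ts"] - fl[start]["ts"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, start, end = best
        if count >= min_chunks:
            hits.append({"pair": pair, "chunks": count,
                         "bytes": sum(f["orig_bytes"] for f in fl[start:end + 1])})
    return hits


def detect_self_signed_tls(flows, trusted_issuers):
    """TLS sessions whose server certificate is self-signed or not from a trusted issuer."""
    return [(f["dst"], f["tls_subject"]) for f in flows
            if f.get("tls_subject") and (f["tls_subject"] == f["tls_issuer"]
                                         or f["tls_issuer"] not in trusted_issuers)]


def detect_cert_rotation(flows, min_hosts=2):
    """The same self-signed certificate presented by several destination addresses."""
    hosts_by_cert = defaultdict(set)
    for f in flows:
        if f.get("tls_subject") and f["tls_subject"] == f["tls_issuer"]:
            hosts_by_cert[f["tls_subject"]].add(f["dst"])
    return {cert: sorted(h) for cert, h in hosts_by_cert.items() if len(h) >= min_hosts}


# Constructed sample flows (not real telemetry); addresses are from the documentation ranges.
BASE = datetime(2025, 1, 1, 9, 0, 0)
C2_CERT = "CN=update-service"  # constructed self-signed certificate: subject == issuer
TRUSTED_ISSUERS = {"CN=Example Public CA"}


def flow(minutes, src, dst, orig_bytes, subject, issuer, dport=443):
    return {"ts": BASE + timedelta(minutes=minutes), "src": src, "dst": dst, "dport": dport,
            "orig_bytes": orig_bytes, "tls_subject": subject, "tls_issuer": issuer}


FLOWS = [
    # a file split into four pieces just under 1 MB plus a remainder, all to one host on 443
    flow(0, "10.0.0.5", "203.0.113.10", 1_048_000, C2_CERT, C2_CERT),
    flow(3, "10.0.0.5", "203.0.113.10", 1_048_000, C2_CERT, C2_CERT),
    flow(7, "10.0.0.5", "203.0.113.10", 1_048_000, C2_CERT, C2_CERT),
    flow(12, "10.0.0.5", "203.0.113.10", 1_048_000, C2_CERT, C2_CERT),
    flow(15, "10.0.0.5", "203.0.113.10", 420_000, C2_CERT, C2_CERT),
    # the same self-signed certificate later served from two other addresses
    flow(30, "10.0.0.5", "203.0.113.11", 700, C2_CERT, C2_CERT),
    flow(55, "10.0.0.5", "203.0.113.12", 700, C2_CERT, C2_CERT),
    # benign: ordinary browsing and one large single-session backup upload
    flow(1, "10.0.0.7", "198.51.100.20", 3_000, "CN=www.example.com", "CN=Example Public CA"),
    flow(2, "10.0.0.8", "198.51.100.30", 25 * MB, "CN=backup.example.com", "CN=Example Public CA"),
]

if __name__ == "__main__":
    print("chunked uploads:", detect_chunked_uploads(FLOWS))
    print("untrusted TLS:", detect_self_signed_tls(FLOWS, TRUSTED_ISSUERS))
    print("cert rotation:", detect_cert_rotation(FLOWS))
```

Note what is not attempted: because the malware randomizes its check-in timing, a fixed-period beacon detector will miss it, so the rules here key on volume shape, certificate trust and certificate reuse across addresses rather than on the interval between connections.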
According to Morphisec, the complexity of the malware suggests that a highly capable threat actor is behind the campaign. The researchers say that ResolverRAT is the finest malware developed so far. No specific threat actor has been identified as responsible for the campaign. The researchers recommend HIPAA security awareness training for employees to raise awareness of phishing, behavior-based endpoint security solutions, and regular audits to detect unusual memory activity.
To deal with such risks, companies should implement appropriate privilege management controls. Users should not be permitted to install software or execute arbitrary files; when a new application is needed, a defined approval procedure should be followed. Such controls prevent users from inadvertently undermining the organization’s defenses while still leaving them the latitude to carry out their primary duties. Removing unnecessary privileges, such as local administrative rights on endpoints, effectively mitigates the threat of malicious installations.