ResolverRAT targets various healthcare orgs worldwide

May 27, 2025
ResolverRAT Healthcare Phishing Cyberattack

A new remote access trojan (RAT) named ‘ResolverRAT’ is being deployed against organisations worldwide. In recent attacks, it has specifically targeted the healthcare and pharmaceutical industries.

ResolverRAT spreads through phishing emails that falsely claim to address legal or copyright concerns, carefully tailored to the language of the intended recipient’s country. The emails include a download link for a legitimate executable (‘hpreader.exe’), which is then abused to load the RAT into memory using reflective DLL loading.

This previously undocumented malware shares the phishing infrastructure noted in several recent reports. Those reports, however, focused on the distribution of the Rhadamanthys and Lumma stealers and did not cover this particular payload.


The latest ResolverRAT includes evasive capabilities that can bypass security detections.


The new ResolverRAT poses a covert threat by operating entirely in memory and misusing .NET ‘ResourceResolve’ events to load malicious assemblies without making API calls that might trigger security alerts.

The researchers describe this resource resolver hijacking as a prime example of malware evolution: it uses an overlooked .NET feature to operate solely within managed memory, sidestepping traditional security controls that concentrate on Win32 API calls and file system activity.

Additionally, various assessments indicate that ResolverRAT employs a sophisticated state machine to obscure control flow, making static analysis exceptionally challenging, and that it can detect sandboxes and analysis tools by fingerprinting resource requests.

Even when run alongside debugging tools, its reliance on misleading and redundant code and operations is designed to complicate scrutiny.

Furthermore, the malware inserts XOR-obfuscated keys at as many as 20 locations within the Windows Registry and embeds itself in filesystem folders such as Startup, Program Files, and LocalAppData to maintain persistence.
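The persistence behaviour described above (obfuscated values written to many registry locations, plus copies dropped into Startup, Program Files and LocalAppData) is something a defender can hunt for in endpoint telemetry. The following is an example added here by the editor, not code from the article or from the researchers' report. It runs a heuristic over constructed Sysmon-style registry-set and file-create events; the event layout, field names, process names, path list and thresholds are all assumptions, and the sample events are constructed.

```python
"""Heuristic detection of the persistence pattern described above: one process
writing obfuscated-looking values to many registry locations and dropping files
into autostart or user-writable folders.

Example added by the editor; not code from the original article or from the
researchers' report. Event layout, field names, thresholds and the path list are
assumptions, and every event below is constructed."""

import math
import re
from collections import defaultdict

# Assumed Sysmon-style event IDs: 13 = registry value set, 11 = file created.
REG_SET, FILE_CREATE = 13, 11

# Folders the article names as persistence locations, matched case-insensitively
# as substrings of the created file's path ("\appdata\local" also matches LocalLow).
PERSISTENCE_DIRS = ("\\start menu\\programs\\startup", "\\program files", "\\appdata\\local")

# Hex or base64-like blobs with no spaces, colons or path separators.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")


def _obf(i):
    """Constructed stand-in for an XOR-obfuscated key: 32 hex chars, each digit twice."""
    return ("0123456789abcdef" * 3)[i:i + 32]


# Constructed events (not real telemetry). pid 4242 models the behaviour the
# article describes; pids 1300 and 2100 are benign controls.
SAMPLE_EVENTS = [
    {"id": REG_SET, "pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\hpreader.exe",
     "target": rf"HKU\S-1-5-21-1\Software\Classes\cfg{i}", "value": _obf(i)}
    for i in range(6)
] + [
    # the same key written a second time is counted once
    {"id": REG_SET, "pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\hpreader.exe",
     "target": r"HKU\S-1-5-21-1\Software\Classes\cfg0", "value": _obf(9)},
    {"id": FILE_CREATE, "pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\hpreader.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hpreader.exe"},
    {"id": FILE_CREATE, "pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\hpreader.exe",
     "target": r"C:\Users\alice\AppData\Local\hpreader\hpreader.exe"},
    # Explorer recording a recent document: a plain-text value, never flagged
    {"id": REG_SET, "pid": 1300, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
     "value": r"C:\Users\alice\Documents\report.docx"},
    # a legitimate installer: one plain registry value and a drop into Program Files
    {"id": REG_SET, "pid": 2100, "image": r"C:\Users\alice\Downloads\setup.exe",
     "target": r"HKLM\Software\Vendor\InstallPath", "value": r"C:\Program Files\Vendor"},
    {"id": FILE_CREATE, "pid": 2100, "image": r"C:\Users\alice\Downloads\setup.exe",
     "target": r"C:\Program Files\Vendor\app.exe"},
]


def shannon_entropy(s):
    """Bits per character of the string s."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_obfuscated(value, min_entropy=3.0):
    """True for long, high-entropy blobs that carry no path or text structure."""
    return bool(BLOB_RE.match(value)) and shannon_entropy(value) >= min_entropy


def is_persistence_path(path):
    low = path.lower()
    return any(d in low for d in PERSISTENCE_DIRS)


def score_processes(events, key_threshold=5):
    """Per-pid summary: distinct registry keys holding obfuscated values, file drops
    into persistence folders, and a verdict. Thresholds are assumptions to tune locally."""
    per_pid = defaultdict(lambda: {"image": None, "obf_keys": set(), "drops": []})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["id"] == REG_SET and looks_obfuscated(ev.get("value", "")):
            rec["obf_keys"].add(ev["target"].lower())
        elif ev["id"] == FILE_CREATE and is_persistence_path(ev["target"]):
            rec["drops"].append(ev["target"])
    result = {}
    for pid, rec in per_pid.items():
        n = len(rec["obf_keys"])
        # Many obfuscated keys alone, or a few plus an autostart/user-folder drop, is
        # suspicious; a drop on its own is what every installer does.
        result[pid] = {"image": rec["image"], "obf_keys": n, "drops": rec["drops"],
                       "suspicious": n >= key_threshold or (n >= 2 and bool(rec["drops"]))}
    return result


def flagged_pids(events):
    """Sorted pids whose combined registry and file activity trips the heuristic."""
    return sorted(pid for pid, r in score_processes(events).items() if r["suspicious"])


if __name__ == "__main__":
    for pid, r in score_processes(SAMPLE_EVENTS).items():
        print(pid, r["image"], "obfuscated keys:", r["obf_keys"],
              "drops:", len(r["drops"]), "SUSPICIOUS" if r["suspicious"] else "ok")
```

The two signals are deliberately combined: a single high-entropy registry value is common (licence blobs, cached tokens), and a file landing in Program Files is what installers do, but one process doing both across many distinct keys is the pattern the article describes. The entropy threshold and key count are starting points to tune against a baseline of local telemetry.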

It also connects to its operators via scheduled callbacks at random intervals, evading detection by producing irregular beaconing patterns. Each command received from the operators runs on its own thread, allowing simultaneous task execution and preventing a failed command from crashing the malware.
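Randomising the callback interval defeats detections that look for a fixed period, but jitter applied around a base period still leaves the intervals tightly clustered, which robust statistics separate from genuinely bursty user traffic. The following is an example added here by the editor, not code from the article or the researchers' report; it scores src/dst pairs from constructed connection-log lines. The log format, the thresholds and all timestamps are assumptions.

```python
"""Spotting jittered beaconing in connection logs. Randomising the interval
around a base period keeps the intervals clustered; a robust spread measure and
an in-band ratio pick that out from bursty human traffic.

Example added by the editor; not code from the original article or from the
researchers' report. Log format, thresholds and timestamps are assumptions and
the log lines are constructed."""

from collections import defaultdict
from statistics import median

T0 = 1_748_340_000  # arbitrary epoch base (constructed)
# Beacon: ~300 s base period with roughly +/-15% jitter (constructed offsets).
BEACON_OFFSETS = [0, 310, 585, 900, 1180, 1500, 1770, 2100, 2360, 2700]
# Human browsing: short bursts separated by long idle gaps (constructed offsets).
HUMAN_OFFSETS = [0, 3, 7, 9, 15, 400, 402, 1900, 1903, 1910]

# Constructed log lines in an assumed "epoch_seconds,src,dst" format.
SAMPLE_LOG = (
    [f"{T0 + o},10.0.0.5,203.0.113.7" for o in BEACON_OFFSETS]
    + [f"{T0 + o},10.0.0.8,198.51.100.20" for o in HUMAN_OFFSETS]
)


def parse_lines(lines):
    """Group connection timestamps by (src, dst)."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst = line.strip().split(",")
        pairs[(src, dst)].append(int(ts))
    return pairs


def beacon_score(timestamps, min_intervals=8, max_jitter=0.35, min_in_band=0.8):
    """Interval statistics and a periodicity verdict for one src/dst pair.

    jitter  = MAD(intervals) / median(intervals): spread relative to the base period
    in_band = share of intervals within 0.5x..1.5x of the median
    Bursty traffic has a tiny median with huge outliers and fails in_band; a
    jittered beacon keeps nearly every interval inside the band."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < min_intervals:
        return {"intervals": len(intervals), "periodic": False}
    med = median(intervals)
    mad = median([abs(i - med) for i in intervals])
    in_band = sum(0.5 * med <= i <= 1.5 * med for i in intervals) / len(intervals)
    jitter = mad / med if med else float("inf")
    return {
        "intervals": len(intervals),
        "median_interval": med,
        "jitter": jitter,
        "in_band": in_band,
        "periodic": jitter <= max_jitter and in_band >= min_in_band,
    }


def find_beacons(lines):
    """(src, dst) pairs whose connection timing looks periodic despite jitter."""
    return sorted(pair for pair, ts in parse_lines(lines).items()
                  if beacon_score(ts)["periodic"])


if __name__ == "__main__":
    for pair, ts in parse_lines(SAMPLE_LOG).items():
        s = beacon_score(ts)
        print(pair, "median interval:", s.get("median_interval"),
              "jitter: %.2f" % s.get("jitter", 0), "BEACON" if s["periodic"] else "ok")
```

The median and median absolute deviation are used instead of mean and standard deviation so that a handful of long gaps (a laptop going to sleep, a dropped callback) do not mask the underlying period. The interval count, jitter and in-band thresholds are assumptions; a real deployment would baseline them per network and run the scoring over a sliding window rather than a fixed list.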

While the researchers do not detail the commands ResolverRAT supports, they acknowledge its data exfiltration capabilities, which include a chunking strategy for transferring large amounts of data.

Before dispatching each chunk, ResolverRAT checks whether the socket is ready for writing, avoiding errors from congested or unstable networks. The mechanism incorporates error handling and data recovery, allowing transfers to resume from the last successfully sent chunk.

The reported phishing attempts include languages such as Italian, Czech, Hindi, Turkish, Portuguese, and Indonesian, indicating that the malware operates globally and has the potential to expand into additional countries.
