New Malware 'ResolverRAT' Targets Healthcare, Pharmaceutical Firms

A new, highly sophisticated malware campaign has been discovered by Morphisec researchers, targeting healthcare and pharmaceutical firms worldwide. Dubbed "ResolverRAT," this remote access trojan (RAT) uses advanced capabilities to steal sensitive data from its victims.

The malicious software spreads through phishing emails that use localized languages and legal lures to increase the chances of success. Once a victim downloads and opens the malicious file, the malware is installed. The multi-language tactic suggests a global, targeted campaign aimed at boosting infection rates across regions.

About ResolverRAT

ResolverRAT is a newly identified remote access trojan that combines advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques.

The Morphisec researchers named it "Resolver" because of its heavy reliance on runtime resolution mechanisms and dynamic resource handling, which make static and behavioral analysis significantly more difficult.

Tactics and Techniques

ResolverRAT uses advanced in-memory execution and evasion tactics. Though it shares traits with Rhadamanthys and Lumma RAT campaigns, researchers labeled it as a new malware family, likely linked to shared threat actor infrastructure.

The payload delivery mechanism employed by the threat actors behind this campaign uses DLL side-loading with hpreader.exe to trigger infection, mirroring past Rhadamanthys malware attacks. Overlaps in binaries, phishing themes, and file names suggest shared tools, infrastructure, or a coordinated affiliate model between threat actors.

How ResolverRAT Operates

ResolverRAT operates through a multi-stage process designed to evade detection. The first stage is a loader that decrypts and executes the payload, employing anti-analysis techniques.

The payload is AES-256 encrypted and compressed, and the attackers store the keys as obfuscated integers. After decryption, the malicious code runs entirely in memory, which prevents static analysis of the payload on disk.

Evasion Techniques

ResolverRAT uses several evasion techniques that make it harder for security tools to detect and analyze it. These include:

  • Custom protocols over standard ports, certificate pinning, extensive code obfuscation, irregular connection patterns, and serialized data exchange with Protocol Buffers.
  • A complex state machine with non-sequential transitions further complicates analysis.

The threat actor targets users in multiple countries with phishing emails in native languages, often referencing legal investigations or copyright violations to increase credibility. The countries targeted by the threat actor include:

Indicators of Compromise (IoCs) for this threat are included in Morphisec's report.

ResolverRAT supports certificate-based authentication to bypass SSL inspection tools, creating a private validation chain between the implant and C2. It also employs resilient C2 infrastructure with IP rotation and fallback capabilities.

Persistence and Detection

The redundancy among its persistence methods ensures that the malware remains active even if some of them fail. The command processing logic reveals a complex multi-threaded architecture.