Healthcare and pharmaceutical sectors are currently under siege from a sophisticated malware campaign deploying ResolverRAT, a newly identified remote access trojan. This malware is disseminated through phishing emails that masquerade as urgent legal notices, such as copyright infringement alerts, to manipulate recipients into action.

Phishing Tactics and Malware Delivery

The phishing emails contain a hyperlink that leads to a seemingly legitimate signed executable, hpreader.exe. The malware is introduced through DLL side-loading, injecting ResolverRAT directly into the system's memory. By exploiting .NET 'ResourceResolve' events, the malware loads harmful assemblies without triggering detectable API calls. Operating entirely in memory, ResolverRAT bypasses conventional security measures like antivirus programs and endpoint detection systems that focus on Win32 API and file operations.

Technical Insights and Persistence Mechanisms

Researchers from Morphisec have identified this malware, noting its use of a phishing infrastructure previously associated with Rhadamanthys and Lumma information stealers. ResolverRAT maintains persistence by embedding XOR-obfuscated keys in up to 20 locations within the Windows registry and integrating itself into various filesystem directories, including StartUp, LocalAppData, and Program Files.

  • Stealthy Communication: The malware connects to its command-and-control server at random intervals to avoid detection by pattern-based systems.
  • Secure Communications: It employs a custom certificate validation process, bypassing standard root authorities, and uses obfuscated IP rotation and custom protocols to blend with normal network traffic.
  • Data Exfiltration: Files larger than 1MB are divided into smaller segments to mimic regular data flows.

Attribution and Security Recommendations

While the sophistication of ResolverRAT suggests a highly skilled threat actor, researchers have yet to attribute the campaign to a specific group. To counter such threats, organizations are advised to implement security awareness training focused on phishing, deploy behavior-based endpoint protection, and conduct regular audits to detect unusual memory activities.

Preventive Measures

Organizations should enforce strict privilege management controls, limiting users' ability to install software or execute unauthorized applications. A defined process for approving new applications can prevent accidental security breaches. Additionally, reducing unnecessary privileges, such as local admin rights, significantly mitigates the risk of malicious software installations.

The link has been copied!