Researchers have uncovered ResolverRAT, a sophisticated remote access trojan targeting healthcare and pharmaceutical sectors. The malware is distributed through phishing emails that use fear-based lures, prompting recipients to click malicious links. Once clicked, users are directed to download a file that triggers the ResolverRAT infection chain. The attack is executed via a DLL side-loading technique, enabling the malware to run silently in memory while avoiding detection.
ResolverRAT’s advanced evasion techniques make it particularly difficult to detect. It employs AES-256 encryption, compresses its payload, and only runs it in memory after decryption. The malware also uses anti-analysis techniques to fly under the radar and establishes persistence through registry modifications. Multiple locations are used for installation, and the malware creates redundant registry entries to ensure it remains operational even if one method fails.
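The redundant registry persistence described above is something a defender can hunt for directly. The following is an added example, not code from the original report or from any vendor: it scans constructed, hypothetical registry "value set" events in a simplified Sysmon-like text form and flags any executable that is registered for autostart under several distinct keys or from more than one on-disk location.

```python
import re
from collections import defaultdict

# Constructed sample of registry "value set" events (hypothetical, in a
# simplified Sysmon-like "type|key\value|data" text form); not from the
# ResolverRAT report. Key and binary names are placeholders.
SAMPLE_EVENTS = r"""
RegistrySetValue|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Users\alice\AppData\Roaming\vendor\app.exe
RegistrySetValue|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater|C:\Users\alice\AppData\Roaming\vendor\app.exe
RegistrySetValue|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Users\alice\AppData\Local\Temp\app.exe
RegistrySetValue|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|C:\Program Files\Microsoft OneDrive\OneDrive.exe
RegistrySetValue|HKLM\Software\Vendor\Settings\InstallDir|C:\Program Files\Vendor
"""

# Autostart locations this demo covers (a deliberately small list; extend
# with Winlogon, Services, scheduled-task paths etc. for real hunting).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def parse_events(text):
    """Yield (key, data) pairs for RegistrySetValue events."""
    for line in text.splitlines():
        if not line.strip():
            continue
        etype, key, data = line.split("|", 2)
        if etype == "RegistrySetValue":
            yield key, data.strip().strip('"')


def find_redundant_persistence(text, min_keys=2):
    """Group autostart entries by executable file name and report binaries
    registered under at least `min_keys` distinct registry keys, or
    referenced from more than one on-disk directory."""
    by_exe = defaultdict(lambda: {"keys": set(), "dirs": set()})
    for key, data in parse_events(text):
        if not AUTORUN_KEY.search(key):
            continue
        directory, _, exe = data.rpartition("\\")
        by_exe[exe.lower()]["keys"].add(key)
        by_exe[exe.lower()]["dirs"].add(directory.lower())
    return {
        exe: {"keys": sorted(v["keys"]), "dirs": sorted(v["dirs"])}
        for exe, v in by_exe.items()
        if len(v["keys"]) >= min_keys or len(v["dirs"]) > 1
    }


if __name__ == "__main__":
    for exe, info in find_redundant_persistence(SAMPLE_EVENTS).items():
        print(exe, "keys:", len(info["keys"]), "dirs:", info["dirs"])
```

On the constructed sample only `app.exe` is reported (three autorun keys, two directories); the single OneDrive entry and the non-autorun vendor setting are ignored.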
The malware communicates with its command-and-control (C2) servers using a custom protocol and advanced certificate validation. This allows it to bypass standard security measures and maintain a secure connection. ResolverRAT also implements an IP rotation system, enabling it to switch to backup C2 servers if the primary one is disrupted. The trojan can also split large volumes of stolen data into small chunks when exfiltrating it, reducing the chance that the transfer is detected.
The campaign’s sophistication suggests a highly organized threat actor, likely with connections to other groups using similar tactics. While the specific threat group behind ResolverRAT remains unidentified, its methods closely align with previously documented phishing campaigns. The use of localized phishing emails and dynamic malware capabilities indicates that the threat actor is employing a strategic, coordinated approach across multiple regions to maximize infection rates.