New ResolverRAT Malware Targets Pharma and Healthcare Orgs Worldwide

Summary:
Morphisec has uncovered a new malware called ResolverRAT, which is indiscriminately targeting organizations globally. The most recently documented attacks observed by Morphisec have targeted the healthcare and pharmaceutical sectors. ResolverRAT spreads via phishing emails that mimic legal or copyright infringement notices, written in the victim's native language to appear more legitimate. The phishing emails trick users into downloading a legitimate executable ('hpreader.exe'), which is then abused to stealthily inject ResolverRAT directly into memory using a technique called reflective DLL loading. Morphisec also observed that the same phishing infrastructure had recently been used to spread other malware such as Rhadamanthys and Lumma, as reported by Check Point and Cisco Talos. However, Morphisec stresses that, in this case, the payload is a previously undocumented malware. ResolverRAT is quite stealthy: it runs entirely in memory and abuses .NET ‘ResourceResolve’ events to deliver malicious code without performing suspicious API calls.

Security Officer Comments:
Researchers found that ResolverRAT employs a sophisticated system of hidden states to scramble its operational steps, making its code very hard to analyze without running it. It can also identify and evade security sandboxes and analysis software by examining how they request system resources. Although previously undocumented, ResolverRAT may also be deployed in the same campaigns distributing Rhadamanthys and Lumma Stealer. The threat of ResolverRAT is reinforced by its persistent connectivity: the ViewConnection method reestablishes C2 connections when they are disrupted.

Suggested Corrections:
IOCs are available here.
  • Educate users on social engineering and fear-based phishing lures: Emphasize vigilance regarding emails with alarming content, legal threats, or copyright violations, especially those in their native language from unknown senders.
  • Caution against clicking links or downloading files from unsolicited emails: Reinforce the importance of verifying sender legitimacy through alternative communication channels before interacting with email content.
  • Implement and enforce strong email security controls: Utilize spam filters, anti-phishing solutions, and link analysis tools to detect and block malicious emails.
  • Restrict the execution of executables from untrusted sources: Implement application whitelisting or similar controls to prevent the running of unauthorized programs, including those downloaded from the internet.
  • Monitor for and prevent DLL side-loading: Implement security measures to detect and block attempts to load malicious DLLs alongside legitimate executables, particularly in user-writable directories.
  • Keep endpoint security software up-to-date: Ensure antivirus and EDR solutions are current to detect and respond to known and emerging threats, including in-memory execution techniques.
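The side-loading pattern described above (a legitimate, downloaded executable such as 'hpreader.exe' loading a DLL placed beside it in a user-writable directory) is the kind of thing the "monitor for DLL side-loading" recommendation asks defenders to detect. The following is an added example written for this advisory, not code from Morphisec or BleepingComputer. It scores constructed, reduced Sysmon-style image-load records (the Image, ImageLoaded and Signed fields) and flags loads where an unsigned DLL is loaded from the executable's own user-writable directory; the directory markers, the scoring weights and the sample DLL name are assumptions chosen for illustration.

```python
"""Score Sysmon-style image-load events for DLL side-loading indicators.

Added example for this advisory; not vendor code. Event records are
constructed below and use a reduced set of Sysmon event ID 7 fields.
"""
import ntpath

# Assumption: directories a standard user can write to on a typical Windows layout.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# Locations where legitimately installed system DLLs normally live.
SYSTEM_MARKERS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\windows\\winsxs\\")

# Constructed sample events; the DLL name is a placeholder, not an IoC from the page.
SAMPLE_EVENTS = [
    {  # downloaded legitimate host binary loading an unsigned DLL from the same folder
        "Image": r"C:\Users\alice\Downloads\hpreader.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\sideloaded_placeholder.dll",
        "Signed": "false",
    },
    {  # normal system DLL load: nothing suspicious
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
    },
    {  # installed app pulling an unsigned DLL from Temp: weaker signal, below threshold
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
        "Signed": "false",
    },
]


def is_user_writable(directory: str) -> bool:
    """True when the directory sits under a user-writable location and not a system dir."""
    d = directory.lower().rstrip("\\") + "\\"
    return any(m in d for m in USER_WRITABLE_MARKERS) and not any(m in d for m in SYSTEM_MARKERS)


def score_image_load(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one image-load record; higher is more suspicious."""
    reasons: list[str] = []
    score = 0
    exe, dll = event["Image"], event["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return 0, reasons  # only DLL loads are of interest here
    signed = str(event.get("Signed", "false")).lower() == "true"
    exe_dir = ntpath.dirname(exe).lower()
    dll_dir = ntpath.dirname(dll).lower()

    if dll_dir == exe_dir and is_user_writable(dll_dir):
        # Classic side-loading layout: payload DLL dropped next to the host executable.
        score += 3
        reasons.append("DLL loaded from the executable's own user-writable directory")
    elif is_user_writable(dll_dir):
        score += 1
        reasons.append("DLL loaded from a user-writable directory")
    if not signed:
        score += 2
        reasons.append("loaded DLL is unsigned")
    return score, reasons


def detect_sideloading(events: list[dict], threshold: int = 4) -> list[dict]:
    """Return the events whose score meets the threshold, annotated with score and reasons."""
    hits = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_sideloading(SAMPLE_EVENTS):
        print(f"[{hit['score']}] {hit['Image']} -> {hit['ImageLoaded']}: {'; '.join(hit['reasons'])}")
```

The threshold is deliberately set so that an unsigned DLL loaded from Temp by an installed application (score 3) is logged as weaker evidence rather than alerted on, while the downloaded-executable-plus-adjacent-unsigned-DLL layout (score 5) is flagged; tune the markers and weights to the environment, and feed real Sysmon event 7 records in place of the constructed ones.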
Link(s):
https://www.bleepingcomputer.com/news/security/new-resolverrat-malware-targets-pharma-and-healthcare-orgs-worldwide/

https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/