
‘ResolverRAT’ is a new remote access trojan (RAT) that is being used against organisations worldwide. The malware employed in recent attacks has targeted the pharmaceutical and healthcare industries.
ResolverRAT is distributed through phishing emails that are written in the target’s native language and appear to concern legal or copyright violations. The emails carry a download link for a legitimate executable (‘hpreader.exe’) which, once run, uses reflective DLL loading to inject ResolverRAT into memory.
Cybersecurity company Morphisec discovered the previously unknown malware, noting that Check Point and Cisco Talos had recently reported on the same phishing infrastructure. Those reports, however, did not cover the distinct ResolverRAT payload; they focused on the distribution of the Rhadamanthys and Lumma stealers.
Morphisec’s researchers named it ‘Resolver’ because of its heavy reliance on runtime resolution mechanisms and dynamic resource handling, which make both static and behavioural analysis significantly harder.
ResolverRAT is stealthy malware that operates entirely in memory and abuses the .NET ‘ResourceResolve’ event to load malicious assemblies without making API calls that could trigger security alerts. This lets it inject code within managed memory, bypassing traditional security monitoring that focuses on Win32 API and file system activity.
“This resource resolver hijacking represents malware evolution at its finest – utilizing an overlooked .NET mechanism to operate entirely within managed memory, circumventing traditional security monitoring focused on Win32 API and file system operations,” describes Morphisec.
According to the researchers, ResolverRAT detects sandboxes and analysis tools by fingerprinting resource requests, and it obfuscates its control flow with a complex state machine that makes static analysis very challenging.
It also uses deceptive and redundant code and operations to further complicate analysis, even when it runs with debugging tools present.
The malware establishes persistence by writing XOR-obfuscated keys to up to 20 locations in the Windows Registry. It also copies itself to file-system locations such as ‘Startup,’ ‘Program Files,’ and ‘LocalAppData.’
ResolverRAT avoids detection through irregular beaconing: it connects at random times within its scheduled callbacks rather than at a fixed interval. Each command sent by the operators is handled in a separate thread, which allows tasks to run in parallel and prevents a failed command from crashing the malware.
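The randomised callback timing described above defeats detectors that look for a strictly periodic beacon. The following added example (not code from the article or from Morphisec) shows a defender-side heuristic that tolerates jitter: it groups outbound connections by source and destination, measures the spread of the gaps between them as a coefficient of variation, and flags flows whose gaps are numerous yet bounded. The log format, the sample lines, and the thresholds are all constructed for this example.

```python
"""Beacon-jitter heuristic over constructed outbound connection logs.

Assumed log format (constructed for this example, not ResolverRAT's own):
    <ISO-8601 UTC timestamp> src=<host> dst=<ip:port> bytes=<n>
"""
import random
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _make_lines(src, dst, gaps_seconds, start):
    """Build constructed log lines, one connection per gap."""
    lines, t = [], start
    for gap in gaps_seconds:
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(TS_FMT)} src={src} dst={dst} bytes=412")
    return lines


_START = datetime(2025, 4, 10, 12, 0, tzinfo=timezone.utc)
_rng = random.Random(7)  # fixed seed so the constructed sample is reproducible

# ws01: a jittered beacon, roughly every minute but never at a fixed interval.
# ws02: human-like browsing with wildly varying gaps between connections.
SAMPLE_LOG = (
    _make_lines("ws01", "203.0.113.10:443",
                [_rng.randint(45, 75) for _ in range(30)], _START)
    + _make_lines("ws02", "198.51.100.5:443",
                  [3, 420, 8, 1800, 15, 60, 3600, 2, 900, 12, 240, 5], _START)
)


def parse_log(lines):
    """Group connection epoch timestamps by (src, dst)."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        flows[(m.group(2), m.group(3))].append(ts.timestamp())
    return flows


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between successive connections.

    A strict timer gives 0.0, a jittered timer a small value, and human
    traffic a value well above 1. Returns None if there are too few gaps.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.fmean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def find_beacons(lines, min_connections=10, max_cv=0.5):
    """Return {(src, dst): cv} for flows whose timing looks like a beacon.

    The thresholds are assumptions to tune per environment; a pure
    periodicity check (cv == 0) would miss randomised callbacks.
    """
    hits = {}
    for key, ts in parse_log(lines).items():
        if len(ts) < min_connections:
            continue
        cv = interval_cv(ts)
        if cv is not None and cv <= max_cv:
            hits[key] = round(cv, 3)
    return hits


if __name__ == "__main__":
    for (src, dst), cv in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} (interval cv={cv})")
```

Keying on source and destination rather than on individual connections matters here: each callback is a fresh connection, and the signal only appears once the gaps between many of them are considered together. Raising `max_cv` catches wider jitter at the cost of more false positives from software updaters and similar timer-driven clients.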
Morphisec mentions data exfiltration capabilities that use a chunking method for large transfers, but it does not detail the commands ResolverRAT supports.
Files larger than 1MB are split into 16KB chunks, which helps the malicious traffic blend in with normal network patterns and avoid detection.
Before transmitting each chunk, ResolverRAT checks that the socket is ready for writing, which avoids errors on congested or unreliable networks. Transfers resume from the last successfully sent chunk, giving the malware resilient error handling and data recovery.
Morphisec observed phishing lures in Italian, Czech, Hindi, Turkish, Portuguese, and Indonesian, indicating a global operational scope that may expand to additional countries.
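The chunking scheme just described leaves a detectable shape in host telemetry even when the traffic itself is encrypted: a large outbound volume made up of writes of one fixed size. The following added example (not code from the article or from Morphisec) profiles constructed per-write records by source and destination and flags flows that exceed the 1MB trigger with almost all writes at the chunk size. The record format and sample values are constructed; that the chunk is exactly 16384 bytes is an assumption made here, and the size is a parameter.

```python
"""Heuristic for fixed-size chunked outbound transfers.

Events are constructed per-socket-write records, not real telemetry:
    (src_host, dst, bytes_written)
The 1MB trigger and 16KB chunk follow the sizes reported for ResolverRAT;
that the chunk is exactly 16384 bytes is an assumption made in this example.
"""
from collections import defaultdict

CHUNK_BYTES = 16 * 1024
ONE_MB = 1024 * 1024


def _writes(src, dst, sizes):
    """Expand a list of write sizes into constructed (src, dst, bytes) events."""
    return [(src, dst, n) for n in sizes]


SAMPLE_EVENTS = (
    # 70 full chunks plus a short tail: ~1.1 MB in uniform 16 KiB writes.
    _writes("ws01", "203.0.113.10:443", [CHUNK_BYTES] * 70 + [5000])
    # Ordinary web traffic: small requests of varying size.
    + _writes("ws02", "198.51.100.5:443", [517, 1380, 220, 4096, 733, 1380, 95])
    # Uniform writes but well under the 1 MB trigger: a small upload.
    + _writes("ws03", "192.0.2.7:443", [CHUNK_BYTES] * 20)
)


def chunk_profile(sizes, chunk=CHUNK_BYTES):
    """Return (total_bytes, share_of_writes_equal_to_chunk) for one flow."""
    if not sizes:
        return 0, 0.0
    total = sum(sizes)
    share = sum(1 for n in sizes if n == chunk) / len(sizes)
    return total, share


def flag_chunked_transfers(events, chunk=CHUNK_BYTES,
                           min_total=ONE_MB, min_share=0.9):
    """Return {(src, dst): (total, share)} for flows shaped like chunked exfiltration.

    Flows are keyed on src/dst rather than on a single connection so that a
    transfer resumed after a reconnect still accumulates into one profile.
    """
    per_flow = defaultdict(list)
    for src, dst, n in events:
        per_flow[(src, dst)].append(n)
    flagged = {}
    for key, sizes in per_flow.items():
        total, share = chunk_profile(sizes, chunk)
        if total >= min_total and share >= min_share:
            flagged[key] = (total, round(share, 3))
    return flagged


if __name__ == "__main__":
    for (src, dst), (total, share) in flag_chunked_transfers(SAMPLE_EVENTS).items():
        print(f"chunked transfer: {src} -> {dst}, {total} bytes, "
              f"{share:.0%} of writes at {CHUNK_BYTES} bytes")
```

The share threshold allows for the final partial chunk of a file, and the byte threshold keeps small uniform uploads below the radar. Backup agents and sync clients also write fixed-size buffers, so treat a hit as a lead to correlate with process ancestry and destination reputation rather than as a verdict on its own.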