New ResolverRAT malware targets healthcare & pharma companies globally

India Pharma Outlook Team | Wednesday, 16 April 2025

The campaign distributes ResolverRAT, a remote access trojan, through phishing emails aimed at the healthcare and pharmaceutical sectors. The emails are written in several languages, including English, Hindi, Italian, and Turkish, and all rely on fear-based lures about legal threats, underscoring the international scope of the campaign.

The phishing messages contain ZIP attachments with a legitimate, vulnerable executable (hpreader.exe), which side-loads a malicious DLL. When executed, the DLL then decrypts and launches ResolverRAT, which is encrypted with AES-256 and runs solely in memory using a .NET technique called resource resolver hijacking. This approach avoids writing to disk, making it harder to detect.

In a report, Morphisec researchers said, "While recent reports by Check Point and Cisco Talos have attributed similar phishing infrastructure and delivery mechanisms to campaigns distributing Rhadamanthys and Lumma respectively, the RAT observed in Morphisec Threat Labs' incident investigations appears to be previously undocumented. Despite clear overlaps in payload delivery, email lure themes, and even binary reuse, this variant introduces a distinct loader and payload architecture that warranted classification as a new malware family."

ResolverRAT itself includes several advanced evasion techniques, such as control flow flattening, dead code insertion, and conditional jumps that depend on the environment, all of which hinder static analysis. Arithmetic obfuscation is also applied to obscure the decryption keys.

The malware also randomizes the intervals at which it communicates with its command-and-control (C2) server, making its beaconing unpredictable and helping it slip past network security tools that look for regular check-ins. In addition, it uses serialized data formats to make its traffic harder to analyze. Each infected system receives a different authentication token, allowing the attackers to track and control victims on a per-campaign basis.
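Randomized beacon intervals defeat detectors that look for a fixed period, but the gaps still cluster around a base value. The following added example (not from the Morphisec report) runs a jitter-tolerant check over a constructed connection log: it flags host pairs whose inter-arrival gaps have a low coefficient of variation, while leaving irregular, bursty traffic alone. Host names, IP addresses, the 120-second base interval and the thresholds are all constructed for illustration.

```python
import random
import statistics
from collections import defaultdict

def build_sample_log():
    """Constructed connection log: (epoch_seconds, src_host, dst_ip). Not real IoCs."""
    rng = random.Random(1)
    log = []
    # Jittered beacon: base 120 s, each interval randomized by +/-40% (constructed).
    t = 0.0
    for _ in range(40):
        t += 120 * rng.uniform(0.6, 1.4)
        log.append((t, "ws-17", "203.0.113.10"))
    # Bursty, irregular browsing to a benign host (constructed gaps in seconds).
    t = 0.0
    for gap in [1, 2, 1, 300, 4, 2, 1, 1800, 3, 1, 2, 5, 900, 1, 1, 2, 7200, 2, 3, 1]:
        t += gap
        log.append((t, "ws-17", "198.51.100.5"))
    return log

def beacon_score(timestamps):
    """Return (number of gaps, coefficient of variation of inter-arrival gaps).

    CV near 0 is a fixed-period beacon, a modest CV (roughly 0.1-0.4) is a
    jittered beacon, and heavy-tailed human traffic typically scores above 1.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(gaps), None
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else None
    return len(gaps), cv

def find_jittered_beacons(log, min_conns=20, max_cv=0.5):
    """Group connections by (src, dst) and flag pairs with many, evenly spread gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst in log:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, ts in by_pair.items():
        n_gaps, cv = beacon_score(ts)
        if n_gaps + 1 >= min_conns and cv is not None and cv <= max_cv:
            hits.append((pair, n_gaps + 1, round(cv, 2)))
    return hits

if __name__ == "__main__":
    for pair, count, cv in find_jittered_beacons(build_sample_log()):
        print(f"possible beacon {pair}: {count} connections, gap CV={cv}")
```

The thresholds are a starting point; on real telemetry they should be tuned per environment and combined with destination reputation, since some legitimate agents also poll on a jittered schedule.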

"By registering a custom handler for ResourceResolve events, the malware can intercept legitimate resource requests and return malicious assemblies instead. This elegant technique achieves code injection without modifying the PE header or employing suspicious API calls that might trigger security solutions," the researchers added.

ResolverRAT poses a serious threat to the targeted organizations because of the stealthy and sophisticated delivery and evasion methods used in this campaign.

"The alignment in payload delivery mechanisms, artifact reuse, and lure themes indicates a possible overlap in threat actor infrastructure or operational playbooks, potentially pointing to a shared affiliate model or coordinated activity among related threat groups," the researchers stated.
