Morphisec discovers a brand new malware menace ResolverRAT, that mixes superior strategies for operating code immediately in pc reminiscence, determining mandatory system features and sources because it runs, and using a number of layers of strategies to keep away from detection by safety software program.
A brand new and complicated piece of malware, dubbed ResolverRAT by Morphisec researchers, has been found actively focusing on organisations throughout the healthcare and pharmaceutical sectors, with the newest wave of assaults occurring round March 10, 2025.
Morphisec’s Risk Labs researchers dubbed it Resolver due to the malware’s excessive reliance on figuring issues out and dealing with sources dynamically whereas operating, making it a lot tougher for conventional strategies to detect it.
In line with researchers, ResolverRAT is distributed by way of phishing emails designed to create a way of urgency or worry, pressuring recipients to click on on a malicious hyperlink. As soon as clicked, the hyperlink results in a file that begins the ResolverRAT an infection course of.
This can be a extremely localised phishing assault because the emails are written within the native language of the focused nation and constantly use alarming topics, corresponding to authorized investigations or copyright violations. This multi-language strategy suggests a world operation geared toward maximising profitable infections by personalised focusing on.
ResolverRAT infections start with DLL side-loading, a method that includes inserting a malicious DLL file alongside a respectable, signed program, recognized as ‘hpreader.exe‘ on this case. When ‘hpreader.exe’ is executed, it unknowingly hundreds the malicious DLL, triggering the malware’s execution.
Apparently, the identical executable was recognized by CPR in a latest marketing campaign distributing the Rhadamanthys malware, and Cisco Talos documented comparable phishing strategies used to ship Lumma information-stealing malware. This might counsel that the teams are reusing instruments, sharing sources, or a part of a coordinated effort or shared community of cybercriminal associates.
ResolverRAT employs a number of layers of evasion to keep away from detection, together with intensive code obfuscation and a customized protocol over customary ports to mix community visitors. It executes malicious code immediately within the pc’s reminiscence (in-memory execution) and dynamically identifies and makes use of mandatory system features because it runs (API decision).
To remain on an contaminated system even after a reboot, ResolverRAT creates as much as 20 entries within the Home windows Registry, unfold throughout numerous areas, and installs copies of itself in numerous areas.
Furthermore, the malware makes use of a singular technique of certificates validation and ‘.NET Useful resource Resolver Hijacking’ approach is a key factor of its stealth. Moreover, it makes an attempt to fingerprint evaluation environments and may alter its behaviour when it detects it’s being examined.
It permits attackers to steal delicate data like credentials and affected person information, breaking giant datasets into smaller chunks for simpler transmission. ResolverRAT additionally has distant entry capabilities, permitting attackers to execute instructions, add information, take screenshots, seize keystrokes, and probably deploy additional malware.
This refined mix of in-memory execution, superior evasion strategies, and resilient C2 infrastructure poses a considerable menace to delicate sectors like healthcare and prescription drugs, highlighting the necessity for organisations to undertake proactive defence methods to successfully counter these threats.
