ResolverRAT: A New Sophisticated RAT Targeting Healthcare Organizations

In a new report by Morphisec, security researchers discovered a new malware threat targeting healthcare organizations. The threat is named ResolverRAT by Morphisec researchers due to its heavy reliance on runtime resolution mechanisms and dynamic resource handling, which makes the remote access trojan (RAT) difficult to detect and analyze.


Researchers noted that the recent attack campaigns share several similarities in phishing infrastructure and delivery mechanisms with campaigns distributing Rhadamanthys and Lumma. ResolverRAT itself, however, appears to have been previously undocumented. Further, the malware has a distinct loader and payload architecture, differentiating it from the stealers mentioned above.

Regarding the initial access vector, the attack kicks off a social engineering campaign that targets an organization's corporate employees across multiple countries using multiple languages. The threat actor leverages fear-based lures delivered via phishing emails designed to pressure recipients into clicking a malicious link.

If clicked, the link directs the user to download and open a file that triggers ResolverRAT's deployment. This campaign reflects the ongoing trend of highly localized phishing techniques and lures, with region-specific language and themes used to increase credibility and user engagement.

The malware payload is delivered using DLL side-loading, a favored payload delivery technique increasingly used by those looking to deploy stealers and RATs. The Dynamic Link Library, or DLL for short, is Microsoft's implementation of the shared library concept. These libraries, which typically sport the .dll file extension, contain code and data that can be used by multiple programs simultaneously.

Unfortunately, threat actors can also exploit the way Windows searches for and loads DLLs. When an application requires a DLL to run, Windows attempts to load the DLL from either a full path defined by the application or via a manifest file. A manifest is a plain text file containing information about an application or component's dependencies and configuration requirements.

It specifies which DLLs should be loaded at runtime by the associated program or, in this instance, the malware. Threat actors can exploit poorly configured manifest files by placing a malicious DLL with the same name as a legitimate DLL in a location where an application will load it before the DLL that should be loaded.

ResolverRAT includes a legitimate, signed executable vulnerable to DLL hijacking paired with a malicious DLL placed in the same directory. Upon execution, the legitimate application, in this case, hpreader.exe, automatically loads the malicious DLL, initiating the infection chain.
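The pairing described above, a signed executable beside a DLL whose name shadows a library Windows would normally load from its system directory, is something a defender can audit for on disk. The following is an added example (not code from the Morphisec report or from the malware): it walks a directory tree and flags any DLL that sits next to an executable while carrying the name of a known system DLL. The system DLL list is a constructed, partial sample, and the `version.dll` filename in the constructed layout is a placeholder, not the DLL name used by ResolverRAT.

```python
import os
import tempfile
from pathlib import Path

# DLL names that normally load from the Windows system directory. A copy of any
# of these beside an application executable is a side-loading indicator worth
# reviewing (constructed, partial list; extend it from a trusted System32
# inventory taken on a known-good host).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wininet.dll"}


def find_sideload_candidates(root, system_dll_names=SYSTEM_DLL_NAMES):
    """Walk root; in every directory containing an .exe, report DLLs whose
    name shadows a system DLL. Returns a sorted list of (exe_name, dll_path)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lower = {f.lower(): f for f in filenames}
        exes = [f for f in lower if f.endswith(".exe")]
        if not exes:
            continue
        for name in lower:
            if name.endswith(".dll") and name in system_dll_names:
                for exe in exes:
                    findings.append((lower[exe], os.path.join(dirpath, lower[name])))
    return sorted(findings)


def build_constructed_tree():
    """Constructed layout mimicking the loader pairing described above:
    hpreader.exe beside a DLL named like a system library (placeholder name).
    The file contents are placeholders, not real PE images."""
    base = tempfile.mkdtemp(prefix="sideload_demo_")
    app = Path(base, "HPReader")
    app.mkdir()
    (app / "hpreader.exe").write_bytes(b"MZ placeholder, not a real PE")
    (app / "version.dll").write_bytes(b"MZ placeholder, not a real PE")
    clean = Path(base, "Tools")
    clean.mkdir()
    (clean / "tool.exe").write_bytes(b"MZ placeholder")
    (clean / "helper.dll").write_bytes(b"MZ placeholder")  # unique name, not flagged
    return base


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(build_constructed_tree()):
        print(f"review: {dll} sits beside {exe}")
```

A hit is a lead, not a verdict: confirm it by checking the DLL's signature and hash against the vendor's shipped file before treating it as malicious.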

Researchers did note the following,

This TTP closely mirrors a recently documented campaign by CPR, which also utilized hpreader.exe as the loader for Rhadamanthys malware via DLL side-loading. Notably, both campaigns deploy an identical binary of the legitimate executable, strongly suggesting code reuse or shared tooling across operations...The overlap between campaigns is further evidenced by the consistent naming patterns used for both .zip archives and phishing email subject. These naming patterns align closely with the copyright infringement theme and mirror those documented in research by both CPR and Cisco Talos. This thematic consistency across lure artifacts suggests a shared playbook or coordinated activity. Talos also highlighted similar phishing techniques in a campaign delivering infostealers via themed social engineering content...

ResolverRAT's Advanced Features

Threat actors are increasingly using DLL side-loading. ResolverRAT includes several advanced features deserving of special mention. The malware is encrypted during the infection process and decrypted before execution. The malware employs AES-256 encryption with embedded cryptographic keys to protect its payload.

The cryptographic implementation uses the .NET System.Security.Cryptography namespace with AES in CBC mode; for key management, encryption keys and IVs are stored as obfuscated integers, decoded at runtime; for multi-layer protection, the payload is both encrypted and compressed using GZip; and for memory-only execution, the whole payload exists only in memory after decryption.

Researchers further noted that for much-improved stealth and resilience, ResolverRAT's initialization sequence reveals a sophisticated, multi-stage bootstrapping process, including resource resolver hijacking. Threat actors utilize an overlooked .NET mechanism to operate entirely within managed memory, circumventing traditional security monitoring focused on Win32 API and file system operations.

By registering a custom handler for the .NET "ResourceResolve" event, the malware can intercept legitimate resource requests and return malicious assemblies instead. This elegant technique achieves code injection without modifying headers or employing suspicious API calls that might trigger security solutions.

Making analysis an even more daunting prospect, ResolverRAT uses multiple evasion techniques to avoid detection. These include leveraging standard ports from the CheckDistributor list while communicating via a custom protocol, allowing its traffic to blend seamlessly with legitimate activity. Additionally, it employs certificate pinning, which enforces embedded certificate validation and prevents man-in-the-middle inspection, reducing the effectiveness of network security monitoring.

Further, the malware employs extensive code obfuscation, including method and variable name obfuscation, to hinder analysis. It also uses timer-based connection management, scheduling connection attempts through timer callbacks at randomized intervals to better evade detection and analysis.
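Because the traffic uses standard ports and the payload is pinned and unreadable, the remaining network signal is timing: a timer callback with randomized intervals still produces check-ins whose gaps cluster around a mean. The following is an added example (not from the report) of a beaconing check over constructed connection records: it groups connections by source, destination and port, and flags flows whose inter-connection intervals have a low coefficient of variation (standard deviation divided by mean). The log lines, hostnames, addresses and the 0.25 threshold are constructed assumptions, not values from the campaign.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection records: "timestamp source destination port".
# ws-17 checks in roughly every 60 s with random jitter; ws-22 browses at
# irregular times. Both use port 443, so the port alone tells us nothing.
LOG_LINES = [
    "2025-04-10T09:00:00 ws-17 203.0.113.5 443",
    "2025-04-10T09:01:07 ws-17 203.0.113.5 443",
    "2025-04-10T09:02:02 ws-17 203.0.113.5 443",
    "2025-04-10T09:03:11 ws-17 203.0.113.5 443",
    "2025-04-10T09:04:05 ws-17 203.0.113.5 443",
    "2025-04-10T09:05:09 ws-17 203.0.113.5 443",
    "2025-04-10T09:00:30 ws-22 198.51.100.9 443",
    "2025-04-10T09:00:34 ws-22 198.51.100.9 443",
    "2025-04-10T09:12:10 ws-22 198.51.100.9 443",
    "2025-04-10T09:12:12 ws-22 198.51.100.9 443",
    "2025-04-10T09:45:00 ws-22 198.51.100.9 443",
    "2025-04-10T09:45:03 ws-22 198.51.100.9 443",
]


def parse_flows(lines):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(lines, min_events=5, max_cv=0.25):
    """Return [(flow, mean_gap_s, cv)] for flows whose gaps are regular enough
    to look timer-driven despite jitter (cv = pstdev/mean <= max_cv)."""
    hits = []
    for key, times in parse_flows(lines).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((key, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for flow, mean_gap, cv in find_beacons(LOG_LINES):
        print(f"possible beacon {flow}: mean gap {mean_gap}s, cv {cv}")
```

On real telemetry, run this per host over a window of hours and treat flows to uncategorised destinations with a low cv as candidates for pivoting into endpoint data, since wide jitter or long sleeps will raise the cv and require a longer window.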

Karolis Liucveikis


Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
