Full Report
Morphisec Labs has detailed a newly discovered remote access trojan (RAT) dubbed ResolverRAT, which employs advanced in-memory execution,... The post ResolverRAT malware attacks pharma and healthcare organizations via phishing and DLL side-loading appeared first on Industrial Cyber.
Analysis Summary
# Tool/Technique: ResolverRAT
## Overview
ResolverRAT is a newly discovered Remote Access Trojan (RAT) characterized by in-memory execution, dynamic runtime resolution of APIs and resources, and several layers of evasion. It was named 'Resolver' because of its heavy reliance on runtime resolution and dynamic resource handling, both chosen to impede static and behavioral analysis. The malware has been observed primarily targeting the healthcare and pharmaceutical sectors.
## Technical Details
- Type: Malware family (RAT)
- Platform: Windows (implied by .NET execution and Win32 API references)
- Capabilities: In-memory execution, runtime API/resource resolution, multi-layered encryption/compression, robust persistence mechanisms, and custom C2 communication over standard ports.
- Activity: Most recent wave observed on March 10, 2025 (the text gives no first-seen date).
## MITRE ATT&CK Mapping
The text provides no confirmed mappings; the following are inferred from the described behaviour and should be treated as analyst assumptions, not as attribution from the report:
- **TA0001 - Initial Access**
- T1566 - Phishing (fear-based lures in the targets' native language; the text does not say whether the lure carried an attachment or a link, so no sub-technique is assigned)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the victim runs the delivered file; nothing in the text supports PowerShell use, so T1059.001 is not inferred)
- **TA0003 - Persistence**
- T1547.001 - Registry Run Keys / Startup Folder (redundant registry entries across multiple locations)
- T1574.002 - Hijack Execution Flow: DLL Side-Loading (named in the report title as the loading mechanism; also a Defense Evasion technique)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (AES-256-CBC and GZip wrapped payload, XOR-obfuscated key names, paths and integer-encoded key material)
- T1620 - Reflective Code Loading (payload assembly loaded into managed memory through the `ResourceResolve` handler; this happens inside the host process, so T1055 Process Injection is not supported by the text)
- T1497 - Virtualization/Sandbox Evasion (timing and sequence checks on assembly requests inside the resolver handler)
- **TA0011 - Command and Control**
- T1573 - Encrypted Channel (TLS with a private trust store and certificate pinning, which is why inspection proxies cannot see the traffic; this is evasion of inspection, not T1562.001 Impair Defenses, since no security tool is modified)
- T1071 is listed only tentatively: the text describes a custom protocol on standard ports, and T1071.001 Web Protocols applies only if that protocol rides on HTTP(S), which the text does not confirm
## Functionality
### Core Capabilities
- **Delivery:** Initial infection vector via social engineering phishing emails leveraging fear-based lures (e.g., legal investigations, copyright violations) in the native language of targeted countries.
- **Payload Protection:** The payload is protected with AES-256 in CBC mode, with the key and IV stored as obfuscated integers that are decoded at runtime. A GZip layer is applied as well, so the loader has to both decrypt and decompress before it holds a loadable assembly; GZip adds size reduction and another layer of indirection, not encryption.
- **Fileless Execution:** Employs resource resolver hijacking within the .NET framework to operate entirely in managed memory, sidestepping monitoring that keys on Win32 API calls or file system writes.
- **Persistence:** Redundant persistence implemented via the `ExecutorState` class, which creates up to 20 registry entries across multiple locations; the key names and paths are stored XOR-obfuscated in the binary and decoded at runtime, so they are not visible as plain strings.
### Advanced Features
- **.NET Resource Resolver Hijacking:** Registers a custom handler for `ResourceResolve` events and returns a malicious assembly when the framework raises a legitimate resource request, so the payload is loaded through a normal framework code path without modifying the PE on disk.
- **Evasion via Network Blending:** Communicates over a custom protocol on the standard ports enumerated in its `CheckDistributor` list, so C2 traffic blends with ordinary outbound activity on those ports.
- **SSL/TLS Bypass:** Implements a parallel trust system for certificate validation that ignores the machine's root authorities and pins the C2 certificate. Because the implant validates against its own embedded trust data rather than the Windows store, an inspection proxy's substitute certificate fails validation and the session is never decrypted by the proxy.
- **Anti-Analysis:** Detects dynamic analysis environments by monitoring the sequence and timing of assembly requests inside its resource resolution handler.
- **C2 Resilience:** Features persistent connectivity using the `ViewConnection()` method to re-establish C2 connections when interrupted, with timer-based connection management using randomized intervals.
- **Victim Tracking:** C2 configuration includes specific fields for tracking infected hosts, associating victims with authentication tokens, and organizing infections by campaign.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: Numerous keys created across multiple locations, obfuscated using XOR operations.
- Network Indicators: Custom protocol used over standard ports; specific C2 infrastructure configuration detailed in the malware binary.
- Behavioral Indicators: Heavy reliance on .NET `ResourceResolve` events, dynamic API/resource resolution at runtime, and creation of numerous redundant registry persistence entries.
## Associated Threat Actors
The article notes that the delivery infrastructure overlaps with campaigns distributing **Rhadamanthys** and **Lumma**, but ResolverRAT itself appears to be a previously undocumented family; it targets the same sectors as phishing campaigns previously associated with those stealers.
## Detection Methods
- Signature-based detection: Likely ineffective on the packed payload because of the AES/GZip wrapping and runtime resolution; the on-disk loader is the only static artifact.
- Behavioral detection: Focus on .NET processes that register resource resolution handlers and then allocate and execute new managed assemblies from memory, and on a single process writing many autorun registry values across several locations within seconds.
- YARA rules: Can target the loader's AES-256-CBC decryption routine or the combination of `System.Security.Cryptography` references, GZip stream handling and `ResourceResolve` event registration in one assembly. Note that AES and GZip use alone is common in benign .NET software, so rules should require the resolver-handler indicator as well to keep false positives manageable.
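As an added example for the behavioral detection described above (not Morphisec's tooling and not code from the report), the following Python hunts for the parallel-persistence pattern over Sysmon-style registry `SetValue` events (Event ID 13). The event records, host paths, value names and timestamps are constructed for illustration; the autorun location list and the thresholds are assumptions to tune per environment.

```python
"""Hunt for one process planting many autorun registry values in a short burst.

Added example; not Morphisec's tooling nor code from ResolverRAT. Input is a
list of constructed Sysmon Event ID 13 (RegistryEvent, SetValue) records: the
field names follow Sysmon's schema, but every image path, value name and
timestamp is invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Autorun locations to watch (hive-agnostic, matched case-insensitively).
# Assumption: this short list is enough for the demo; real hunts use a longer one.
AUTORUN_PATHS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
    "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\",
    "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\",
)

# Directories a legitimate installer rarely performs its persistence step from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def autorun_location(target_object: str):
    """Return the autorun location prefix the registry path falls under, or None."""
    t = target_object.lower()
    for prefix in AUTORUN_PATHS:
        if prefix in t:
            return prefix
    return None


def parse_time(s: str) -> datetime:
    # Sysmon UtcTime format, e.g. "2025-03-10 09:14:02.417"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_parallel_persistence(events, min_values=4, min_locations=2,
                              window=timedelta(minutes=5)):
    """Group autorun SetValue events per process and flag any process that
    writes at least `min_values` values across `min_locations` distinct
    locations inside `window`. Returns findings sorted by value count."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        loc = autorun_location(ev["TargetObject"])
        if loc is None:
            continue
        per_proc[(ev["Image"], ev["ProcessId"])].append(
            (parse_time(ev["UtcTime"]), loc, ev["TargetObject"]))

    findings = []
    for (image, pid), writes in per_proc.items():
        writes.sort()
        # Sliding window over this process's writes; keep the densest burst so
        # four values spread over an hour do not trip the rule.
        best, start = [], 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = writes[start:end + 1]
        locations = {loc for _, loc, _ in best}
        if len(best) >= min_values and len(locations) >= min_locations:
            findings.append({
                "image": image,
                "pid": pid,
                "values": len(best),
                "locations": len(locations),
                "burst_seconds": (best[-1][0] - best[0][0]).total_seconds(),
                "user_writable_image": any(d in image.lower() for d in USER_WRITABLE),
                "targets": [t for _, _, t in best],
            })
    findings.sort(key=lambda f: f["values"], reverse=True)
    return findings


def _ev(ts, image, pid, target, event_id=13, event_type="SetValue"):
    return {"EventID": event_id, "EventType": event_type, "UtcTime": ts,
            "Image": image, "ProcessId": pid, "TargetObject": target}


SUSPECT = "C:\\Users\\alice\\AppData\\Roaming\\Adobe\\hpreader.exe"  # constructed
AGENT = "C:\\Program Files\\ExampleVendor\\agent.exe"                 # constructed
HKCU_CV = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\"
HKLM_CV = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"

# Constructed sample log: one installer write, one slow benign updater, and one
# burst of six autorun values from a process living under AppData.
SAMPLE_EVENTS = [
    _ev("2025-03-10 09:10:11.001", "C:\\Program Files\\ExampleCorp\\setup.exe", 4120,
        HKLM_CV + "Run\\ExampleUpdater"),
    _ev("2025-03-10 09:00:00.000", AGENT, 3008, HKLM_CV + "Run\\AgentA"),
    _ev("2025-03-10 09:20:00.000", AGENT, 3008, HKLM_CV + "RunOnce\\AgentB"),
    _ev("2025-03-10 09:40:00.000", AGENT, 3008, HKLM_CV + "Run\\AgentC"),
    _ev("2025-03-10 10:00:00.000", AGENT, 3008, HKLM_CV + "RunOnce\\AgentD"),
    _ev("2025-03-10 09:14:02.417", SUSPECT, 6644, HKCU_CV + "Run\\WindowsUpdateSvc"),
    _ev("2025-03-10 09:14:02.930", SUSPECT, 6644, HKCU_CV + "RunOnce\\WindowsUpdateSvc"),
    _ev("2025-03-10 09:14:03.211", SUSPECT, 6644, HKLM_CV + "Run\\WindowsUpdateSvc"),
    _ev("2025-03-10 09:14:03.640", SUSPECT, 6644, HKLM_CV + "Policies\\Explorer\\Run\\WindowsUpdateSvc"),
    _ev("2025-03-10 09:14:04.102", SUSPECT, 6644, HKCU_CV + "Run\\OneDriveSync"),
    _ev("2025-03-10 09:14:04.555", SUSPECT, 6644, HKLM_CV + "RunOnce\\OneDriveSync"),
    # Noise from the same process that must not count: a non-autorun value and a CreateKey.
    _ev("2025-03-10 09:14:05.000", SUSPECT, 6644, "HKCU\\Software\\Classes\\.txt\\(Default)"),
    _ev("2025-03-10 09:14:05.200", SUSPECT, 6644, HKCU_CV + "Run\\Ignored", event_id=12, event_type="CreateKey"),
]

if __name__ == "__main__":
    for f in find_parallel_persistence(SAMPLE_EVENTS):
        print(f"{f['image']} (pid {f['pid']}): {f['values']} autorun values in "
              f"{f['locations']} locations within {f['burst_seconds']:.1f}s; "
              f"user-writable image: {f['user_writable_image']}")
```

The window matters: the vendor agent writes four autorun values across two locations but spread over an hour, so it is not flagged, while the AppData process that writes six values to three locations in about two seconds is. The `user_writable_image` flag is a second, independent signal worth surfacing alongside the count.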
## Mitigation Strategies
- **Email Security:** Implement robust email filtering, user training focused on fear-based social engineering lures (legal investigations, copyright claims), and strict controls on executing files obtained through unsolicited links.
- **Network Security:** TLS inspection will not reveal the C2 content because the implant pins its own certificate; instead, alert on TLS sessions on standard ports that abort under the inspection proxy or present a server certificate that does not chain to the enterprise CA, and use network segmentation so a compromised endpoint cannot move laterally.
- **Endpoint Protection:** Use EDR capable of monitoring .NET memory artifacts, specifically registration of framework handlers such as `ResourceResolve` followed by in-memory assembly loads, and the creation of many parallel persistence entries by one process.
- **Hardening:** Apply application control (AppLocker or WDAC) so unsigned executables and DLLs cannot run from user-writable directories, which blunts both the phished file and the side-loaded DLL, and keep endpoints patched against vulnerabilities that could be exploited during the initial stages.
## Related Tools/Techniques
- **Rhadamanthys:** Mentioned in association with similar phishing infrastructure and delivery mechanisms.
- **Lumma:** Mentioned in association with similar phishing infrastructure and delivery mechanisms (Lumma C2 framework/stealer).
- **VanHelsing:** Mentioned as a separate, contemporary ransomware operation using double extortion against similar sectors, suggesting overlapping targeting by several threat groups.