New ResolverRAT trojan targets global healthcare and pharma sectors

A new remote access trojan, dubbed ‘ResolverRAT’, targets organizations in the healthcare and pharmaceutical industries, according to a report released by Morphisec Threat Labs.

The malware combines advanced in-memory execution with layered evasion techniques, making it particularly difficult to detect and analyze. Unlike well-known malware families such as Rhadamanthys or Lumma, ResolverRAT comes with a unique loader and payload architecture, while reusing elements from previous campaigns, including phishing infrastructure and binary components.

Initial access is achieved through localized phishing emails, often themed around legal or copyright issues. The emails are crafted in local languages and have been distributed to employees in multiple countries.

ResolverRAT is delivered via DLL side-loading, exploiting legitimate but vulnerable executables like hpreader.exe. Once executed, the malware loads a memory-resident payload, which is AES-256 encrypted and GZip-compressed, helping it evade traditional antivirus tools.
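The side-loading pattern above (a legitimate executable such as hpreader.exe loading a malicious DLL from the directory it was dropped into) leaves a recognisable trace in image-load telemetry. The following Python detection sketch is an added example, not code from the Morphisec report: it parses constructed Sysmon "Image loaded" (Event ID 7) style records and flags loads where the DLL sits in the same user-writable directory as the host executable and fails signature verification. The log lines, the directory names and the DLL file names are placeholders made up for this example; only hpreader.exe comes from the article.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 style records for illustration only; they are
# not telemetry from any real incident. hpreader.exe is the host executable
# named in the report, every other path and DLL name is a placeholder.
SAMPLE_LOGS = r"""
EventID=7 Image=C:\Users\alice\AppData\Roaming\Reader\hpreader.exe ImageLoaded=C:\Users\alice\AppData\Roaming\Reader\placeholder.dll Signed=false
EventID=7 Image=C:\Program Files\Vendor\Reader\hpreader.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true
EventID=7 Image=C:\Program Files\Vendor\Reader\hpreader.exe ImageLoaded=C:\Program Files\Vendor\Reader\placeholder.dll Signed=true
EventID=7 Image=C:\Users\bob\Downloads\invoice\hpreader.exe ImageLoaded=C:\Users\bob\Downloads\invoice\other.dll Signed=false
EventID=7 Image=C:\Users\bob\Downloads\invoice\hpreader.exe ImageLoaded=C:\Windows\System32\ntdll.dll Signed=true
""".strip().splitlines()

# Directory markers that normally indicate a location a standard user can
# write to (where a phishing attachment would be unpacked), as an assumption.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")

# key=value fields separated by whitespace; the lookahead lets values such as
# "C:\Program Files\..." keep their embedded spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_record(line: str) -> dict:
    """Turn one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_user_writable(path) -> bool:
    """Heuristic: does the path live under a user-writable tree?"""
    lowered = str(path).lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def is_sideload_candidate(rec: dict) -> bool:
    """Flag an image load as a DLL side-loading candidate when the DLL is
    unsigned and was loaded from the executable's own user-writable folder."""
    if rec.get("EventID") != "7":
        return False
    exe = PureWindowsPath(rec["Image"])
    dll = PureWindowsPath(rec["ImageLoaded"])
    same_dir = exe.parent == dll.parent          # DLL beside the host EXE
    unsigned = rec.get("Signed", "").lower() == "false"
    return same_dir and unsigned and is_user_writable(exe.parent)


def find_sideload_candidates(lines) -> list:
    """Return (host_exe, dll) pairs for every suspicious load in the input."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_sideload_candidate(rec):
            hits.append((rec["Image"], rec["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_LOGS):
        print(f"side-load candidate: {exe} loaded {dll}")
```

Run as-is, the script reports the two loads from user profile directories (the AppData and Downloads cases) and stays quiet on the install under Program Files and on system DLLs. In production the same three conditions map directly onto Sysmon's Image, ImageLoaded and Signed fields in Event ID 7, and the directory heuristic would be replaced by an allowlist of expected install paths for the host executable.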

The trojan also hijacks .NET’s resource resolution process using a custom handler, allowing it to slip past many conventional detection mechanisms. Persistence is maintained through registry edits and file placements, with multiple fallback methods so that access survives if any single mechanism is removed.

ResolverRAT’s command-and-control (C2) channels use a custom certificate validation scheme that avoids standard root authorities, along with IP rotation and custom protocols on standard ports to mask activity. It also employs chunked data transfers and multi-threaded command execution, enhancing both stealth and reliability.
