ResolverRAT: New Malware Targets Healthcare and Pharmaceutical Firms with Advanced Data Theft Capabilities

Discover how the newly identified ResolverRAT malware is targeting healthcare and pharmaceutical firms with advanced data theft capabilities. Learn about its sophisticated tactics and the global impact of this cyber threat.

TL;DR

  • New Malware Identified: ResolverRAT, a sophisticated remote access trojan, targets healthcare and pharmaceutical firms.
  • Advanced Capabilities: Utilizes in-memory execution, runtime resolution, and evasion techniques to steal sensitive data.
  • Global Campaign: Spreads via phishing emails in multiple languages, suggesting a targeted global operation.

New Malware ‘ResolverRAT’ Targets Healthcare and Pharmaceutical Firms

Morphisec researchers have identified a new malware strain dubbed ‘ResolverRAT’ that is specifically targeting healthcare and pharmaceutical firms. This advanced malware employs sophisticated tactics to steal sensitive data, posing a significant threat to these critical sectors.

Phishing Campaign and Global Reach

ResolverRAT is distributed through phishing emails that use localized languages and legal lures to entice victims. Once a malicious file is downloaded, the malware is triggered. The use of multiple languages in the phishing campaign suggests a global, targeted operation aimed at increasing infection success across various regions.

Advanced Malware Capabilities

ResolverRAT is characterized by its advanced in-memory execution and evasion techniques. According to Morphisec, this malware combines runtime resolution mechanisms and dynamic resource handling, making it difficult to detect through both static and behavioral analysis [1].

Similarities to Previous Malware

While ResolverRAT shares similarities with previous malware campaigns like Rhadamanthys and Lumma RAT, it has been classified as a new malware family. The threat actors behind this campaign employ DLL side-loading with hpreader.exe to initiate the infection, a method also used in past Rhadamanthys attacks. Overlaps in binaries, phishing themes, and file names suggest a shared infrastructure or coordinated efforts among threat actors.

Multi-Stage Evasion Process

ResolverRAT operates through a multi-stage process designed to evade detection:

  1. Loader Stage: A loader decrypts and executes the payload, employing anti-analysis techniques.
  2. Payload Encryption: The payload is AES-256 encrypted and compressed, with keys stored as obfuscated integers.
  3. In-Memory Execution: The malicious code runs entirely in memory after decryption, preventing static analysis.
  4. String Obfuscation: The malware uses string obfuscation to avoid detection.
  5. Resource Hijacking: It hijacks .NET resource resolvers to inject malicious assemblies without triggering security tools.
  6. Complex State Machine: A state machine with non-sequential transitions further complicates analysis.
  7. Persistence Mechanisms: The malware ensures persistence by creating multiple registry entries and files in various locations, including AppData, Program Files, and User Startup folders.
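As an added defender-side triage aid (not part of the Morphisec report or this post), the following PowerShell script enumerates the autostart locations that match the persistence pattern described above and flags entries pointing into AppData or Program Files, or invoking the side-loading host named earlier. The Run-key names and the signature heuristic are assumptions about where such entries would appear, not published IoCs.

```powershell
# Added triage script, not from the Morphisec report. Run-key names and the
# "unsigned target in a user-writable root" heuristic are assumptions.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Drop locations named in the post: AppData and Program Files trees
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-FirstExePath([string]$cmd) {
    # Extract the executable from a Run-key command line (quoted or bare)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Target = (Get-FirstExePath ([string]$p.Value)) }
    }
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $entries += [pscustomobject]@{ Source = $dir; Name = $_.Name; Target = $_.FullName }
    }
}

foreach ($e in $entries) {
    $inSuspectRoot = $suspectRoots | Where-Object { $e.Target -like "$_*" }
    $sideloadHost  = ([IO.Path]::GetFileName($e.Target) -ieq 'hpreader.exe')
    if (-not ($inSuspectRoot -or $sideloadHost)) { continue }
    # Unsigned or invalidly signed binaries in these roots deserve a closer look
    $sig = Get-AuthenticodeSignature -FilePath $e.Target -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source = $e.Source; Entry = $e.Name; Target = $e.Target
        Unsigned = ((-not $sig) -or ($sig.Status -ne 'Valid')); SideloadHost = $sideloadHost
    }
}
```

Every item in a user Startup folder lives under AppData, so those are always listed; review them alongside the Run-key hits rather than treating the output as a verdict.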

Certificate-Based Authentication and C2 Infrastructure

ResolverRAT supports certificate-based authentication to bypass SSL inspection tools, creating a private validation chain between the implant and the command and control (C2) server. It also employs a resilient C2 infrastructure with IP rotation and fallback capabilities. Evasion techniques include custom protocols over standard ports, certificate pinning, extensive code obfuscation, irregular connection patterns, and serialized data exchange with Protocol Buffers.

Command Processing Architecture

The command processing logic of ResolverRAT reveals a complex multi-threaded architecture:

  • Robust Error Handling: Prevents connection failures from crashing the malware.
  • Length-Prefixed Protocol: Each command is preceded by its size.
  • Dedicated Threads: Each received command is processed in a dedicated thread.

Global Targeting

The threat actor behind ResolverRAT targets users in multiple countries with phishing emails in native languages, often referencing legal investigations or copyright violations to increase credibility. Targeted countries include:

  • Turkey (Turkish)
  • Czech Republic
  • India (Hindi)
  • Indonesia
  • Italy (Italian)
  • Portugal (Portuguese)

Indicators of Compromise (IoCs)

Morphisec’s report includes Indicators of Compromise (IoCs) for this threat, providing valuable information for security professionals to identify and mitigate the malware.

Learn more about the author: Pierluigi Paganini

For more details, visit the full article: source

Conclusion

The emergence of ResolverRAT highlights the evolving landscape of cyber threats targeting critical sectors like healthcare and pharmaceuticals. Its advanced capabilities and global reach underscore the need for robust cybersecurity measures to protect sensitive data. As threat actors continue to innovate, staying informed and proactive is crucial for defending against such sophisticated attacks.

References

  1. Morphisec (2025). “New malware variant identified: ResolverRAT enters the maze”. Morphisec Blog. Retrieved 2025-04-14.

This post is licensed under CC BY 4.0 by the author.