A sophisticated new malware called ResolverRAT has emerged, actively targeting pharmaceutical and healthcare organizations worldwide through an elaborate phishing campaign, according to cybersecurity researchers at Morphisec.
The malware spreads through phishing emails crafted in multiple languages, often mimicking legal notices or investigations to appear legitimate. Once victims download the malicious file, ResolverRAT deploys advanced techniques to steal sensitive data while evading detection.
The malware employs a complex multi-stage attack process, starting with a loader that decrypts and executes the main payload entirely in memory. This approach, combined with sophisticated anti-analysis features, makes it particularly challenging for security tools to detect and analyze the threat.
"We named it 'Resolver' due to its heavy reliance on runtime resolution mechanisms and dynamic resource handling," Morphisec researchers explained in their analysis.
The attack campaign appears to be highly targeted, with phishing emails customized in native languages for specific regions including Turkey, the Czech Republic, India, Indonesia, Italy, and Portugal.
Notable technical capabilities of ResolverRAT include:
- Advanced in-memory execution to avoid detection
- Complex evasion tactics using custom protocols
- Certificate-based authentication to bypass security tools
- Resilient command-and-control infrastructure
- Multiple persistence mechanisms across system locations
While ResolverRAT shares some characteristics with known malware families like Rhadamanthys and Lumma RAT, researchers classify it as a distinct new threat, possibly developed by actors using shared infrastructure.
The malware creates redundant system persistence through registry entries and startup files, making it difficult to completely remove once installed. It also implements sophisticated communication methods, including certificate pinning and serialized data exchange protocols.
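The redundant persistence described above (the same payload registered in several autorun locations so that removing one copy is not enough) is something a responder can check for directly. The following PowerShell script is an added example written for this page; it is not code from Morphisec's analysis and makes no claim about which specific keys or paths ResolverRAT uses. It assumes the usual Windows autorun points (the HKLM/HKCU Run and RunOnce keys and the per-user and all-users Startup folders), inventories every entry, and reports any executable that appears in more than one location, which is the pattern a defender would want to triage and remove as a set rather than one entry at a time.

```powershell
# Added example (not from the Morphisec analysis or the article): inventory the
# autorun locations commonly used for redundant persistence and flag any program
# registered in more than one place. The location list is an assumption about
# typical Windows autorun points, not a statement of what ResolverRAT uses.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$entries = @()

# Registry-based autoruns: one value per entry, value data is the command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# Startup-folder autoruns: files run directly, .lnk shortcuts are resolved to their target.
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') {
            $shell = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($f.FullName).TargetPath
        }
        $entries += [pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $target }
    }
}

# Normalise a command line to its executable path so that
#   C:\x\a.exe   and   "C:\x\a.exe" /arg
# group together as the same program.
function Get-ExecutablePath([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1).ToLowerInvariant() }
    }
    return ($cmd -split '\s+')[0].ToLowerInvariant()
}

$grouped = $entries | Group-Object { Get-ExecutablePath $_.Command }

Write-Host "All autorun entries:"
$entries | Format-Table Location, Name, Command -AutoSize

Write-Host "Executables registered in more than one autorun location (candidate redundant persistence):"
$grouped | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Host ("  {0}  ({1} locations)" -f $_.Name, $_.Count)
    $_.Group | ForEach-Object { Write-Host ("      - {0}" -f $_.Location) }
}
```

Run it from an elevated prompt so the HKLM keys and the all-users Startup folder are readable. A program appearing in several locations is not proof of malware (some legitimate installers do the same), but when a suspect binary shows up in the report every listed location should be removed together, which is the point the article makes about why this family is hard to clean up.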
Organizations in the healthcare and pharmaceutical sectors are advised to remain vigilant against phishing attempts, particularly those appearing as legal notices in local languages.