
Cybersecurity researchers have discovered a new, sophisticated remote access trojan called ResolverRAT, which has been observed in attacks targeting the healthcare and pharmaceutical sectors.
“Threat actors leverage fear-based lures delivered via phishing emails, designed to get recipients to click on malicious links. When accessed, the link instructs the user to download and open a file that triggers the ResolverRAT execution chain.”
The activity, observed on March 10, 2025, shares infrastructure and delivery mechanisms with phishing campaigns that delivered information-stealer malware such as Lumma and Rhadamanthys, as documented by Cisco Talos and Check Point last year.

A notable aspect of the campaign is its use of localized phishing lures, with emails written primarily in the language spoken in the target country, including Hindi, Italian, Czech, Turkish, Portuguese and Indonesian. This illustrates the threat actor’s attempt to cast a wide net through region-specific targeting and maximize infection rates.
The text of the email messages uses themes related to legal investigations or copyright violations, aimed at inducing a false sense of urgency and increasing the likelihood of user interaction.
Infection chains are characterized by the use of DLL sideloading to initiate the process. The first stage is an in-memory loader that incorporates a range of tricks to decrypt and execute the main payload while staying under the radar. The ResolverRAT payload is not only encrypted and compressed, but exists only in memory after it has been decoded.
“The ResolverRAT initialization sequence reveals a sophisticated multi-stage bootstrap process designed for stealth and resilience,” Lorber said, implementing “multiple redundant persistence methods” by installing itself in various locations in the Windows registry and file system as a fallback mechanism.
Upon booting, the malware uses bespoke certificate-based authentication before establishing contact with the command-and-control (C2) server, bypassing the machine’s root certificate authorities. Additionally, if the primary C2 server becomes unavailable or is taken down, it implements an IP rotation system that connects to an alternative C2 server.
ResolverRAT is also equipped with capabilities to sidestep detection efforts through certificate pinning, source code obfuscation, and irregular beaconing patterns to C2 servers.
“This advanced C2 infrastructure combines secure communication, fallback mechanisms and evasion techniques designed to maintain sustained access while avoiding detection by security monitoring systems,” Morphisec said.
The ultimate goal of the malware is to process commands issued by the C2 server and exfiltrate the responses back to it, splitting data larger than 1 MB into 16 kB chunks to minimize the likelihood of detection.
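The 16 kB chunking of large responses gives defenders a traffic-shape heuristic to look for. The following is an added example, not code from Morphisec or from the report: it runs over constructed upload records (source, destination, bytes sent) and flags host pairs whose uploads are almost all 16 KiB and together exceed 1 MiB. The tolerance and fraction thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict

CHUNK_SIZE = 16 * 1024          # 16 KiB chunks, as described in the report
MIN_TOTAL = 1024 * 1024         # chunking applies to data above 1 MiB
SIZE_TOLERANCE = 0.05           # accept sizes within +/-5% of CHUNK_SIZE (assumption)
MIN_CHUNK_FRACTION = 0.9        # 90% of a pair's uploads must be chunk-sized (assumption)


def constructed_uploads():
    """Constructed sample records (src, dst, bytes_sent); not real traffic."""
    benign = [("10.0.0.5", "203.0.113.9", n) for n in (512, 40_000, 1_200, 16_384, 700)]
    # One host sending 70 uniform 16 KiB uploads (~1.1 MiB) to a single destination.
    suspicious = [("10.0.0.7", "198.51.100.4", CHUNK_SIZE)] * 70
    return benign + suspicious


def find_chunked_uploads(records, chunk_size=CHUNK_SIZE, min_total=MIN_TOTAL,
                         tolerance=SIZE_TOLERANCE, min_fraction=MIN_CHUNK_FRACTION):
    """Return {(src, dst): {"chunks": n, "bytes": total}} for host pairs whose
    uploads are almost all chunk-sized and together exceed min_total bytes."""
    sizes_by_pair = defaultdict(list)
    for src, dst, nbytes in records:
        sizes_by_pair[(src, dst)].append(nbytes)

    low, high = chunk_size * (1 - tolerance), chunk_size * (1 + tolerance)
    hits = {}
    for pair, sizes in sizes_by_pair.items():
        chunk_sized = [s for s in sizes if low <= s <= high]
        if not chunk_sized:
            continue
        total = sum(chunk_sized)
        fraction = len(chunk_sized) / len(sizes)
        # Flag only when the pair is dominated by uniform chunks and moved > 1 MiB that way.
        if total >= min_total and fraction >= min_fraction:
            hits[pair] = {"chunks": len(chunk_sized), "bytes": total}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_chunked_uploads(constructed_uploads()).items():
        print(f"{src} -> {dst}: {info['chunks']} chunk-sized uploads, {info['bytes']} bytes")
```

A benign host that happens to send one 16 KiB upload is not flagged, because the fraction and total-volume conditions must both hold.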
Although the campaign has not yet been attributed to a particular group or country, the similarity of the lure themes and the use of DLL sideloading across previously observed phishing attacks implies possible connections.
“The alignment […] could indicate possible overlapping threat actor infrastructure or operational playbooks, and point to shared affiliate models or coordinated activity among related threat groups,” the company said.

The development comes as Cyfirma detailed another remote access trojan called Neptune RAT that uses a modular, plugin-based approach to steal information, maintain persistence on the host, demand a $500 ransom, and overwrite the Master Boot Record (MBR) to destroy the normal functionality of the Windows system.
It is freely distributed via GitHub, Telegram and YouTube. That said, the GitHub profiles associated with the malware, MasOngroup (aka Freemasonry), are no longer accessible.
“Neptune RAT incorporates advanced anti-analysis techniques and persistence methods to maintain a long-term presence on the victim’s system, and is packed with dangerous features,” the company said in an analysis published last week.
These include a “crypto clipper, password stealer with the ability to extract over 270 different applications’ credentials,” ransomware features and live desktop monitoring.