Healthcare organizations and pharmaceutical firms are being targeted in a phishing campaign distributing a recently discovered remote access trojan (RAT) called ResolverRAT. The campaign has been linked to infrastructure previously used to deliver information stealers such as Lumma Stealer and Rhadamanthys, which suggests an experienced threat actor is behind it.

ResolverRAT is a stealthy RAT whose payload runs entirely in memory. Because the decrypted RAT is never written to disk, file-based antivirus scanning has nothing to inspect. Endpoint security tools also monitor Win32 API calls and file system operations for anomalous behavior, but ResolverRAT sidesteps much of that monitoring by abusing the .NET ResourceResolve event: the runtime raises this event when a managed resource lookup fails, and a registered handler can hand back an assembly. The malware hooks the event and returns its decrypted payload assembly from memory, so the load happens inside the managed runtime rather than through the LoadLibrary or CreateFile calls that hooks on the native API would see. In practice this defeats file-based and API-hook-based detection, not all detection: in-memory .NET loaders remain visible to telemetry produced inside the runtime, such as the CLR's ETW assembly-load events and memory scans of the running process, which is where detection engineering for this family should focus.

The malware achieves persistence in two ways: it writes XOR-obfuscated entries to the Windows Registry, and it places files in locations such as the Startup folder, Program Files, and %LOCALAPPDATA%, ensuring it is relaunched after a reboot. To make its command-and-control callbacks harder to spot as a pattern, the malware randomizes the interval between beacons rather than calling home on a fixed schedule. It is capable of data exfiltration, and large files are split into chunks and sent piecemeal so that the transfers blend in with regular web traffic instead of standing out as a single large upload. The malware has been designed to resist analysis, and most of its components are unique, strongly suggesting it was written from scratch by a skilled malware developer.
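Randomized beacon intervals and chunked uploads defeat detectors that look for a fixed period or a single large transfer, but they still leave aggregate signals in proxy logs: a jittered beacon's gaps stay inside a bounded band (no long idle stretches), and a chunked upload is a run of near-identical POST sizes that sum to a large total. The following script is an added example, not code from the original article or from TitanHQ, and not derived from ResolverRAT samples. It runs two such aggregate checks over constructed proxy log lines in an assumed space-separated format; the thresholds and the IP addresses are assumptions chosen for illustration.

```python
"""Aggregate-statistics checks for jittered beacons and chunked uploads in proxy logs."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, median, pstdev

# Constructed sample log, not real traffic. Assumed format per line:
# "<ISO-8601 timestamp> <src ip> <dst ip> <method> <request bytes>"
# 198.51.100.7 plays a C2 host receiving jittered beacons carrying ~1450-byte chunks;
# 203.0.113.20 plays an ordinary web site (bursty requests, then a long idle gap).
SAMPLE_LOG = """\
2025-04-14T09:00:00Z 10.0.0.5 198.51.100.7 POST 1450
2025-04-14T09:00:47Z 10.0.0.5 198.51.100.7 POST 1448
2025-04-14T09:02:10Z 10.0.0.5 198.51.100.7 POST 1452
2025-04-14T09:02:41Z 10.0.0.5 198.51.100.7 POST 1449
2025-04-14T09:04:05Z 10.0.0.5 198.51.100.7 POST 1451
2025-04-14T09:05:30Z 10.0.0.5 198.51.100.7 POST 1447
2025-04-14T09:06:02Z 10.0.0.5 198.51.100.7 POST 1450
2025-04-14T09:07:55Z 10.0.0.5 198.51.100.7 POST 1453
2025-04-14T09:00:12Z 10.0.0.5 203.0.113.20 GET 320
2025-04-14T09:00:13Z 10.0.0.5 203.0.113.20 GET 18400
2025-04-14T09:00:14Z 10.0.0.5 203.0.113.20 GET 2210
2025-04-14T10:31:05Z 10.0.0.5 203.0.113.20 GET 515
2025-04-14T10:31:06Z 10.0.0.5 203.0.113.20 POST 4096
2025-04-14T09:15:00Z 10.0.0.9 203.0.113.20 GET 310
"""


def parse(log_text):
    """Group events by (src, dst) flow, sorted by time: [(timestamp, method, bytes), ...]."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, size = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst)].append((when, method, int(size)))
    for events in flows.values():
        events.sort()
    return flows


def beacon_candidates(flows, min_hits=5, max_spread=5.0):
    """Flag flows whose inter-arrival gaps all fall within a bounded band.

    Jitter spreads the gaps but keeps them within a few multiples of each other,
    whereas human browsing produces bursts of sub-second gaps separated by long idle
    periods. Returns (flow, hit count, median gap seconds, max/min gap ratio).
    """
    hits = []
    for flow, events in flows.items():
        if len(events) < min_hits:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        lo, hi = min(gaps), max(gaps)
        if lo > 0 and hi / lo <= max_spread:
            hits.append((flow, len(events), round(median(gaps)), round(hi / lo, 1)))
    return hits


def chunked_upload_candidates(flows, min_posts=5, min_total=8000, max_cv=0.05):
    """Flag flows with many near-identical POST sizes that sum to a large total.

    A chunked exfiltration shows up as a low coefficient of variation (stdev / mean)
    across POST bodies; normal form submissions vary widely in size.
    Returns (flow, post count, total bytes out, coefficient of variation).
    """
    hits = []
    for flow, events in flows.items():
        sizes = [size for _, method, size in events if method == "POST"]
        if len(sizes) < min_posts:
            continue
        total, avg = sum(sizes), mean(sizes)
        cv = pstdev(sizes) / avg
        if total >= min_total and cv <= max_cv:
            hits.append((flow, len(sizes), total, round(cv, 3)))
    return hits


if __name__ == "__main__":
    flows = parse(SAMPLE_LOG)
    for flow, count, med, spread in beacon_candidates(flows):
        print(f"beacon? {flow}: {count} hits, median gap {med}s, gap spread x{spread}")
    for flow, count, total, cv in chunked_upload_candidates(flows):
        print(f"chunked upload? {flow}: {count} POSTs, {total} bytes, size CV {cv}")
```

Both checks deliberately ignore the exact timing and the exact sizes, which is what the malware randomizes, and key on properties it cannot hide without giving up its goals: a beacon has to keep calling home, and a chunked upload has to move the whole file. The thresholds are starting points to tune against a baseline of your own proxy traffic.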

As with many other phishing campaigns, the ResolverRAT campaign uses social engineering techniques to trick end users. Lures are used that create a sense of urgency, demanding that action be taken immediately to prevent significant costs and legal problems. Emails used in the campaign include notices about copyright violations and other legal issues that require immediate action, along with a threat of legal consequences if the matter is not corrected immediately.

The emails contain a link to a website where the user is prompted to download and open a file to obtain more information about the legal issue, whether a copyright violation or a legal investigation. If the link is clicked and the downloaded file is executed, ResolverRAT is launched through DLL side-loading: the executable is a legitimate application that loads an attacker-supplied DLL placed alongside it, and that DLL decrypts and runs the RAT in memory. The campaign has been conducted in multiple countries, with the lures written in the languages predominantly spoken in those countries: English, Italian, Czech, Turkish, Portuguese, Indonesian, and Hindi.

While considerable effort has been put into making the malware highly stealthy to evade security solutions, the delivery mechanism, phishing email, is where infections can be blocked. It is important to use a combination of measures against campaigns such as this. That starts with an advanced spam filtering service to stop the phishing emails before they reach end users. SpamTitan, a cloud-based anti-spam service from TitanHQ, performs reputation checks on senders, uses greylisting to identify large email runs indicative of spam, phishing, and malware distribution, subjects message bodies and headers to in-depth analysis, analyzes embedded URLs and their destinations, and uses email sandboxing to securely analyze message content.

Microsoft 365 users should consider augmenting Microsoft’s email security features with a third-party, dedicated anti-phishing solution. PhishTitan from TitanHQ is an anti-phishing and phishing remediation solution that improves phishing and malware detection rates for Microsoft 365, adds email banners to alert users to emails from external addresses, protects against malicious links in emails, and incorporates tools to allow malicious emails to be rapidly remediated across the entire email system. In independent tests, these solutions have been shown to block 100% of malware and in excess of 99.99% of phishing emails.

A web filter is also recommended to protect against redirects to malicious websites and block malware downloads from the Internet, adding an extra layer to your security defenses. It is also important to provide regular security awareness training to employees to show them how to identify the signs of phishing, condition them to report potential threats to their security team, and teach security best practices. Training should also be reinforced by using a phishing simulator to conduct phishing simulations internally.

Give the TitanHQ team a call today for more information on improving your defenses against phishing and malware infections to block sophisticated malware threats, including improving protection for Microsoft 365 environments. All TitanHQ solutions are available on a free trial and have been developed from the ground up to meet the needs of MSPs to help them better protect their clients against the ever-evolving cyber threat landscape.