Summary: A new remote access trojan (RAT) named ‘ResolverRAT’ is being used to target healthcare and pharmaceutical sectors globally through phishing emails. It employs advanced techniques to evade detection and is capable of exfiltrating data while running entirely in memory. The malware’s distribution and key functionalities mark a significant evolution in malware tactics, leveraging overlooked .NET mechanisms for its operations.
Affected: Healthcare and pharmaceutical sectors
Key points:
- ResolverRAT is distributed via phishing emails disguised as legal notices, with links to download a legitimate executable that deploys the malware.
- The malware operates stealthily in memory, utilizing .NET ResourceResolve events to load malicious assemblies without triggering standard security alerts.
- It achieves persistence by modifying Windows Registry and filesystem locations, while employing a sophisticated mechanism for data exfiltration that masks its traffic.
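The ResourceResolve point above is the one a defender can triage statically: a managed assembly that subscribes to `AppDomain.ResourceResolve` (or `AssemblyResolve`) references the event's `add_` accessor by name, and that name sits as plain ASCII in the assembly's `#Strings` metadata heap. The script below is an added example, not code from the report or from the malware; it confirms a file is a .NET image by locating the CLR runtime header in the PE data directories, then looks for those accessor names. The PE builder and the byte strings it emits are constructed here purely so the check runs offline; the marker list and the `triage` verdict names are this example's own choices, and a hit is a prompt for analyst review, not proof of malice, since legitimate resource-embedding libraries subscribe to the same events.

```python
import struct

# Metadata names that land in a managed assembly's #Strings heap when code
# attaches a handler to the corresponding AppDomain event. The add_* accessor
# names are only referenced when a handler is actually subscribed.
# (Marker list chosen for this example; extend it for your own triage.)
RESOLVE_MARKERS = (
    b"add_ResourceResolve",
    b"add_AssemblyResolve",
    b"ResolveEventHandler",
)


def clr_header_rva(data: bytes) -> int:
    """Return the RVA of the CLR runtime header (PE data directory index 14),
    or 0 if the buffer is not a PE file or carries no CLR header."""
    if len(data) < 64 or data[:2] != b"MZ":
        return 0
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if len(data) < opt + 4:
        return 0
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        dir_base, count_off = 96, 92
    elif magic == 0x20B:                     # PE32+
        dir_base, count_off = 112, 108
    else:
        return 0
    if len(data) < opt + dir_base + 15 * 8 or dir_base + 15 * 8 > size_of_opt:
        return 0
    n_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
    if n_dirs < 15:
        return 0
    rva, _size = struct.unpack_from("<II", data, opt + dir_base + 14 * 8)
    return rva


def find_resolve_hooks(data: bytes) -> list:
    """Names from RESOLVE_MARKERS that occur anywhere in the image bytes."""
    return [m.decode() for m in RESOLVE_MARKERS if m in data]


def triage(data: bytes) -> dict:
    """Heuristic verdict: managed image that references a resolve-event hook
    is flagged for review; anything else is left alone."""
    rva = clr_header_rva(data)
    hooks = find_resolve_hooks(data) if rva else []
    return {
        "managed": rva != 0,
        "resolve_hooks": hooks,
        "verdict": "review" if hooks else "no-resolve-hooks",
    }


def build_sample(managed: bool, with_hook: bool) -> bytes:
    """Constructed, minimal PE32 image for demonstration only (not a real or
    runnable binary): DOS stub, COFF header, optional header with 16 data
    directories, and a fake #Strings heap appended after the headers."""
    opt_size = 96 + 16 * 8
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew -> PE signature at 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)  # CLR header RVA/size
    strings_heap = b"\0#Strings\0Main\0"
    if with_hook:
        strings_heap += b"add_ResourceResolve\0ResolveEventHandler\0"
    return bytes(dos) + coff + bytes(opt) + strings_heap


if __name__ == "__main__":
    for label, sample in (("managed+hook", build_sample(True, True)),
                          ("managed", build_sample(True, False)),
                          ("native", build_sample(False, True))):
        print(label, triage(sample))
```

On a real file, replace `build_sample(...)` with the bytes read from disk; a `review` verdict means the image is managed and names a resolve-event accessor, which warrants looking at what the handler returns rather than treating the file as malicious outright.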