Key points:
- Indonesia is directly targeted through localized phishing emails written in Indonesian, indicating specific intent to breach Indonesian systems, especially in the healthcare and pharmaceutical sectors.
- A new sophisticated remote access trojan (RAT) called ResolverRAT was discovered targeting healthcare and pharmaceutical organizations via phishing campaigns.
- Phishing emails use fear-based lures (e.g., legal or copyright issues) and are localized in multiple languages, including Indonesian, to increase user engagement.
- ResolverRAT uses DLL side-loading, in-memory execution, certificate-based authentication, and redundant persistence methods to avoid detection and maintain access.
- It features advanced evasion capabilities, including IP rotation, encryption, source code obfuscation, and certificate pinning.
- The malware breaks exfiltrated data into small chunks (16 KB) to avoid detection during transmission.
- Though not yet attributed to a specific actor, it shares tactics and infrastructure with known phishing campaigns involving Lumma and Rhadamanthys.
- Another threat, Neptune RAT, is being distributed via GitHub, Telegram, and YouTube, and is capable of ransomware attacks, password theft, MBR overwrite, and crypto clipping.
- Neptune RAT is modular and includes live desktop monitoring and data exfiltration from 270+ apps, posing a significant risk to users and organizations.
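The summary notes that ResolverRAT sends exfiltrated data in small 16 KB chunks. The script below is an added detection example, not code from the original report or from any product: it groups outbound flow records by source and destination and flags pairs that send many near-identical, chunk-sized payloads within a short window. The 16 KB figure comes from the summary; the flow records are constructed sample data, and the tolerance, minimum count and window are assumed thresholds a team would tune against its own baseline.

```python
"""Flag outbound flows that look like fixed-size chunked uploads.

Constructed example. The 16 KB chunk size is taken from the ResolverRAT
summary; the tolerance, minimum count and time window below are assumptions
chosen for illustration, and SAMPLE_FLOWS is constructed data, not captured
traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

CHUNK_SIZE = 16 * 1024   # 16 KB, as stated in the summary
TOLERANCE = 512          # assumption: allow some framing/protocol overhead per chunk
MIN_CHUNKS = 8           # assumption: fewer repeats are not worth an alert on their own
WINDOW_SECONDS = 120     # assumption: the repeats must fall within this span


@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds
    src: str         # internal host
    dst: str         # external peer
    bytes_out: int   # payload bytes sent by src in this flow


def is_chunk_sized(n):
    """True when a payload is within TOLERANCE of the 16 KB chunk size."""
    return abs(n - CHUNK_SIZE) <= TOLERANCE


def find_chunked_uploads(flows):
    """Return {(src, dst): count} for pairs that sent MIN_CHUNKS or more
    chunk-sized payloads inside a WINDOW_SECONDS sliding window."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_chunk_sized(f.bytes_out):
            by_pair[(f.src, f.dst)].append(f.ts)

    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        left = 0
        best = 0
        # sliding window: widest run of timestamps spanning <= WINDOW_SECONDS
        for right in range(len(stamps)):
            while stamps[right] - stamps[left] > WINDOW_SECONDS:
                left += 1
            best = max(best, right - left + 1)
        if best >= MIN_CHUNKS:
            hits[pair] = best
    return hits


# Constructed sample: 10.0.0.5 streams twelve ~16 KB payloads to one peer;
# 10.0.0.9 shows ordinary mixed-size browsing with only two chunk-sized flows.
SAMPLE_FLOWS = (
    [Flow(1000.0 + i * 2, "10.0.0.5", "203.0.113.7", 16384 + (i % 3) * 40)
     for i in range(12)]
    + [Flow(1000.0 + i * 5, "10.0.0.9", "198.51.100.2", size)
       for i, size in enumerate([300, 1200, 16400, 820, 45000, 16380])]
)

if __name__ == "__main__":
    for (src, dst), n in find_chunked_uploads(SAMPLE_FLOWS).items():
        print(f"possible chunked upload: {src} -> {dst}, {n} chunk-sized payloads")
```

Chunk size alone is a weak signal, so the heuristic only fires on repetition to one destination inside a short window; in practice the hit would be enriched with destination reputation and the sending process before anyone acts on it.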
What the Indonesian Government and Related Institutions Should Do:
- Strengthen cybersecurity defenses in healthcare and pharmaceutical sectors, which are primary targets of ResolverRAT.
- Monitor for phishing campaigns using localized Indonesian content, especially those involving fear-based lures.
- Instruct national CERT and BSSN to issue alerts about ResolverRAT and Neptune RAT indicators of compromise (IOCs), and provide technical mitigations to public and private entities.
- Audit systems for abuse of DLL side-loading techniques and ensure behavior-based detection is implemented in endpoint protection tools.
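The audit step above calls for checking systems for DLL side-loading abuse. The script below is an added example of how such a triage could be scored, not code from the original report or from any vendor: it takes image-load records (the fields mirror what an EDR or Sysmon "Image loaded" event carries, but the field names, the sample records and the small set of system DLL names are all constructed assumptions) and scores the classic pattern of a signed executable loading an unsigned, same-named-as-system DLL from its own directory.

```python
"""Score image-load records for DLL side-loading candidates.

Constructed example. ImageLoad mirrors the fields an endpoint sensor's
"image loaded" event typically provides, but the field names, the sample
events and SYSTEM_DLL_NAMES are assumptions, not any product's schema. In
a real audit SYSTEM_DLL_NAMES would be built from an inventory of
%SystemRoot%\\System32 rather than hard-coded.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Assumed subset of names that live in System32; a DLL of the same name placed
# beside an executable "shadows" the system copy for that process.
SYSTEM_DLL_NAMES = frozenset({"version.dll", "userenv.dll", "cryptbase.dll"})


@dataclass(frozen=True)
class ImageLoad:
    process_image: str    # full path of the process executable
    process_signed: bool  # executable carries a valid Authenticode signature
    process_signer: str   # signer name, "" when unsigned
    dll_path: str         # full path of the module that was loaded
    dll_signed: bool
    dll_signer: str


def _norm(path):
    return PureWindowsPath(path.lower())


def in_system_dir(path):
    return any(str(path).startswith(d) for d in SYSTEM_DIRS)


def score_sideload(ev, system_dll_names=SYSTEM_DLL_NAMES):
    """Return (score, reasons). 0 means the adjacent-DLL pattern is absent."""
    exe = _norm(ev.process_image)
    dll = _norm(ev.dll_path)
    reasons = []

    # The heuristic requires the DLL to sit next to the executable, outside a
    # system directory; loads from System32 itself are not side-loading.
    if dll.parent != exe.parent or in_system_dir(dll):
        return 0, reasons
    score = 1
    reasons.append("dll loaded from the executable's own directory outside a system path")

    if ev.process_signed and not ev.dll_signed:
        score += 2
        reasons.append("signed host process loaded an unsigned dll")
    elif ev.process_signed and ev.dll_signed and ev.dll_signer != ev.process_signer:
        score += 1
        reasons.append("dll signer differs from host process signer")

    if dll.name in system_dll_names:
        score += 2
        reasons.append("dll name shadows a system dll")
    return score, reasons


def audit(events, threshold=3, system_dll_names=SYSTEM_DLL_NAMES):
    """Return [(process_image, dll_path, score, reasons)] at or above threshold."""
    findings = []
    for ev in events:
        score, reasons = score_sideload(ev, system_dll_names)
        if score >= threshold:
            findings.append((ev.process_image, ev.dll_path, score, reasons))
    return findings


# Constructed sample events (paths and signer names are made up).
SAMPLE_EVENTS = [
    # signed executable in a user-writable folder loading an unsigned version.dll beside it
    ImageLoad(r"C:\Users\Public\Downloads\updater.exe", True, "Example Vendor Ltd",
              r"C:\Users\Public\Downloads\version.dll", False, ""),
    # application loading its own signed plugin from its install directory
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", True, "Example Vendor Ltd",
              r"C:\Program Files\ExampleApp\plugin.dll", True, "Example Vendor Ltd"),
    # the normal case: the system copy of version.dll
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", True, "Example Vendor Ltd",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    # unsigned tool with an unsigned helper; no shadowing, low score
    ImageLoad(r"C:\Tools\tool.exe", False, "",
              r"C:\Tools\helper.dll", False, ""),
]

if __name__ == "__main__":
    for image, dll, score, reasons in audit(SAMPLE_EVENTS):
        print(f"[{score}] {image} loaded {dll}: " + "; ".join(reasons))
```

The score is additive so that a benign vendor plugin (same signer, non-system name) stays below the threshold while the unsigned, system-name-shadowing load from a user-writable folder rises well above it; the threshold and the weights are starting points to tune against an environment's own installed software.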
What Indonesian Citizens Should Know and Do:
- Be wary of emails or messages in Indonesian that create urgency, especially those claiming legal violations or copyright issues.
- Avoid downloading or opening files from unknown links, particularly in emails using fear-inducing language.
- Regularly update antivirus/antimalware software and run system scans, especially for those working in or interacting with healthcare-related digital services.
Read more:
https://www.hendryadrian.com/resolverrat-campaign-targets-healthcare-pharma-via-phishing-and-dll-side-loading/