New ResolverRAT malware targets healthcare and pharma orgs worldwide

by CybrGPT

Distributed via phishing emails, the DLL side-loaded malware’s payload is executed only in memory and uses sophisticated detection evasion and anti-analysis techniques.


Security researchers have observed a new malware payload deployed in attacks against the healthcare and pharmaceutical sectors. Dubbed ResolverRAT, the remote access Trojan features in-memory execution and sophisticated anti-analysis and payload encryption techniques.

ResolverRAT has been distributed through phishing emails with malicious attachments that use fear-based lures mentioning copyright infringement, various legal violations, and ongoing investigations. The emails are localized in multiple languages, including English, Hindi, Italian, Indonesian, Turkish, Portuguese, and Czech, indicating the global scale of the campaign.

“While recent reports by Check Point and Cisco Talos have attributed similar phishing infrastructure and delivery mechanisms to campaigns distributing Rhadamanthys and Lumma respectively, the RAT observed in Morphisec Threat Labs’ incident investigations appears to be previously undocumented,” Morphisec researchers wrote in their report released Monday. “Despite clear overlaps in payload delivery, email lure themes, and even binary reuse, this variant introduces a distinct loader and payload architecture that warranted classification as a new malware family.”

Memory-only execution

The phishing emails carry ZIP attachments that contain a legitimate binary called hpreader.exe, part of an application called Haihaisoft PDF Reader. This executable is vulnerable to DLL side-loading: it tries to load a DLL with a specific name from the directory it is run from.

Attackers exploit DLL side-loading issues to load malicious code in memory through a legitimate file that’s unlikely to be flagged by security software as malware. In this case, the attackers placed a malicious DLL file in the same directory that would then be automatically loaded and executed by hpreader.exe.
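One way a defender can hunt for the side-loading step described above is to check image-load telemetry (Sysmon Event ID 7) for DLLs that a process loads from its own, user-writable directory and that carry no valid signature. The following is an added example, not Morphisec's or Sysmon's code; the events are constructed, and the DLL file name is a placeholder because the article does not name the side-loaded DLL.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoaded) records."""
from pathlib import PureWindowsPath

# Constructed sample records using Sysmon ID 7 field names; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\notice\hpreader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\notice\hpreader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\notice\PLACEHOLDER_sideloaded.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Haihaisoft\hpreader.exe",
     "ImageLoaded": r"C:\Program Files\Haihaisoft\PLACEHOLDER_vendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Directories an ordinary user can write to; a side-loaded DLL usually lives here.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")


def is_sideload_candidate(event):
    """Return a reason string if the load looks like DLL side-loading, else None."""
    proc = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return None
    # Side-loading means the DLL is picked up from the executable's own directory.
    if str(dll.parent).lower() != str(proc.parent).lower():
        return None
    reasons = []
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if any(m in str(dll.parent).lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("loaded from user-writable directory")
    return "; ".join(reasons) if reasons else None


def scan(events):
    """Return [(process, dll, reason)] for every suspicious load in events."""
    hits = []
    for ev in events:
        reason = is_sideload_candidate(ev)
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for proc, dll, why in scan(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {proc} loaded {dll} ({why})")
```

The signed vendor DLL in the install directory passes, while the unsigned DLL next to a copy of hpreader.exe in a Downloads folder is flagged on both counts.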

On execution, this first-stage malicious code acts as a loader, decrypting and executing the next payload, which is encrypted with AES-256 encryption. Its keys are stored as obfuscated integers that are decoded when the code is run.

ResolverRAT is written in .NET and uses a technique called .NET resource resolver hijacking, which leverages a .NET runtime mechanism to run entirely in memory without ever writing resources to disk. The goal is to evade detection techniques that monitor file and Win32 API operations.

“By registering a custom handler for ResourceResolve events, the malware can intercept legitimate resource requests and return malicious assemblies instead,” the researchers explained. “This elegant technique achieves code injection without modifying the PE header or employing suspicious API calls that might trigger security solutions.”

Another technique employed by the malware is control flow flattening, which is meant to make static code analysis much harder by implementing a complicated state machine with hundreds of states and transitions.

Examples of the anti-analysis tactics include non-sequential state transitions to confuse control flow analysis, conditional jumps based on environment checks, dead code and redundant operations to mislead disassemblers, and arithmetic operations to dynamically compute decryption keys.

Persistence and stealthy C2 communication

The new RAT employs multiple persistence strategies, including more than 20 obfuscated registry entries and files dropped in multiple folders on disk. The malware keeps a record of which persistence techniques were successful to use them as a fallback mechanism.

Communication with the command-and-control (C2) server uses TLS with a custom server certificate validation method that compares the certificate served by the server against one embedded in the malware (certificate pinning). Multiple IP addresses and port numbers are hardcoded to serve as a fallback if the primary server becomes unresponsive.

Connections to the C2 server happen at random intervals to avoid the regular beaconing pattern that network monitoring tools often detect. The communication protocol also uses data serialization to make traffic inspection more challenging. Infected systems are tracked and grouped by campaign, and each victim is assigned a unique authentication token generated by the system.
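To see why the randomized intervals described above matter, the added example below (not Morphisec's analysis code) runs two checks over a constructed connection log: a periodicity check that flags only the fixed 60-second beacon, and a volume-over-window check that still catches the jittered one. Addresses are from the 203.0.113.0/24 documentation range.

```python
"""Periodicity check vs. volume check on outbound connection logs."""
import random
import statistics
from collections import defaultdict


def build_samples(seed=7):
    """Constructed log of (timestamp_s, dst_ip): one host beacons every 60 s,
    the other waits a random 30-300 s between connections."""
    rng = random.Random(seed)
    log, t = [], 0.0
    for _ in range(40):
        t += 60.0
        log.append((t, "203.0.113.10"))
    t = 0.0
    for _ in range(40):
        t += rng.uniform(30, 300)
        log.append((t, "203.0.113.20"))
    return sorted(log)


def _times_by_dst(log):
    by_dst = defaultdict(list)
    for ts, dst in log:
        by_dst[dst].append(ts)
    return {d: sorted(t) for d, t in by_dst.items()}


def periodic_beacons(log, max_cv=0.1):
    """Destinations whose inter-connection gaps are near-constant (low coefficient
    of variation). Jittered beacons escape this check."""
    hits = []
    for dst, times in _times_by_dst(log).items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
                hits.append(dst)
    return sorted(hits)


def persistent_destinations(log, window_s=3600.0, min_connections=10):
    """Destinations contacted at least min_connections times inside some window_s
    span; a complementary check that ignores timing regularity."""
    hits = []
    for dst, times in _times_by_dst(log).items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:
                start += 1
            if end - start + 1 >= min_connections:
                hits.append(dst)
                break
    return sorted(hits)
```

Any ten consecutive connections of the jittered host span at most 2,700 seconds, so the one-hour window check is guaranteed to flag it even though the periodicity check does not.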

“The alignment in payload delivery mechanisms, artifact reuse, and lure themes indicates a possible overlap in threat actor infrastructure or operational playbooks, potentially pointing to a shared affiliate model or coordinated activity among related threat groups,” the Morphisec researchers said.
