By Bill Toulas

A new remote access trojan (RAT) called 'ResolverRAT' is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors.

The previously undocumented malware was discovered by Morphisec, who noted that the same phishing infrastructure was documented in recent reports by Check Point and Cisco Talos.

ResolverRAT is distributed through phishing emails claiming to be legal or copyright violations, tailored to languages that match the target's country. Morphisec observed phishing attacks in Italian, Czech, Hindi, Turkish, Portuguese, and Indonesian, so the malware has a global operational scope that could be expanded to include more countries.

The emails contain a link to download a legitimate executable ('hpreader.exe'), which is leveraged to inject ResolverRAT into memory using reflective DLL loading.

ResolverRAT is a stealthy threat that runs entirely in memory, and it also abuses .NET 'ResourceResolve' events to load malicious assemblies without performing API calls that could be flagged as suspicious.

"This resource resolver hijacking represents malware evolution at its finest – utilizing an overlooked .NET mechanism to operate entirely within managed memory, circumventing traditional security monitoring focused on Win32 API and file system operations," describes Morphisec.

The researchers report that ResolverRAT uses a complex state machine to obfuscate control flow and make static analysis extremely difficult, and that it detects sandbox and analysis tools by fingerprinting resource requests.

ResolverRAT attempts to connect to its command-and-control server at scheduled callbacks with random intervals, to evade detection based on irregular beaconing patterns.

Every command sent by the operators is handled in a dedicated thread, enabling parallel task execution while ensuring failed commands don't crash the malware.

Though Morphisec doesn't delve into the commands ResolverRAT supports, it mentions data exfiltration capabilities with a chunking mechanism for large data transfers. Before sending each chunk, ResolverRAT checks if the socket is ready to write, preventing errors from congested or unstable networks.
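The jittered callback schedule described above is aimed at simple "same gap every time" beacon detectors. The following Python script is an added example, not code from Morphisec or BleepingComputer and not a ResolverRAT signature: it is a generic beaconing heuristic that groups outbound connections by (source, destination), measures the gaps between them, and flags pairs whose gaps are regular enough (low coefficient of variation) to look scheduled even after random jitter is added. The log format, the sample lines and the thresholds (six connections, CV at most 0.3) are constructed assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (not real telemetry). Format assumed here:
# "<ISO timestamp> <src> -> <dst>:<port>". Host 10.0.0.5 calls out roughly every
# five minutes with +/- 45 s of jitter; host 10.0.0.9 has irregular, bursty traffic.
SAMPLE_LOG = """\
2025-04-14T10:00:00 10.0.0.5 -> 203.0.113.7:443
2025-04-14T10:04:50 10.0.0.5 -> 203.0.113.7:443
2025-04-14T10:10:20 10.0.0.5 -> 203.0.113.7:443
2025-04-14T10:14:40 10.0.0.5 -> 203.0.113.7:443
2025-04-14T10:20:05 10.0.0.5 -> 203.0.113.7:443
2025-04-14T10:25:15 10.0.0.5 -> 203.0.113.7:443
2025-04-14T10:00:12 10.0.0.9 -> 198.51.100.20:443
2025-04-14T10:00:13 10.0.0.9 -> 198.51.100.20:443
2025-04-14T10:31:40 10.0.0.9 -> 198.51.100.20:443
2025-04-14T11:58:02 10.0.0.9 -> 198.51.100.20:443
2025-04-14T12:03:09 10.0.0.9 -> 198.51.100.20:443
2025-04-14T12:03:10 10.0.0.9 -> 198.51.100.20:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse_log(text):
    """Group connection timestamps by (src, dst) pair, sorted ascending."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, src, dst, _port = m.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for times in flows.values():
        times.sort()
    return flows


def intervals_seconds(times):
    """Gaps in seconds between consecutive connections."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def is_fixed_period(times, tolerance_s=1.0):
    """Naive detector: every gap equal within tolerance. Random jitter defeats this."""
    gaps = intervals_seconds(times)
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s


def interval_stats(times):
    """Mean gap and coefficient of variation (stdev / mean) of the gaps."""
    gaps = intervals_seconds(times)
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(text, min_connections=6, max_cv=0.3):
    """Flag (src, dst) pairs whose gaps are regular enough to look scheduled,
    even when a random jitter has been added to each callback."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
                "fixed_period": is_fixed_period(times),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample data, only the 10.0.0.5 flow is flagged (mean gap 303 s, CV about 0.09) and its `fixed_period` field is False, which is the point: an exact-period check misses it, while the distribution-based check still catches it. In practice the thresholds need tuning per environment, since legitimate software updaters and monitoring agents also call home on jittered schedules, so hits are a triage lead rather than a verdict.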
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 14 Apr 2025 16:40:30 +0000