Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
CONSPRCY | How big is your tinfoil hat? | 2,445 messages

Message 1,280 of 2,445
Mike Powell to All
Sophisticated new Resolve
15 Apr 25 14:36:00
TZUTC: -0500
MSGID: 1013.consprcy@1:2320/105 2c63f38c
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1

Sophisticated new ResolverRAT malware targeting healthcare and pharmaceutical sectors

Date:
Tue, 15 Apr 2025 16:11:00 +0000

Description:
The RAT loads in memory only and tries hard to persist on infected endpoints.

FULL STORY

There is a brand new Remote Access Trojan (RAT) making rounds on the internet, infecting organizations around the world working in healthcare and pharmacy.

Cybersecurity researchers Morphisec Labs named it ResolverRAT, and while it comes with advanced obfuscation and stealth evasion techniques, its distribution is rather ordinary.

The attack starts with the usual phishing email, scaring the victim into making a rash, reckless decision. The attackers localize the emails, in an attempt to improve infection rates, but are still casting a relatively wide net. With that in mind, the researchers found phishing emails in Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian.

The attachment is being deployed via side-loaded DLL files which, if triggered, drop a loader directly into the memory. The loader, in turn, deploys the final malware payload - also only in memory.

But that's not the only way ResolverRAT tries to fly under the radar. It uses both encryption and compression and goes the extra mile to persist on the target endpoints.

"The ResolverRAT's initialization sequence reveals a sophisticated, multi-stage bootstrapping process engineered for stealth and resilience," the researchers said, adding that it "implements multiple redundant persistence methods" through Windows Registry.

Ultimately, ResolverRAT installs itself in different locations across the computer.

Other notable features include using certificate-based authentication to bypass root authorities, an IP rotation system to connect to different C2 servers, certificate pinning, source code obfuscation, and more.

"This advanced C2 infrastructure demonstrates the advanced capabilities of the threat actor, combining secure communications, fallback mechanisms, and evasion techniques designed to maintain persistent access while evading detection by security monitoring systems," Morphisec said.

The last time the campaign was observed in the wild was in mid-March this year, which could suggest that it's still ongoing.

The threat actors deploying ResolverRAT could be the same ones dropping Lumma and Rhadamanthys, since the same deployment mechanisms were seen in all cases. It could also mean that the groups were simply using the same phishing kit.

Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/sophisticated-new-resolverrat-targeting-healthcare-and-pharmaceutical-sectors

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426
(c) 1994, bbs@darkrealms.ca