- Security researchers have spotted a new remote access trojan called ResolverRAT
- It is delivered with advanced obfuscation and persistence mechanisms
- It targets healthcare and pharmaceutical organizations around the world
There is a brand new remote access trojan (RAT) making the rounds on the internet, infecting healthcare and pharmaceutical organizations around the world.
Researchers at cybersecurity firm Morphisec Labs have named it ResolverRAT, and although it is delivered with advanced obfuscation and evasion techniques, its distribution is rather ordinary.
The attack begins with the usual phishing email, frightening the victim into making a rash decision. The attackers localize the emails to improve infection rates, but still cast a relatively wide net: the researchers found phishing emails in Hindi, Italian, Czech, Turkish, Portuguese and Indonesian.
Social engineering
The attachment is deployed via DLL side-loading; when triggered, it drops a loader directly into memory. The loader, in turn, deploys the final malware payload, again only in memory.
But that is not the only way ResolverRAT tries to stay under the radar. It uses both encryption and compression, and makes an extra effort to persist on target endpoints.
“The ResolverRAT initialization sequence reveals a sophisticated multi-stage bootstrapping process designed for stealth and resilience,” the researchers said, adding that it “implements multiple redundant persistence methods” through the Windows Registry.
In the end, ResolverRAT installs itself in several places on the machine.
Other notable features include certificate-based authentication that bypasses root certificate authorities, an IP rotation system for connecting to different C2 servers, certificate pinning, source-code obfuscation, and more.
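The redundant registry persistence described above is the kind of behaviour a defender can hunt for: a single process writing to several distinct autorun locations in a short span is unusual for legitimate software. The following is an added example written for this page, not Morphisec's code or anything recovered from ResolverRAT. It parses constructed Sysmon Event ID 13 (RegistryEvent, value set) records in an assumed key="value" text layout, classifies each written key as an autorun location (Run, RunOnce, Winlogon Shell/Userinit, Startup shell folder) per hive, and reports any process image that has planted entries in two or more of them. The sample events, image paths and SIDs are made up for the demonstration.

```python
"""Flag processes that plant redundant autorun entries in the Windows registry.

Added example (not Morphisec's or ResolverRAT's code). Consumes constructed
Sysmon Event ID 13 records, counts the distinct autorun locations written by
each process image, and reports those that exceed a threshold.
"""
import re
from collections import defaultdict

# Assumed log layout: ISO timestamp, then EventID=N, then key="value" fields.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
EVENT_ID_RE = re.compile(r"\bEventID=(\d+)\b")

# Registry autorun locations commonly abused for persistence. Patterns match the
# tail of a Sysmon TargetObject; the hive prefix (HKLM/HKU) is handled separately
# so the same key under two hives counts as two distinct locations.
AUTORUN_LOCATIONS = {
    "Run": re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE),
    "RunOnce": re.compile(r"\\CurrentVersion\\RunOnce\\[^\\]+$", re.IGNORECASE),
    "Winlogon": re.compile(r"\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.IGNORECASE),
    "StartupFolder": re.compile(r"\\Explorer\\(User )?Shell Folders\\Startup$", re.IGNORECASE),
}

# Constructed sample events (hypothetical paths and SIDs). msiexec writes one
# Run key (benign); sync.exe in AppData writes three different autorun
# locations across two hives; explorer.exe touches an unrelated key.
SAMPLE_EVENTS = [
    r'2025-03-14T10:02:11Z EventID=13 Image="C:\Windows\System32\msiexec.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent" Details="C:\Program Files\Vendor\agent.exe"',
    r'2025-03-14T10:05:40Z EventID=13 Image="C:\Users\alice\AppData\Roaming\sync\sync.exe" TargetObject="HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\SyncHelper" Details="C:\Users\alice\AppData\Roaming\sync\sync.exe"',
    r'2025-03-14T10:05:41Z EventID=13 Image="C:\Users\alice\AppData\Roaming\sync\sync.exe" TargetObject="HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\SyncHelper" Details="C:\Users\alice\AppData\Roaming\sync\sync.exe"',
    r'2025-03-14T10:05:42Z EventID=13 Image="C:\Users\alice\AppData\Roaming\sync\sync.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" Details="C:\Windows\system32\userinit.exe,C:\Users\alice\AppData\Roaming\sync\sync.exe"',
    r'2025-03-14T10:06:03Z EventID=13 Image="C:\Windows\explorer.exe" TargetObject="HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx" Details="Binary Data"',
    r'2025-03-14T10:06:10Z EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe"',
]


def parse_event(line):
    """Return the event's fields as a dict (EventID as int), or None if unparseable."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["EventID"] = int(m.group(1))
    return fields


def classify_autorun(target_object):
    """Map a registry path to 'HIVE:Location', or None if it is not an autorun key."""
    hive = target_object.split("\\", 1)[0].upper()
    for label, pattern in AUTORUN_LOCATIONS.items():
        if pattern.search(target_object):
            return f"{hive}:{label}"
    return None


def find_redundant_persistence(lines, threshold=2):
    """Return {image: sorted autorun locations} for images writing >= threshold locations."""
    locations = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["EventID"] != 13:
            continue
        loc = classify_autorun(ev.get("TargetObject", ""))
        if loc:
            locations[ev.get("Image", "<unknown>")].add(loc)
    return {img: sorted(locs) for img, locs in locations.items() if len(locs) >= threshold}


if __name__ == "__main__":
    for image, locs in find_redundant_persistence(SAMPLE_EVENTS).items():
        print(f"redundant persistence: {image} -> {', '.join(locs)}")
```

In production the threshold and the set of monitored keys should be tuned to the environment, and known installers (here msiexec, which only writes one location and is not flagged) should be allowlisted so that update frameworks writing both Run and RunOnce do not drown out real hits; image paths under user-writable directories such as AppData are the stronger signal to escalate first.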
“This advanced C2 infrastructure demonstrates the threat actor's advanced capabilities, combining secure communications, fallback mechanisms and evasion techniques designed to maintain persistent access while evading detection by security monitoring systems,” Morphisec said.
The campaign was last observed in the wild in mid-March this year, which suggests it may still be underway.
The threat actors deploying ResolverRAT could be the same people dropping Lumma and Rhadamanthys, since the same deployment mechanisms have been observed in all cases. It could also simply mean that the groups are using the same phishing kit.
Via The Hacker News