ResolverRAT: A New Threat Targeting Healthcare and Pharma

ResolverRAT is a recently discovered remote access trojan (RAT) that is actively attacking pharmaceutical and healthcare institutions worldwide.

It allows attackers to take control of infected systems, steal sensitive information, and potentially disrupt critical services.

What exactly is ResolverRAT?

Before we proceed, we need to understand what a RAT is in the computing world. A RAT (Remote Access Trojan) is a type of malware that attackers use to secretly control an infected computer remotely. Unlike legitimate remote-access tools (such as TeamViewer or AnyDesk), RATs are stealthy, harmful, and used for cybercrime. After infecting a system, a RAT creates a backdoor through which the attacker can monitor user activity, steal data, install software, and potentially use the infected machine for further malicious activity. Learn more about RATs at https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-remote-access-trojan.

ResolverRAT was first identified in early 2020 by cybersecurity researchers analyzing malware samples from targeted attacks in South Asia (particularly India and Pakistan). The creator of this malware is still unknown.

How it is delivered to the target:

The malware is typically delivered through spear-phishing emails containing malicious attachments or links. These emails are crafted in such a way that they appear legitimate and trustworthy. Once the email is opened and the malicious link or attachment is clicked, the malware infects the system.

ResolverRAT makes use of a technique called DLL side-loading, in which a malicious DLL file is placed in the directory of a legitimate application. When the application runs, it loads the malicious DLL along with it. In this way the malware evades traditional antivirus detection by appearing to be part of a trusted process.

ResolverRAT also spreads through fake software cracks and keygens, usually downloaded from shady websites. When users download and run these cracks, they unknowingly execute the malware along with the software, giving attackers remote control over the infected computer.

Why Healthcare and Pharma?

Healthcare and pharma are two sectors that hold sensitive information like no other. Compromising them can expose a great deal of valuable information, such as patient data, drug research, clinical trial results, intellectual property, and proprietary formulations.

Disruption of healthcare services can be devastating for a country. Bad actors can use this malware to compromise critical medical systems, steal sensitive patient data, manipulate diagnoses, and cause operational paralysis in hospitals, leading to delayed treatments, loss of life, and widespread public fear.

Indicators of Compromise (IOCs)

After infecting a system, ResolverRAT connects to external C2 servers, logs keystrokes, captures screenshots, and may enable lateral movement across networks.

Anomalies to look out for:

  • Unusual DLL loads
  • Suspicious outbound traffic
  • Unauthorized remote desktop connections

Mitigation Techniques

  • Educate staff to identify phishing attempts quickly and accurately.
  • Use application whitelisting so that only approved applications can run.
  • Deploy advanced endpoint protection to block sophisticated threats.
  • Monitor systems for suspicious DLL injection behavior.
  • Perform regular security audits to detect and fix vulnerabilities.
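
The "unusual DLL loads" indicator and the "monitor for suspicious DLL injection behavior" mitigation above can be turned into a concrete check. The following script is an added example, not code from the original post or from Morphisec's analysis: it scans Sysmon Event ID 7 (ImageLoad) records for two patterns typical of DLL side-loading, a DLL whose name normally lives in the Windows system directories being loaded from somewhere else, and an unsigned DLL loaded from the same user-writable directory as the process that loaded it. The list of system DLL names, the directory prefixes and the sample records are all constructed assumptions for the demonstration.

```python
import ntpath

# Constructed, deliberately short list of DLL names that normally live in the
# Windows system directories. A production version would be generated from a
# known-good host inventory rather than hard-coded here.
SYSTEM_DLLS = {"version.dll", "cryptsp.dll", "dwmapi.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed set of paths an ordinary user can write to (also a constructed list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def sideload_reason(event):
    """Return why a Sysmon Event ID 7 record looks like side-loading, or None."""
    image = event["ImageLoaded"].lower()
    process = event["Image"].lower()
    name = ntpath.basename(image)
    # Pattern 1: a system DLL name resolved from outside System32/SysWOW64.
    if name in SYSTEM_DLLS and not image.startswith(SYSTEM_DIRS):
        return "system DLL name loaded from outside the system directories"
    # Pattern 2: an unsigned DLL sitting next to its host in a user-writable path.
    if (event["Signed"].lower() == "false"
            and ntpath.dirname(image) == ntpath.dirname(process)
            and image.startswith(USER_WRITABLE)):
        return "unsigned DLL loaded from its host's own user-writable directory"
    return None

def scan(events):
    """Return [(Image, ImageLoaded, reason)] for every suspicious load."""
    return [(e["Image"], e["ImageLoaded"], r)
            for e in events if (r := sideload_reason(e))]

# Constructed sample records, using the field names Sysmon reports.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\viewer\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\viewer\version.dll",
     "Signed": "false"},
    {"Image": r"C:\ProgramData\updater\update.exe",
     "ImageLoaded": r"C:\ProgramData\updater\helper.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for image, loaded, reason in scan(SAMPLE_EVENTS):
        print(f"{image} <- {loaded}: {reason}")
```

The last sample record is unsigned and loaded beside its host but from Program Files, which is not user-writable, so it is left alone; tightening or loosening the prefix lists is where tuning for a given estate happens.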

As cyberattacks become more targeted and sophisticated, it's high time for healthcare and pharmaceutical organizations to strengthen their defenses, adopt a Zero Trust model, and stay informed about emerging threats like ResolverRAT.

Learn more technical details at https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/.
