New Malware Variant Identified: ResolverRAT Enters the Maze

ResolverRAT is a newly discovered remote access trojan (RAT) that features sophisticated in-memory execution, runtime API and resource resolution, and advanced evasion techniques. Named by Morphisec researchers for its reliance on dynamic resolution mechanisms, ResolverRAT presents significant challenges for static analysis and behavior detection.

Introduction

Rhadamanthys and Lumma, the trojans documented in earlier reports by Check Point and Cisco Talos, share delivery mechanisms and phishing themes with this campaign, but ResolverRAT's distinct loader and payload architecture mark it as a separate malware family rather than a variant of either. Morphisec observed the most recent attacks on March 10, 2025, targeting healthcare and pharmaceutical organizations, which is why awareness of ResolverRAT matters now.

Technical Details

ResolverRAT's infection chain begins with social engineering. The operators send fear-based phishing emails tailored to specific regions; the lures raise alarming legal themes and push the recipient to click a malicious link, which starts the download that leads to the trojan's execution.

The phishing campaign is localized: emails are translated into the native languages of the targeted countries, which makes them considerably more convincing. Observed subject lines in several languages refer to investigations and copyright violations, showing a deliberate effort to exploit the cultural and legal context of each target.

Threat Relations & Intelligence

Delivery relies on classic DLL side-loading: a legitimate executable (hpreader.exe) known to be susceptible to DLL hijacking is placed beside a malicious DLL, so that running the benign binary loads the attacker's code. The same executable appears in other malware campaigns, which points to shared tooling or techniques among threat actors. Consistent naming in the phishing emails and the delivered archives across these campaigns likewise suggests coordinated activity between related operations.
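A detection for the side-loading pattern just described, written as an added example for this page (it is not Morphisec's code and is not taken from the report): it takes image-load telemetry, such as Sysmon Event ID 7, and flags a known host executable that loads a DLL from its own directory when that directory is not a trusted install root. hpreader.exe is the host named above; the sample events, the helper.dll name, the paths and the trusted-root list are constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageLoad is one DLL-load telemetry event (Sysmon Event ID 7 carries
// these as Image and ImageLoaded), reduced to what the check needs.
type ImageLoad struct {
	Process string // full path of the process that loaded the DLL
	Image   string // full path of the loaded DLL
}

// Finding is a flagged event together with the reason it matched.
type Finding struct {
	Event  ImageLoad
	Reason string
}

// sideloadHosts are legitimate executables known to be abused as
// side-loading hosts. hpreader.exe is the one named for ResolverRAT;
// extend the list from your own threat intelligence.
var sideloadHosts = map[string]bool{"hpreader.exe": true}

// trustedRoots are install locations a standard user cannot write to.
// Assumption for this example; adjust to the estate's software policy.
var trustedRoots = []string{`c:\program files\`, `c:\program files (x86)\`, `c:\windows\`}

// winDir and winBase split a Windows path on backslashes regardless of the
// OS this code runs on (path/filepath would split on "/" on Linux).
func winDir(p string) string {
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return ""
	}
	return p[:i+1]
}

func winBase(p string) string {
	return p[strings.LastIndex(p, `\`)+1:]
}

func underTrustedRoot(dir string) bool {
	for _, r := range trustedRoots {
		if strings.HasPrefix(dir, r) {
			return true
		}
	}
	return false
}

// CheckSideload flags the side-loading pattern: a known host executable
// loads a DLL from its own directory, and that directory is not a trusted
// install root. Loads from System32, or from a proper install under
// Program Files, are left alone.
func CheckSideload(ev ImageLoad) (Finding, bool) {
	proc := strings.ToLower(ev.Process)
	dll := strings.ToLower(ev.Image)
	if !sideloadHosts[winBase(proc)] || !strings.HasSuffix(dll, ".dll") {
		return Finding{}, false
	}
	dir := winDir(proc)
	if winDir(dll) != dir || underTrustedRoot(dir) {
		return Finding{}, false
	}
	reason := fmt.Sprintf("%s loaded %s from its own directory %s, outside any trusted install root",
		winBase(proc), winBase(dll), dir)
	return Finding{Event: ev, Reason: reason}, true
}

// Scan runs the check over a batch of events and returns the findings.
func Scan(events []ImageLoad) []Finding {
	var out []Finding
	for _, ev := range events {
		if f, ok := CheckSideload(ev); ok {
			out = append(out, f)
		}
	}
	return out
}

// SampleEvents are constructed for this example; the paths and the DLL
// name are illustrative, not indicators from the report.
func SampleEvents() []ImageLoad {
	dl := `C:\Users\ana\Downloads\Case_Documents\`
	pf := `C:\Program Files\PDF Reader\`
	return []ImageLoad{
		{dl + "hpreader.exe", dl + "helper.dll"},                             // side-load from a user-writable folder
		{dl + "hpreader.exe", `C:\Windows\System32\kernel32.dll`},            // normal system DLL
		{pf + "hpreader.exe", pf + "helper.dll"},                             // same application, proper install
		{`C:\Windows\System32\notepad.exe`, `C:\Windows\System32\helper.dll`}, // not a known host
	}
}

func main() {
	for _, f := range Scan(SampleEvents()) {
		fmt.Println("ALERT:", f.Reason)
	}
}
```

Only the first sample event is flagged. The rule is deliberately narrow; a looser variant that alerts whenever a listed host executable starts from a user-writable path catches more at the cost of noise. Paths should be canonicalized before the prefix comparison if they come from a source that does not already normalize them.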

In-Memory Loader and Core Architecture

ResolverRAT runs from an in-memory loader that decrypts, loads and executes the payload while applying a range of anti-analysis checks. The architecture is deliberately layered: the payload is protected by AES-256 encryption and further obfuscation, and the decrypted payload exists only in memory after the loader reconstructs it; no decrypted copy is written to disk.

The obfuscation is unusual in that strings are stored as numbers and decoded only at runtime, so a static string dump of the binary yields nothing useful. Combined with the encryption and compression layers, this keeps the payload opaque to static analysis until the loader has rebuilt it in memory.
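To make the layering concrete, here is an added example (not the malware's code, and not from the report) of the decode-decrypt-decompress chain such a loader runs: key material and a resource name are held as integer arrays and turned back into bytes and strings only at runtime, the stored blob is AES-256 decrypted and then gunzipped, and the result is only ever a byte slice in memory. The page states AES-256, numeric string storage and compression; CBC mode, PKCS#7 padding, gzip, the integer encoding and every key and payload value are assumptions chosen for the example. The Pack function exists only so the example can build its own sample blob.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"io"
)

// Numeric string storage (assumed encoding): each character is kept as an
// integer code point and the string is rebuilt only when it is needed.
func decodeNumeric(vals []int) string {
	r := make([]rune, len(vals))
	for i, v := range vals {
		r[i] = rune(v)
	}
	return string(r)
}

// decodeNumericBytes does the same for raw key material.
func decodeNumericBytes(vals []int) []byte {
	b := make([]byte, len(vals))
	for i, v := range vals {
		b[i] = byte(v)
	}
	return b
}

// Constructed values for this example: a 32-byte AES-256 key, a 16-byte IV
// and a resource name, all stored as integer arrays rather than literals.
var keyNums = []int{201, 14, 77, 3, 190, 58, 22, 131, 9, 244, 66, 120, 87, 33, 175, 208,
	41, 99, 156, 7, 213, 64, 118, 29, 251, 82, 140, 17, 96, 183, 50, 229}
var ivNums = []int{5, 160, 73, 211, 38, 94, 127, 16, 202, 61, 145, 88, 230, 12, 109, 177}
var resourceNameNums = []int{'p', 'a', 'y', 'l', 'o', 'a', 'd', '.', 'b', 'i', 'n'}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("data is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Pack builds a blob the way a packer would: gzip the payload, then
// AES-256-CBC encrypt it. Present only to make the example self-contained.
func Pack(key, iv, payload []byte) ([]byte, error) {
	var zb bytes.Buffer
	zw := gzip.NewWriter(&zb)
	if _, err := zw.Write(payload); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := pkcs7Pad(zb.Bytes())
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out, nil
}

// Unpack is the loader-side chain: decrypt, strip padding, decompress.
// The recovered stage lives only in the returned slice; nothing touches disk.
func Unpack(key, iv, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not block aligned")
	}
	plain := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, blob)
	unpadded, err := pkcs7Unpad(plain)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(unpadded))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// SamplePayload stands in for the encrypted stage; constructed text, not malware.
const SamplePayload = "constructed sample payload: stage-2 bytes would be here"

// RoundTrip packs the sample payload and runs it back through the loader
// chain, returning the recovered bytes as a string.
func RoundTrip() (string, error) {
	key := decodeNumericBytes(keyNums)
	iv := decodeNumericBytes(ivNums)
	blob, err := Pack(key, iv, []byte(SamplePayload))
	if err != nil {
		return "", err
	}
	out, err := Unpack(key, iv, blob)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	fmt.Println("resource name decoded at runtime:", decodeNumeric(resourceNameNums))
	out, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes in memory: %q\n", len(out), out)
}
```

For an analyst the same Unpack function is the unpacker: once the key, IV and blob are recovered from the loader (by debugging it or by reading the integer arrays out of the binary), the payload can be extracted without ever running it. Note that neither the numeric storage nor the compression adds any cryptographic strength; they only delay static analysis.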

C2 Infrastructure

The command and control (C2) design is built for resilience: the implant keeps persistent connections open and is designed to stay under the radar while doing so. Two features stand out. First, certificate-based validation that the malware performs itself, independent of the system trust store, so a conventional SSL-inspection proxy presenting a substitute certificate is rejected rather than accepted. Second, an IP rotation scheme that falls back to alternate addresses when the primary C2 is unreachable. Together these give the trojan a redundant path to its infrastructure. For defenders the practical consequence is that the C2 session cannot be decrypted inline; detection has to rely on connection metadata such as destination, timing and repeated failed handshakes through the inspection proxy.

Evasion Techniques

ResolverRAT combines several evasion techniques. It communicates over standard ports but speaks a custom protocol, so at the port level its traffic blends into legitimate flows. Its code is heavily obfuscated. And it randomizes the interval between connection attempts, which defeats detectors that look for fixed-period beaconing.
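The two network-side evasions, a custom protocol on a standard port and randomized beacon intervals, can be checked against connection telemetry. The example below is added here and is not part of the original report: it flags port-443 sessions whose first client bytes are not a TLS record, and scores each destination by the regularity of its connection intervals. The sessions, addresses and payload bytes are constructed; the TLS check and the interval statistic are generic heuristics, not ResolverRAT's actual protocol.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Session is one outbound connection (constructed for this example), as a
// Zeek conn log or NetFlow record would give it, plus the first bytes the
// client sent when payload capture is available.
type Session struct {
	TS    float64 // seconds since the start of the capture
	Dst   string
	Port  int
	First []byte // first client payload bytes; nil when not captured
}

// looksLikeTLS reports whether bytes start a TLS record: content type 0x16
// (handshake) followed by major version 0x03.
func looksLikeTLS(b []byte) bool {
	return len(b) >= 2 && b[0] == 0x16 && b[1] == 0x03
}

// PortProtocolMismatch returns sessions to port 443 whose first bytes are
// not a TLS handshake: a custom protocol riding on a standard port.
// Sessions without captured payload are left alone rather than guessed at.
func PortProtocolMismatch(ss []Session) []Session {
	var out []Session
	for _, s := range ss {
		if s.Port == 443 && s.First != nil && !looksLikeTLS(s.First) {
			out = append(out, s)
		}
	}
	return out
}

// DstStats summarizes one destination: how many connections were made and
// how regular the gaps between them were.
type DstStats struct {
	Dst   string
	Count int
	CV    float64 // coefficient of variation of inter-connection intervals
}

// intervalCV is std/mean of the gaps between sorted timestamps: about 0 for
// a fixed-period beacon, rising as the implant randomizes its timer. NaN
// when fewer than two intervals exist.
func intervalCV(ts []float64) float64 {
	if len(ts) < 3 {
		return math.NaN()
	}
	sort.Float64s(ts)
	gaps := make([]float64, 0, len(ts)-1)
	var sum float64
	for i := 1; i < len(ts); i++ {
		g := ts[i] - ts[i-1]
		gaps = append(gaps, g)
		sum += g
	}
	mean := sum / float64(len(gaps))
	var sq float64
	for _, g := range gaps {
		sq += (g - mean) * (g - mean)
	}
	return math.Sqrt(sq/float64(len(gaps))) / mean
}

// BeaconStats groups sessions by destination and scores each one.
func BeaconStats(ss []Session) map[string]DstStats {
	byDst := map[string][]float64{}
	for _, s := range ss {
		byDst[s.Dst] = append(byDst[s.Dst], s.TS)
	}
	out := map[string]DstStats{}
	for dst, ts := range byDst {
		out[dst] = DstStats{Dst: dst, Count: len(ts), CV: intervalCV(ts)}
	}
	return out
}

// SampleSessions builds a constructed capture: a fixed 60 s beacon, a
// jittered beacon, and two genuine TLS sessions. Addresses come from the
// RFC 5737 documentation ranges; the payload bytes are arbitrary.
func SampleSessions() []Session {
	custom := []byte{0x08, 0x01, 0x12, 0x04} // not a TLS record header
	tls := []byte{0x16, 0x03, 0x01, 0x02, 0x00}
	var ss []Session
	for i := 0; i < 10; i++ { // fixed period: caught by the CV alone
		ss = append(ss, Session{float64(60 * i), "203.0.113.10", 443, custom})
	}
	for _, t := range []float64{0, 45, 130, 170, 260, 330, 380, 470, 540, 600} { // jittered
		ss = append(ss, Session{t, "198.51.100.7", 443, custom})
	}
	ss = append(ss,
		Session{5, "192.0.2.5", 443, tls},
		Session{300, "192.0.2.5", 443, nil}, // payload not captured: not judged
	)
	return ss
}

func main() {
	for _, s := range PortProtocolMismatch(SampleSessions()) {
		fmt.Printf("non-TLS on 443: t=%.0f dst=%s\n", s.TS, s.Dst)
	}
	for _, st := range BeaconStats(SampleSessions()) {
		fmt.Printf("%-15s n=%2d interval CV=%.2f\n", st.Dst, st.Count, st.CV)
	}
}
```

On the constructed data the fixed beacon scores a CV of 0 and the jittered one about 0.27, which is exactly the page's point: a threshold on interval regularity alone misses the jittered implant. What still works is combining signals: both beacons fail the port/protocol check, and both make many more connections to a single address than the genuine TLS client does.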

The command-processing pipeline is multi-threaded with robust error handling, so a failed or malformed command does not bring the implant down. Messages are serialized with Protocol Buffers, a compact binary encoding that carries no field names on the wire, which makes traffic analysis harder than it is for text-based protocols.

Victim Tracking and Execution Control

ResolverRAT also includes a victim-tracking framework that lets the operators manage infected hosts: it keeps detailed records of each infected device and associates every host with a unique token, so individual victims can be identified and addressed.

Morphisec’s Countermeasures

Morphisec positions its Automated Moving Target Defense (AMTD) as the countermeasure, blocking threats such as ResolverRAT at the earliest stages of an attack rather than relying on the detection-based controls that this malware is built to evade.

For organizations, Morphisec presents this preventive approach as a way to significantly reduce the risk from this class of malware.

Indicators of Compromise (IOCs)

The original Morphisec report provides SHA256 hashes and C2 IP addresses and ports for ResolverRAT; they are not reproduced in this summary, so consult the source report for detection content.

In conclusion, ResolverRAT exemplifies the growing sophistication of malware: in-memory execution, runtime resolution, self-validated C2 certificates and jittered beaconing each defeat a single control, so mitigating the risk requires proactive, layered defenses.
