- Security researchers find a new Trojan called ResolverRAT
- It comes with advanced obfuscation and persistence mechanisms
- It targets healthcare and pharmaceutical organizations all over the world
A brand-new remote access Trojan (RAT) is making the rounds on the Internet, infecting healthcare and pharmaceutical organizations around the world.
Cybersecurity researchers at Morphisec Labs named it ResolverRAT, and although it comes with advanced obfuscation and stealth evasion techniques, its distribution method is fairly ordinary.
The attack starts with the usual phishing email that scares the victim into making a rash, reckless decision. The attackers localize the emails in an attempt to improve infection rates, but still cast a relatively wide net. With that in mind, researchers found phishing emails in Hindi, Italian, Czech, Turkish, Portuguese and Indonesian.
Social engineering
The attachment is deployed via side-loaded DLL files which, when triggered, release a loader directly in memory. The loader, in turn, unpacks the final malware payload, also only in memory.
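As an added defender-side example (not code from the article or from Morphisec), the heuristic below flags the load pattern that DLL side-loading produces: a Windows-shipped library name loaded from outside the system directories, typically from the executable's own folder. The DLL name list and the module-load telemetry are constructed for illustration.

```python
"""Heuristic check for DLL side-loading in module-load telemetry (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath

# Directories from which the listed DLL names are legitimately loaded.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Constructed sample of Windows-shipped DLL names that are often impersonated.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class ModuleLoad:
    process: str  # full path of the executable that loaded the module
    module: str   # full path of the loaded DLL


def _norm(path: str) -> str:
    # ntpath handles Windows-style paths regardless of the host OS.
    return ntpath.normpath(path).lower()


def classify(event: ModuleLoad) -> Optional[str]:
    """Return a reason string when the load looks like side-loading, else None."""
    module = _norm(event.module)
    if ntpath.basename(module) not in KNOWN_SYSTEM_DLLS:
        return None
    module_dir = ntpath.dirname(module)
    if module_dir in TRUSTED_DIRS:
        return None
    if module_dir == ntpath.dirname(_norm(event.process)):
        return "system DLL name loaded from the executable's own directory"
    return "system DLL name loaded from an unexpected directory"


def find_sideloads(events: List[ModuleLoad]) -> List[Tuple[ModuleLoad, str]]:
    """Pair each suspicious event with its reason; benign loads are dropped."""
    return [(e, r) for e in events if (r := classify(e)) is not None]


# Constructed telemetry, not captured from any real incident.
SAMPLE_EVENTS = [
    ModuleLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll"),
    ModuleLoad(r"C:\Users\ann\Downloads\Invoice\viewer.exe", r"C:\Users\ann\Downloads\Invoice\version.dll"),
    ModuleLoad(r"C:\Program Files\App\app.exe", r"C:\Program Files\App\app_helper.dll"),
    ModuleLoad(r"C:\Program Files\App\app.exe", r"C:\Users\Public\dbghelp.dll"),
]

if __name__ == "__main__":
    for event, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"{event.process} -> {event.module}: {reason}")
```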
But that’s not the only way ResolverRAT tries to fly under the radar. It uses both encryption and compression and goes the extra mile to persist on the target endpoints.
“ResolverRAT’s initialization sequence reveals a sophisticated, multi-stage bootstrapping process designed for stealth and resilience,” the researchers said, adding that it “implements redundant persistence methods” through the Windows Registry.
Ultimately, ResolverRAT installs itself in multiple locations across the computer.
Other notable features include using certificate-based authentication to bypass root authorities, an IP rotation system to connect to various C2 servers, certificate pinning, source code obfuscation and more.
“This advanced C2 infrastructure demonstrates the advanced capabilities of the threat actor, combining secure communication, fallback mechanisms and evasion techniques designed to maintain sustained access while evading detection by security monitoring systems,” Morphisec said.
The campaign was last observed in the wild in mid-March this year, which might suggest that it is still underway.
The threat actors deploying ResolverRAT could be the same ones dropping Lumma and Rhadamanthys, as the same delivery mechanisms were seen in all cases. It could also simply mean that the groups used the same phishing kit.
Via The Hacker News