The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Healthcare Orgs Targeted with Malware Campaign Distributing Stealthy New RAT

Healthcare organizations and pharmaceutical companies are being targeted in a malware campaign involving ResolverRAT, a recently discovered stealthy remote access trojan. The malware is being delivered via phishing emails purporting to be notices about copyright violations and other legal issues that create a false sense of urgency.

The phishing emails include a hyperlink that directs the user to a legitimate signed executable – hpreader.exe – which is then abused for DLL side-loading to inject ResolverRAT into memory. The malware abuses .NET ‘ResourceResolve’ events to load malicious assemblies without API calls that could be detected. Since ResolverRAT runs entirely in memory, it can evade traditional security solutions such as antivirus and endpoint detection software that focus on Win32 API and file system operations.
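One way to hunt for the side-loading step described above, as an added example that is not from the article or from Morphisec: it scans Sysmon Event ID 7 (ImageLoad) records for an unsigned DLL loaded from the same user-writable directory as the executable that loaded it. Apart from the `hpreader.exe` filename, the event records, hosts, paths, DLL names and the directory list are constructed assumptions.

```python
import ntpath  # Windows path handling that works on any analysis host

# Assumed list of user-writable locations for this example; tune per environment.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")
# Signed executables known to be abused for side-loading (name from the article).
WATCHED_EXES = {"hpreader.exe"}

def is_sideload_candidate(ev):
    """ev holds Sysmon Event ID 7 fields: Image, ImageLoaded, Signed.
    Signed describes the loaded module, not the host process."""
    image = ev["Image"].lower()
    loaded = ev["ImageLoaded"].lower()
    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    user_writable = any(part in image for part in USER_WRITABLE)
    unsigned = str(ev.get("Signed", "false")).lower() != "true"
    return same_dir and user_writable and unsigned

def find_sideloads(events):
    """Return one finding per suspicious load, prioritising watched executables."""
    findings = []
    for ev in events:
        if not is_sideload_candidate(ev):
            continue
        exe = ntpath.basename(ev["Image"]).lower()
        findings.append({
            "host": ev.get("Computer", "unknown"),
            "exe": ev["Image"],
            "dll": ev["ImageLoaded"],
            "priority": "high" if exe in WATCHED_EXES else "review",
        })
    return findings

# Constructed sample events (hosts, paths and DLL names are placeholders).
SAMPLE_EVENTS = [
    {"Computer": "ws-01", "Signed": "false",
     "Image": r"C:\Users\alice\Downloads\notice\hpreader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\notice\placeholder.dll"},
    {"Computer": "ws-02", "Signed": "true",
     "Image": r"C:\Program Files\ExampleVendor\hpreader.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVendor\vendor.dll"},
    {"Computer": "ws-03", "Signed": "false",
     "Image": r"C:\Users\bob\AppData\Local\Temp\setup_tool.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    {"Computer": "ws-01", "Signed": "true",
     "Image": r"C:\Users\alice\Downloads\notice\hpreader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for f in find_sideloads(SAMPLE_EVENTS):
        print(f["priority"], f["host"], f["exe"], "->", f["dll"])
```

Because the payload itself stays in memory, the image-load event for the side-loaded DLL is one of the few on-disk artifacts this heuristic can key on; it requires Sysmon image-load logging to be enabled.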

The malware was identified by researchers at Morphisec, who note that the phishing infrastructure used by the threat actor has previously been used to deliver the Rhadamanthys and Lumma information stealers. The malware achieves persistence by adding XOR-obfuscated keys in up to 20 locations in the Windows registry, and it also adds itself to multiple filesystem locations, including StartUp, LocalAppData, and Program Files.

The malware connects to its command-and-control server at random intervals to evade pattern-based detection methods. Communications are secured with a custom certificate validation process that bypasses root authorities, and obfuscated IP rotation and custom protocols on standard ports allow communications to blend in with normal traffic. Further, for data exfiltration, files larger than 1MB are split into smaller chunks to blend in with normal traffic patterns.

According to Morphisec, the sophistication of the malware suggests the campaign is being conducted by a threat actor of the highest level, with the researchers describing ResolverRAT as malware evolution at its finest. It has not yet been possible to attribute the campaign to any specific threat actor. The researchers suggest security awareness training for the workforce to improve awareness of phishing, behavior-based endpoint protection solutions, and regular audits to identify unusual memory activity.

“To tackle such threats, organizations should leverage proper privilege management controls. A user should not be allowed to install any piece of software or to run an executable. If there is a need for a new application, a defined process should be in place to allow that. Such guardrails restrict users from unintentionally jeopardizing the organization’s security, but still provide bandwidth to operate and perform their primary functions,” explained Dirk Schrader, Field CISO EMEA and VP of Security Research at Netwrix. “Of course, awareness training should be in place as well, but we all know that stress and urgency are the enemy of awareness, that’s why removing unnecessary privileges like local admin rights on the endpoints is one of the most effective ways to mitigate the risk of malicious installations.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
