New ResolverRAT malware targets healthcare and pharma orgs worldwide

Posted on by

Security researchers have observed a new malware payload deployed in attacks against the healthcare and pharmaceutical sectors. Dubbed ResolverRAT, the remote access Trojan features in-memory execution and sophisticated anti-analysis and payload encryption techniques.

ResolverRAT has been distributed through phishing emails with malicious attachments that use fear-based lures mentioning copyright infringement, various legal violations, and ongoing investigations. The emails are localized in multiple languages, including English, Hindi, Italian, Indonesian, Turkish, Portuguese, and Czech, indicating the global scale of the campaign.

“While recent reports by Check Point and Cisco Talos have attributed similar phishing infrastructure and delivery mechanisms to campaigns distributing Rhadamanthys and Lumma respectively, the RAT observed in Morphisec Threat Labs’ incident investigations appears to be previously undocumented,” Morphisec researchers wrote in their report released Monday. “Despite clear overlaps in payload delivery, email lure themes, and even binary reuse, this variant introduces a distinct loader and payload architecture that warranted classification as a new malware family.”