NEWS The Most Educated Virus: ResolverRAT Speaks Six Languages and Masters the Art of Disappearing

Doni

It dissolves into the system faster than a tablet in a glass of water.

Cybersecurity researchers from Morphisec have discovered a new remote access trojan (RAT) called ResolverRAT, actively used in attacks targeting medical and pharmaceutical organizations. This malware campaign stands out due to its well-designed infrastructure and advanced stealth capabilities, making it especially dangerous for organizations handling sensitive data.


The primary infection vector is phishing emails, crafted around alarming scenarios involving investigations or copyright violations. These emails create a sense of urgency and prompt recipients to click on malicious links. Opening the attached file triggers the execution chain of ResolverRAT, leveraging DLL sideloading. The malicious code never touches the disk — it resides solely in memory, making detection significantly more difficult.


The campaign is international in scope: attackers tailor phishing emails to the languages of target countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. This regionalization strategy aims to increase infection rates by making the bait appear more legitimate and locally relevant.


Technically, ResolverRAT employs a complex multi-stage loader and robust persistence mechanisms. In addition to embedding itself in the registry and file system, it uses a unique authentication scheme via certificates, allowing it to bypass system root certificate authorities. The malware also implements C2 server IP rotation, ensuring continuous operation even if primary communication channels are blocked.


To avoid analysis, the trojan uses certificate pinning, code obfuscation, and non-standard communication intervals with its command-and-control (C2) server. It also splits data transfers larger than 1 MB into 16 KB fragments, making traffic harder to detect through standard monitoring tools.


Morphisec researchers have noted similarities to previous phishing campaigns distributing Lumma and Rhadamanthys malware. Overlapping infrastructure and delivery methods suggest collaboration between different threat groups or the use of an affiliate-based distribution model.


Meanwhile, cybersecurity experts at CYFIRMA have reported another RAT malware called Neptune RAT. Unlike ResolverRAT, Neptune RAT is freely distributed via GitHub, Telegram, and YouTube. It follows a modular architecture and includes features such as a cryptocurrency clipper, password theft from over 270 applications, real-time desktop monitoring, a file encryptor, and even a Master Boot Record (MBR) rewriter module that can disrupt system boot.


Neptune RAT also employs anti-analysis techniques and maintains long-term persistence within infected systems. Its broad functionality and open availability make it a serious threat across a wide range of targets.
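The fragmentation behaviour described above (transfers over 1 MB split into 16 KB pieces, sent at non-standard intervals) is something a defender can look for in proxy or EDR message logs. The following is an added example, not code from the Morphisec or CYFIRMA reports: a triage heuristic that groups constructed per-message records by destination and flags destinations whose traffic is dominated by exactly 16 KB messages adding up to more than 1 MB, reporting the timing jitter alongside. The log format, the destination addresses (RFC 5737 documentation ranges) and the thresholds are assumptions; the check is a triage signal, not proof of infection.

```python
"""Heuristic for spotting fragmented uploads: many fixed 16 KB messages
to one destination, exceeding 1 MB in total, at irregular intervals."""
import random
from collections import defaultdict
from statistics import mean, pstdev

CHUNK = 16 * 1024          # fragment size reported for ResolverRAT (16 KB)
TOTAL_MIN = 1024 * 1024    # transfers above this size are reportedly fragmented


def chunked_sessions(records, chunk=CHUNK, total_min=TOTAL_MIN, min_ratio=0.9):
    """records: iterable of (timestamp_seconds, destination, message_bytes).

    Returns {destination: summary} for destinations where at least `min_ratio`
    of messages are exactly `chunk` bytes and the total exceeds `total_min`.
    `jitter_cv` (std dev / mean of inter-message gaps) is reported so an analyst
    can tell a jittered channel from a fixed-interval beacon or a plain bulk upload.
    Assumes application-level message sizes, not TLS record sizes (which are
    themselves capped at 16 KB and would produce false positives)."""
    by_dst = defaultdict(list)
    for ts, dst, size in records:
        by_dst[dst].append((ts, size))
    hits = {}
    for dst, msgs in by_dst.items():
        msgs.sort()
        sizes = [s for _, s in msgs]
        total = sum(sizes)
        if total < total_min or len(sizes) < 8:
            continue
        ratio = sum(1 for s in sizes if s == chunk) / len(sizes)
        if ratio < min_ratio:
            continue
        gaps = [b - a for (a, _), (b, _) in zip(msgs, msgs[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        hits[dst] = {"total": total, "chunks": len(sizes),
                     "ratio": round(ratio, 2), "jitter_cv": round(cv, 2)}
    return hits


def sample_records():
    """Constructed log: one fragmented 1.25 MB upload with jittered timing,
    one small 16 KB-chunked transfer, and one ordinary upload in 4 KB messages."""
    rng = random.Random(7)  # deterministic so the result is reproducible
    recs, t = [], 0.0
    for _ in range(80):                       # 80 x 16 KB = 1,310,720 bytes
        t += rng.uniform(0.5, 9.0)            # irregular, non-beacon-like gaps
        recs.append((t, "203.0.113.10:443", CHUNK))
    recs += [(i * 2.0, "198.51.100.5:443", CHUNK) for i in range(20)]   # 320 KB only
    recs += [(i * 0.01, "192.0.2.25:443", 4096) for i in range(300)]    # 1.2 MB, wrong size
    return recs


if __name__ == "__main__":
    for dst, info in chunked_sessions(sample_records()).items():
        print(dst, info)
```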