Morphisec discovers a new malware threat, ResolverRAT, that combines advanced methods for running code directly in computer memory,…
Analysis Summary
# Tool/Technique: ResolverRAT
## Overview
ResolverRAT is a Remote Access Trojan (RAT) distributed through targeted phishing campaigns, specifically utilizing native language lures to target the healthcare sector. Its primary purpose is to establish persistent remote control over compromised systems.
## Technical Details
- Type: Malware family (Remote Access Trojan/RAT)
- Platform: Not explicitly stated; RATs delivered via phishing campaigns commonly target Windows environments.
- Capabilities: Remote control, data exfiltration, persistence establishment.
- First Seen: Not specified in the provided text.
## MITRE ATT&CK Mapping
The deployment mechanism heavily relies on phishing, and the resulting malware provides remote access capabilities.
- **Initial Access (TA0001)**
  - T1566 - Phishing
  - T1566.001 - Spearphishing Attachment (implied by the native-language lure)
- **Command and Control (TA0011)**
  - T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Establishment of remote access to the victim's machine.
- Delivery via phishing emails using native language content for increased victim trust.
- Targeting of specific sectors, namely healthcare.
### Advanced Features
- The article highlights *native-language phishing* as the primary delivery vector, indicating social engineering tailored to the target's local language.
- The report's lead sentence also notes that ResolverRAT combines advanced methods for running code directly in memory; in-memory execution matters for defenders because disk-based signatures may not see the payload, so memory and behavioral monitoring carry more weight.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not provided]
- Network Indicators: [Not provided]
- Behavioral Indicators: [Not detailed in the context; expected indicators are persistence mechanisms and network beaconing associated with RAT command-and-control traffic.]
## Associated Threat Actors
- No threat actor is explicitly named in the provided snippet; the campaign targeted the healthcare sector.
## Detection Methods
- Signature-based detection: [Not provided]
- Behavioral detection: [Alerting on RAT-like outbound connections or on process execution that follows an email attachment being opened.]
- YARA rules: [Not provided]
## Mitigation Strategies
- Prevention measures: User training emphasizing caution with attachments and unexpected emails, even when they appear localized or are written in the recipient's native language.
- Hardening recommendations: Strict email filtering rules; application allowlisting (whitelisting) to prevent unauthorized process execution.
## Related Tools/Techniques
- Phishing attacks targeting the healthcare sector.
- Other RATs often distributed via phishing (e.g., Agent Tesla, Remcos, AsyncRAT).