Full Report
A new remote access trojan (RAT) called 'ResolverRAT' is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors. [...]
Analysis Summary
# Tool/Technique: ResolverRAT
## Overview
ResolverRAT is a new remote access trojan observed targeting pharmaceutical and healthcare organizations globally. It is notable for operating largely within .NET managed memory, which sidesteps security monitoring focused on Win32 API calls and file-system operations, and it layers heavy obfuscation and anti-analysis techniques on top of that.
## Technical Details
- Type: Malware family
- Platform: Windows (Implied by use of Registry, Startup, Program Files, LocalAppData)
- Capabilities: Remote access, data exfiltration (chunked), persistence via registry and filesystem, anti-analysis/sandbox detection.
- First Seen: Not explicitly stated in the provided text, but described as "New".
## MITRE ATT&CK Mapping
*Note: These mappings are estimated from the functionality described in the article; definitive mapping would require full analysis of a sample.*
- TA0001 - Initial Access
- T1566 - Phishing (the article describes multilingual phishing campaigns; see Associated Threat Actors)
- TA0003 - Persistence
- T1547.001 - Registry Run Keys / Startup Folder
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (via XOR-obfuscation and control flow obfuscation)
- T1497 - Virtualization/Sandbox Evasion (fingerprinting of resource requests to detect sandboxes and analysis tools)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (via chunking mechanism)
## Functionality
### Core Capabilities
- **Managed Memory Execution:** Operates primarily in managed memory (.NET mechanisms) to bypass monitoring focused on Win32 API and file system activity.
- **Persistence:** Achieves persistence by adding XOR-obfuscated keys to up to 20 locations in the Windows Registry, and by placing copies in `Startup`, `Program Files`, and `LocalAppData` directories.
- **Command and Control (C2):** Connects to C2 servers at randomized, scheduled intervals to evade detection based on regular beaconing patterns.
- **Multi-threading:** Executes every received command in a dedicated thread, allowing parallel task execution and preventing one failed command from crashing the entire malware instance.
### Advanced Features
- **Anti-Analysis/Sandbox Evasion:** Detects sandbox and analysis tools by fingerprinting resource requests.
- **Obfuscation:** Uses a complex state machine to obfuscate control flow, making static analysis difficult. It also employs misleading and redundant code operations during execution to complicate analysis even when debugging tools are present.
- **Chunked Data Exfiltration:** For files larger than 1MB, data is split into 16KB chunks for transfer.
- **Resilient Data Transfer:** Error handling is built for unstable links: if a socket is not ready or the network drops mid-transfer, the upload resumes from the last successfully sent chunk rather than restarting the file.
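The chunking and resume behaviour described in the two bullets above, as an added illustration that is not code from the ResolverRAT sample or from the original article: payloads above 1 MB are split into 16 KB chunks, and when the channel rejects a write the sender continues from the chunk after the last acknowledged one instead of resending what already arrived. The `FlakyChannel` class, its per-chunk acknowledgement, and the retry cap are assumptions made for this example; the page does not describe the real wire protocol.

```python
import random

CHUNK_THRESHOLD = 1 * 1024 * 1024   # payloads above 1 MB are chunked (from the report)
CHUNK_SIZE = 16 * 1024              # 16 KB per chunk (from the report)


class FlakyChannel:
    """Constructed stand-in for an unstable socket: it randomly refuses writes.
    Each accepted chunk is acknowledged by its index, which the sender uses as
    the resume point. Hypothetical; not the malware's actual transport."""

    def __init__(self, fail_rate, seed=0):
        self.rng = random.Random(seed)
        self.fail_rate = fail_rate
        self.received = {}      # chunk index -> bytes actually delivered
        self.failures = 0

    def send(self, index, payload):
        if self.rng.random() < self.fail_rate:
            self.failures += 1
            raise ConnectionError("socket not ready")
        self.received[index] = payload
        return index            # ack: highest chunk index stored so far

    def reassemble(self):
        return b"".join(self.received[i] for i in sorted(self.received))


def split_chunks(data):
    """One chunk for small payloads; 16 KB pieces above the 1 MB threshold."""
    if len(data) <= CHUNK_THRESHOLD:
        return [data]
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


def transfer(data, channel, max_retries=1000):
    """Send data chunk by chunk. On a socket error, retry the chunk after the
    last acknowledged one; chunks already delivered are never resent."""
    chunks = split_chunks(data)
    last_acked = -1
    retries = 0
    while last_acked < len(chunks) - 1:
        next_index = last_acked + 1         # resume point survives the error
        try:
            last_acked = channel.send(next_index, chunks[next_index])
        except ConnectionError:
            retries += 1
            if retries > max_retries:
                raise
    return {"chunks": len(chunks), "retries": retries}


if __name__ == "__main__":
    # Constructed 1.5 MiB payload: 96 chunks of 16 KB.
    payload = bytes(range(256)) * 6144
    channel = FlakyChannel(fail_rate=0.3)
    stats = transfer(payload, channel)
    print(stats, channel.reassemble() == payload)
```

The resume point is simply `last_acked + 1`; a transfer that restarted from chunk 0 after every socket error would re-send most of the file on a lossy link, which is the failure mode the report says this malware avoids.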
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: XOR-obfuscated entries written to up to 20 registry locations (persistence mechanism); the specific key paths are not provided
- Network Indicators: [Not provided, but communication uses randomized intervals]
- Behavioral Indicators:
- Execution that stays largely within .NET managed memory rather than native Win32 code paths.
- Fingerprinting system resources to detect analysis tools.
- Establishing persistence in `Startup`, `Program Files`, and `LocalAppData`.
- Transferring large exfiltrated files in 16KB chunks.
## Associated Threat Actors
- Unknown (The article mentions phishing campaigns in Italian, Czech, Hindi, Turkish, Portuguese, and Indonesian, indicating a global scope, but does not name a specific threat group.)
## Detection Methods
- Signature-based detection: Signatures would need to target the .NET artifacts themselves (obfuscated strings, the state-machine control-flow structures) rather than Win32 API sequences or dropped files.
- Behavioral detection: Monitoring for execution predominantly within managed memory space, C2 beaconing at randomized intervals, and attempts to write to numerous registry persistence locations.
- YARA rules: Could be developed based on unique obfuscated control flow states or specific managed code patterns.
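The behavioural angle on persistence listed above (a single process writing to many autostart registry locations, with values that are not readable paths) can be checked mechanically. The following is an added example, not code from the article or from any vendor product: it runs over constructed registry-set events shaped like Sysmon Event ID 13 fields (`Image`, `TargetObject`, `Details`) and flags a process that either touches at least five distinct autostart locations or writes non-printable / high-entropy data there. The watchlist of autostart paths, the thresholds, and the single-byte XOR used to build the sample data are assumptions for the example; the malware's real key paths and XOR scheme are not given on the page.

```python
import math
import re
from collections import defaultdict

# Watchlist of autostart registry locations (constructed, not exhaustive).
AUTOSTART_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(Ex)?\\",
        r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
        r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\",
        r"\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(User )?Shell Folders\\",
    )
]


def is_autostart(target_object):
    return any(p.search(target_object) for p in AUTOSTART_PATTERNS)


def shannon_entropy(text):
    """Bits per character; ordinary paths and command lines sit well below 5."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_obfuscated(value):
    """A Run value should be a readable path or command line. Non-printable
    characters (what XOR'd data looks like) or very high entropy are red flags."""
    printable = all(32 <= ord(ch) < 127 for ch in value)
    return (not printable) or shannon_entropy(value) > 5.0


def audit_registry_events(events, location_threshold=5):
    """One finding per process that writes to at least `location_threshold`
    distinct autostart locations, or writes obfuscated values to any of them."""
    locations = defaultdict(set)
    obfuscated = defaultdict(int)
    for ev in events:
        if ev.get("EventID") != 13 or not is_autostart(ev["TargetObject"]):
            continue
        image = ev["Image"]
        locations[image].add(ev["TargetObject"].lower())
        if looks_obfuscated(ev["Details"]):
            obfuscated[image] += 1
    findings = []
    for image, locs in locations.items():
        if len(locs) >= location_threshold or obfuscated[image]:
            findings.append({"image": image, "locations": len(locs),
                             "obfuscated_values": obfuscated[image]})
    return findings


def xor_obfuscate(data, key=0x5A):
    """Single-byte XOR, an assumed stand-in for the malware's undocumented scheme."""
    return bytes(b ^ key for b in data).decode("latin-1")


# Constructed sample: one benign updater writing a single readable Run value,
# and one process spraying XOR'd data across six autostart locations.
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
BENIGN_IMAGE = r"C:\Program Files\Vendor\Updater.exe"
BAD_IMAGE = r"C:\Users\victim\AppData\Local\Temp\update.exe"
BAD_PAYLOAD = xor_obfuscate(b"C:\\Users\\victim\\AppData\\Local\\svc.exe")

SAMPLE_EVENTS = [
    {"EventID": 13, "Image": BENIGN_IMAGE, "Details": BENIGN_IMAGE + " /background",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    {"EventID": 13, "Image": BAD_IMAGE, "Details": "1",      # not an autostart path: ignored
     "TargetObject": USER_HIVE + r"\Software\Vendor\Settings\LastRun"},
] + [
    {"EventID": 13, "Image": BAD_IMAGE, "Details": BAD_PAYLOAD, "TargetObject": target}
    for target in (
        USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost",
        USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\SvcHost",
        USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SvcHost",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SvcHost",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\SvcHost",
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    )
]

if __name__ == "__main__":
    for finding in audit_registry_events(SAMPLE_EVENTS):
        print(finding)
```

Counting distinct locations per process is the part that generalises: a legitimate installer registers one or two autostart entries, whereas a loader that seeds up to 20 locations stands out regardless of which exact keys it picks.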
## Mitigation Strategies
- **Managed Code Monitoring:** Implement security controls capable of monitoring and analyzing activity occurring entirely within managed memory environments (.NET runtime) rather than relying solely on Win32 API or filesystem monitoring.
- **Entropy Analysis/Heuristics:** Analyze for highly obfuscated control flows and redundant code execution patterns indicative of anti-analysis measures.
- **Network Monitoring:** Randomized check-in intervals defeat detectors that look for a fixed beacon period, so profile connections per source host and destination instead: flag long-lived, repeated connections to a rare external destination whose inter-arrival times stay within a bounded band even though they are not constant.
- **Persistence Auditing:** Aggressively audit writes to the Windows Registry (especially Run keys) and monitor the addition of files to system and user startup locations.
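The network-monitoring point above is easy to get wrong, because a "constant interval" rule misses exactly the jittered beaconing this malware uses. The following added example (not code from the article or any product) builds a constructed connection log with three clients: one beaconing every 300 s exactly, one beaconing every 300 s with uniform ±40% jitter, and one browsing in human-like bursts. It then scores each (source, destination) pair two ways: a naive coefficient-of-variation test, and a bounded-jitter test that asks what fraction of gaps fall within 0.5x to 2x the median gap. The log format, thresholds, and traffic generators are assumptions for the example.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timezone


def parse_line(line):
    """'<iso-timestamp> <src> <dst:port>' -> (epoch seconds, src, dst). Constructed format."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts).timestamp(), src, dst


def profile(lines, min_connections=20, band=(0.5, 2.0), min_regular=0.9):
    """Group connections per (src, dst) and score how beacon-like the timing is."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        times[(src, dst)].append(ts)
    results = {}
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_connections:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        median = statistics.median(gaps)
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        lo, hi = band[0] * median, band[1] * median
        regular = sum(lo <= g <= hi for g in gaps) / len(gaps)
        results[pair] = {
            "count": len(ts),
            "median_s": median,
            "cv": cv,
            "regular_fraction": regular,
            "constant_interval": cv < 0.05,            # naive detector: fixed period only
            "jittered_beacon": regular >= min_regular,  # bounded-jitter detector
        }
    return results


def synth(src, dst, start, gaps):
    """Render one connection per gap as a log line (constructed data)."""
    t, out = start, []
    for gap in [0.0] + gaps:
        t += gap
        stamp = datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
        out.append(f"{stamp} {src} {dst}")
    return out


def sample_log(seed=7, n=60):
    """Three clients: fixed-period beacon, jittered beacon, human browsing."""
    rng = random.Random(seed)
    start = datetime(2025, 4, 14, 8, 0, tzinfo=timezone.utc).timestamp()
    fixed = synth("10.0.0.5", "198.51.100.9:443", start, [300.0] * (n - 1))
    jitter = synth("10.0.0.6", "203.0.113.7:443", start,
                   [rng.uniform(180, 420) for _ in range(n - 1)])
    human = synth("10.0.0.7", "192.0.2.10:443", start,
                  [rng.uniform(1, 30) if rng.random() < 0.7 else rng.uniform(600, 7200)
                   for _ in range(n - 1)])
    lines = fixed + jitter + human
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for pair, score in profile(sample_log()).items():
        print(pair, {k: round(v, 3) if isinstance(v, float) else v for k, v in score.items()})
```

In the output the jittered client has a coefficient of variation around 0.2, so the `constant_interval` rule says "not a beacon", while the bounded-jitter test still flags it because every gap lies between half and twice the median. The human client fails the bounded test: bursts of short gaps are followed by idle periods far outside the band. In production the same scoring would run over proxy or NetFlow records and be combined with destination rarity, since any legitimate polling client also produces regular timing.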
## Related Tools/Techniques
- Other .NET-based malware families that favor in-memory operations.
- Malware employing variable interval beaconing to thwart anomaly-based network detection.