Critical Infrastructure Security, Malware, Threat Intelligence
Novel ResolverRAT trojan launched in global attacks against healthcare, pharma

Healthcare and pharmaceutical organizations around the world have been subjected to an attack campaign involving the new and advanced ResolverRAT malware, the most recent of which was observed in early March, reports The Hacker News.
Threat actors delivered phishing emails with legal investigation or copyright violation themes in Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish that leveraged DLL side-loading to start a multi-stage process leading to the eventual execution of ResolverRAT, an analysis from Morphisec Labs revealed. Aside from establishing command-and-control server communications after authenticating with a custom certificate-based scheme, ResolverRAT also features an IP rotation system and several other capabilities that allow it to conceal its malicious activity. Although the campaign has not been linked to a specific nation-state or threat operation, it resembled previous phishing operations that spread the Lumma and Rhadamanthys information-stealing payloads, suggesting a shared affiliate model, said Morphisec Labs. The findings follow the emergence of Neptune RAT, which CYFIRMA reported was being distributed via Telegram, YouTube, and GitHub.