
A new remote access trojan (RAT) has emerged, and it’s armed with advanced techniques to evade detection. Morphisec Labs has identified this threat, dubbed “ResolverRAT,” and their analysis reveals a malware that combines in-memory execution, runtime API and resource resolution, and layered evasion capabilities.
Morphisec researchers chose the name ‘Resolver’ due to the RAT’s heavy use of runtime resolution mechanisms and dynamic resource handling. These features significantly complicate both static and behavioral analysis, posing a challenge for security professionals attempting to understand and counter the malware.
ResolverRAT’s initial access relies on social engineering, targeting corporate employees across various countries. The attackers employ phishing emails with fear-based lures designed to pressure recipients into clicking malicious links. These campaigns often exhibit highly localized phishing tactics, using region-specific language and themes to enhance credibility and increase user engagement.
The report highlights the use of localized subject lines in various languages, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. This multi-language approach indicates a globally scoped operation, with threat actors aiming to maximize infection rates through tailored, region-specific targeting.
Morphisec’s report provides a technical deep dive into ResolverRAT, detailing its infection chain, loader internals, evasion techniques, and C2 (Command and Control) infrastructure.
The first stage of the infection operates as a loader, responsible for decrypting, loading, and executing the actual malware payload while employing multiple layers of anti-analysis techniques. This loader follows a structured execution pattern and uses AES-256 encryption to protect its payload. The encryption keys and initialization vectors (IVs) are obfuscated, and the payload is both encrypted and compressed, existing only in memory after decryption.
To further hinder static analysis, ResolverRAT employs string obfuscation, storing strings as numeric IDs and decoding them at runtime. The malware also uses a custom resource reader with integrity validation.
One of ResolverRAT’s standout evasion techniques is its .NET resource resolver hijacking. By registering a custom handler for ResourceResolve events, the malware can intercept legitimate resource requests and inject malicious assemblies, achieving code injection without modifying the PE header or using suspicious API calls.
The report emphasizes the sophistication of ResolverRAT’s payload decryption process, which uses a complex state machine with hundreds of states and transitions. This technique, known as control flow flattening, makes static analysis exceptionally challenging. The state machine incorporates several anti-analysis techniques, including non-sequential state transitions, conditional jumps based on environment checks, dead code, and arithmetic operations to dynamically compute decryption keys.
ResolverRAT implements multiple redundant persistence methods, using registry entries and file system installations in various locations. The malware bypasses standard certificate validation with a custom callback that matches the server’s certificate against an embedded one, establishing a private validation chain between the infected system and the C2 server.
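To make the control-flow-flattening description concrete, here is an added illustration (example code written for this article, not Morphisec’s analysis code and not ResolverRAT’s routine). A small, made-up key-derivation function is shown in plain form and then as a dispatcher loop over a state table with non-sequential state IDs, an opaque predicate that decides the next state arithmetically, and a dead state. The flattened version also returns the trace of states it visited, which is what an analyst recovers by executing or emulating the dispatcher rather than reading the listing.

```python
"""
Control-flow flattening, illustrated.  Constructed example: the constants,
seed and state numbers are arbitrary and stand for nothing in the real malware.
"""


def derive_plain(seed: int) -> int:
    """The original, easy-to-read logic: four arithmetic steps in order."""
    k = seed ^ 0x5A5A
    k = (k * 31 + 7) & 0xFFFF
    k = ((k << 3) | (k >> 13)) & 0xFFFF      # 16-bit rotate left by 3
    return k ^ 0xBEEF


def derive_flattened(seed: int):
    """
    Same computation, flattened.  Each basic block is a numbered state and one
    loop dispatches on the current state.  State numbers are non-sequential, so
    the listing order says nothing about execution order.  Returns (key, trace).
    """
    state = 0x1C3
    k = seed
    trace = []
    while True:
        trace.append(state)
        if state == 0x1C3:
            k ^= 0x5A5A
            state = 0x07A
        elif state == 0x07A:
            k = (k * 31 + 7) & 0xFFFF
            # Opaque predicate: k*k and k always have the same parity, so this
            # always selects 0x2F0, but a static reader sees two possible edges.
            state = 0x2F0 if (k * k) % 2 == k % 2 else 0x111
        elif state == 0x2F0:
            k = ((k << 3) | (k >> 13)) & 0xFFFF
            state = 0x0B1
        elif state == 0x0B1:
            k ^= 0xBEEF
            state = 0x3FF
        elif state == 0x3FF:
            return k, trace
        elif state == 0x111:
            # Dead state: unreachable, present only to inflate the graph.
            k = ~k & 0xFFFF
            state = 0x1C3
        else:
            raise RuntimeError(f"unexpected state {state:#x}")


def recovered_order(seed: int):
    """The linear block order an analyst gets back by tracing the dispatcher."""
    return derive_flattened(seed)[1]


if __name__ == "__main__":
    key, trace = derive_flattened(0x1234)
    print(f"key={key:#06x}", "matches plain:", key == derive_plain(0x1234))
    print("visited states:", [f"{s:#05x}" for s in trace])
```

Running the dispatcher (or emulating it) yields the true sequence 0x1C3 → 0x07A → 0x2F0 → 0x0B1 → 0x3FF; with hundreds of states and environment-dependent predicates, as the report describes, that trace is only recoverable dynamically, which is why static tooling struggles.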
The RAT also features a sophisticated IP rotation system for its C2 infrastructure, providing fallback capabilities if the primary C2 server becomes unavailable.
ResolverRAT employs a range of evasion techniques, including:
- Custom protocol over standard ports
- Certificate pinning
- Extensive code obfuscation
- Timer-based connection management with random intervals
- Serialized data exchange using Protocol Buffers (ProtoBuf)
These techniques are designed to help the malware blend in with legitimate traffic, evade network security monitoring, and resist detection through timing and traffic analysis.
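Two of the listed features leave traffic-side signals that a defender can test for: a custom protocol on a standard port yields tcp/443 flows whose first bytes are not a TLS handshake, and a timer-based beacon with randomized intervals produces gaps that cluster tightly around one period even though they are never identical. The following added example (written for this article, not Morphisec’s detection logic) runs both checks over constructed flow records; the hosts, timestamps and payload bytes are invented, and the thresholds are starting points, not values from the report.

```python
"""
Traffic heuristics for the evasion list above: non-TLS payload on tcp/443 and
jittered beacon timing.  All records below are constructed for the example.
"""
import statistics
from collections import defaultdict

# Constructed records: (epoch seconds, src, dst, dst_port, first payload bytes).
# 10.0.0.5 connects roughly every 60 s with a few seconds of jitter and sends a
# non-TLS payload; 10.0.0.7 is ordinary browsing that starts with a ClientHello.
_BEACON_OFFSETS = [0, 58, 121, 177, 240, 297, 362, 419]
_BROWSE_OFFSETS = [0, 3, 4, 44, 45, 245, 945]
SAMPLE_FLOWS = (
    [(1000 + t, "10.0.0.5", "203.0.113.10", 443, b"\x08\x01\x12\x04\x00\x00")
     for t in _BEACON_OFFSETS]
    + [(1000 + t, "10.0.0.7", "198.51.100.20", 443, b"\x16\x03\x01\x00\xf5\x01")
       for t in _BROWSE_OFFSETS]
)


def looks_like_tls(payload: bytes) -> bool:
    """True if the bytes open a TLS handshake record carrying a ClientHello:
    content type 0x16, record version 0x03 0x00..0x03, handshake type 0x01."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] <= 0x03
        and payload[5] == 0x01
    )


def jitter_profile(timestamps):
    """Mean gap and coefficient of variation (stdev / mean) of the gaps between
    successive connections.  None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def analyze(flows, min_connections=6, max_cv=0.2):
    """Return {'non_tls_on_443': [(src, dst), ...],
               'beacons': {(src, dst): (mean_gap, cv)}}."""
    non_tls = []
    by_pair = defaultdict(list)
    for ts, src, dst, port, payload in flows:
        by_pair[(src, dst)].append(ts)
        if port == 443 and not looks_like_tls(payload) and (src, dst) not in non_tls:
            non_tls.append((src, dst))
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        profile = jitter_profile(stamps)
        # A low CV means the gaps sit tightly around one period: beacon-like.
        # Random jitter widens the spread but, if bounded, keeps CV small.
        if profile and profile[1] <= max_cv:
            beacons[pair] = profile
    return {"non_tls_on_443": non_tls, "beacons": beacons}


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_FLOWS).items():
        print(name, result)
```

The beaconing pair is reported with a mean gap near 60 s and a coefficient of variation well under 0.1, while the browsing pair, with gaps from one second to several minutes, is not; the same pair is also the only one whose tcp/443 traffic does not start with a TLS record. In practice the two signals are stronger together than alone, since plenty of legitimate software polls on a timer but does so over real TLS.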
ResolverRAT’s C2 configuration includes fields for tracking infected hosts, enabling threat actors to track individual infections, associate victims with authentication tokens, and organize infections by campaign.