Persistence and stealthy C2 communication: The new RAT employs multiple persistence strategies, including more than 20 obfuscated registry entries and files dropped in multiple folders on disk. The malware keeps a record of which persistence techniques were successful so it can use them as a fallback mechanism.

Communication with the command-and-control (C2) server uses TLS encryption with a custom server certificate validation method that compares the certificate served by the server with one stored internally by the malware program. Multiple IP addresses and port numbers are hardcoded to serve as a fallback if the primary server becomes unresponsive.

Connection with the C2 server happens at random intervals to prevent creating a beaconing pattern that network monitoring tools often detect. The communication protocol also uses data serialization to make traffic inspection more challenging. Infected systems are tracked and organized by campaigns, and each victim has a unique authentication token generated by the system.

"The alignment in payload delivery mechanisms, artifact reuse, and lure themes indicates a possible overlap in threat actor infrastructure or operational playbooks, potentially pointing to a shared affiliate model or coordinated activity among related threat groups," the Morphisec researchers said.
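Two of the C2 behaviours described above (randomised check-in intervals and hardcoded fallback servers) still leave a footprint in outbound connection logs. The following Python is an added example written for this page, not code from the Morphisec report or from csoonline.com, and the connection records it runs over are constructed sample data. It assumes a simplified log of (host, timestamp, destination IP, destination port, outcome) tuples; real NetFlow or proxy logs would need a small adapter. Rather than requiring exact periodicity, it thresholds on the coefficient of variation of the inter-connection gaps, which a bounded random sleep keeps low even though it defeats a strict "same interval every time" check, and it separately looks for a failed connection immediately followed by success to a different destination, the pattern a hardcoded fallback list produces.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log (not from the article), one tuple per
# outbound TCP attempt: (source host, epoch seconds, dst IP, dst port, outcome).
# ws-01 contacts one address with randomised 80-160 s gaps, then fails over.
# ws-02 shows bursty, user-driven traffic to a single site.
SAMPLE_LOG = [
    ("ws-01", 0, "203.0.113.10", 443, "ok"),
    ("ws-01", 95, "203.0.113.10", 443, "ok"),
    ("ws-01", 230, "203.0.113.10", 443, "ok"),
    ("ws-01", 310, "203.0.113.10", 443, "ok"),
    ("ws-01", 470, "203.0.113.10", 443, "ok"),
    ("ws-01", 560, "203.0.113.10", 443, "ok"),
    ("ws-01", 705, "203.0.113.10", 443, "ok"),
    ("ws-01", 800, "203.0.113.10", 443, "ok"),
    ("ws-01", 960, "203.0.113.10", 443, "ok"),
    ("ws-01", 1040, "203.0.113.10", 443, "ok"),
    ("ws-01", 1200, "203.0.113.10", 443, "fail"),   # primary goes dark
    ("ws-01", 1205, "203.0.113.20", 8443, "ok"),    # hardcoded fallback answers
    ("ws-02", 0, "198.51.100.5", 443, "ok"),
    ("ws-02", 3, "198.51.100.5", 443, "ok"),
    ("ws-02", 5, "198.51.100.5", 443, "ok"),
    ("ws-02", 600, "198.51.100.5", 443, "ok"),
    ("ws-02", 602, "198.51.100.5", 443, "ok"),
    ("ws-02", 3000, "198.51.100.5", 443, "ok"),
]


def _sessions(log):
    """Group attempts by (host, dst, port), each list sorted by time."""
    groups = defaultdict(list)
    for host, ts, dst, port, outcome in log:
        groups[(host, dst, port)].append((ts, outcome))
    for key in groups:
        groups[key].sort()
    return groups


def find_beacons(log, min_attempts=6, max_cv=0.6):
    """Flag (host, dst, port) tuples contacted repeatedly with bounded-jitter spacing.

    A fixed sleep gives a coefficient of variation (CV) near 0. A sleep drawn
    from a bounded random range raises it, but it stays well below the CV of
    bursty human traffic, so a CV ceiling catches both. Failed attempts count
    as check-ins: the timing comes from the implant, not from the server.
    """
    hits = {}
    for (host, dst, port), attempts in _sessions(log).items():
        if len(attempts) < min_attempts:
            continue
        times = [ts for ts, _ in attempts]
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits[(host, dst, port)] = {
                "attempts": len(attempts),
                "mean_interval": avg,
                "cv": round(cv, 2),
            }
    return hits


def find_failovers(log, window=30):
    """Flag a failed attempt followed within `window` seconds by the same host
    succeeding against a different destination, i.e. a fallback list in use."""
    by_host = defaultdict(list)
    for host, ts, dst, port, outcome in log:
        by_host[host].append((ts, dst, port, outcome))
    found = []
    for host, events in by_host.items():
        events.sort()
        for i, (ts, dst, port, outcome) in enumerate(events):
            if outcome != "fail":
                continue
            for ts2, dst2, port2, outcome2 in events[i + 1:]:
                if ts2 - ts > window:
                    break
                if outcome2 == "ok" and (dst2, port2) != (dst, port):
                    found.append((host, f"{dst}:{port}", f"{dst2}:{port2}"))
                    break
    return found


if __name__ == "__main__":
    for (host, dst, port), stats in find_beacons(SAMPLE_LOG).items():
        print(f"beacon-like: {host} -> {dst}:{port} {stats}")
    for host, failed, fallback in find_failovers(SAMPLE_LOG):
        print(f"failover: {host} lost {failed}, reached {fallback} shortly after")
```

The CV ceiling of 0.6 is a starting point, not a calibrated value: a sleep drawn uniformly from 60 to 180 seconds lands near 0.3, while interactive browsing to one site typically exceeds 1. Tune `min_attempts` upward on busy networks, and treat both signals as leads to pivot on (which process opened the socket, whether the destination certificate is unusual) rather than as verdicts on their own.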
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3963186/new-resolverrat-malware-targets-healthcare-and-pharma-orgs-worldwide.html