- Security researchers detect a new Trojan called ResolverRAT
- Comes with advanced mechanisms for obfuscation and persistence
- It targets healthcare and pharmaceutical organizations worldwide
There is a new remote access Trojan (RAT) making the rounds on the Internet, infecting organizations around the world that work in healthcare and pharmaceuticals.
Cybersecurity researchers at Morphisec Labs named it ResolverRAT, and although it comes with advanced obfuscation and stealth evasion techniques, its distribution is fairly ordinary.
The attack begins with the usual phishing email, scaring the victim into making a rash decision. The attackers localized the emails in an attempt to improve infection rates, but are still casting a relatively wide net: the researchers found phishing emails in Hindi, Italian, Czech, Turkish, Portuguese and Indonesian.
Social engineering
The attached file is delivered through DLL side-loading, which, if triggered, deploys a loader directly in memory. The loader, in turn, deploys the final malware payload, also only in memory.
But that is not the only way ResolverRAT tries to fly under the radar. It uses both encryption and compression, and makes an additional effort to persist on the target endpoints.
“The ResolverRAT initialization sequence reveals a sophisticated multi-stage startup process designed for stealth and resilience,” the researchers said, adding that it “implements multiple redundant persistence methods” via the Windows Registry.
Ultimately, ResolverRAT is installed in several different locations on the computer.
Other notable features include certificate-based authentication that bypasses root authorities, an IP rotation system for connecting to different C2 servers, certificate pinning, source-code obfuscation and more.
“This advanced C2 infrastructure demonstrates the advanced abilities of the threat actor, combining secure communications, fallback mechanisms and evasion techniques designed to maintain persistent access while evading detection by security monitoring systems,” Morphisec said.
The campaign was last observed in the wild in mid-March of this year, which suggests it may still be ongoing.
The threat actors who deployed ResolverRAT could be the same ones behind the Lumma and Rhadamanthys campaigns, since the same deployment mechanisms were observed in all cases. It could also simply mean that the groups were using the same phishing kit.
Via The Hacker News