海角社区

ResolverRAT Targeting Pharmaceutical and Healthcare Organizations

Cybersecurity firm Morphisec has issued a warning about a new malware strain called ResolverRAT, which has been seen recently in attacks on healthcare and pharmaceutical organizations.

Remote Access Trojans [RATs] are a type of malware disguised as legitimate software designed to give hackers unauthorized access to a victim鈥檚 computer. This access can take the form of viewing, modifying, deleting files; monitoring device activity such as keystrokes, screen content, webcam, or mic; and installing more malware to further compromise the system.

ResolverRAT is very advanced, using in-memory execution, layered evasion techniques, and runtime resolution mechanisms. It spreads through phishing emails, often referencing legal or copyright issues.
Once a user clicks the link and downloads the file, ResolverRAT runs through a process called DLL hijacking to infect the system. It鈥檚 payload is compressed and encrypted with AES-256. One decrypted, it stays hidden by existing only in memory

Learn more about how ResolverRAT works and what it鈥檚 being used to do .

CVE Program Cuts; MITRE Extended 11 Months

The Cybersecurity and Infrastructure Security Agency [CISA] has extended its government contract with MITRE for another 11 months, after nearly allowing its contract with MITRE to maintain the Common Vulnerabilities and Exposures [CVE] and related programs to expire on April 16th.

One such related program includes the Common Weakness Enumeration [CWE] program, that lists software and hardware weaknesses, helping organizations and individuals understand and address vulnerabilities at a deeper, structural level. The CWE program highlights known flaws in software design, implementation, and configuration, and presents it all to create a roadmap for improving security practices and reducing or mitigating future risk.

Meanwhile, the CVE program focuses on identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities. Each CVE entry contains standardized information on a specific vulnerability including its severity, affected systems, and mitigation strategies. This allows for professionals to assess the relevance of known vulnerabilities in their environment, prioritize patching and updates, and stay informed of the latest disclosed threats.

Both of these programs make it easier to manage and understand vulnerabilities, facilitating faster identification of weaknesses, improved risk management, and contributes immensely to broader cybersecurity community by sharing this important knowledge. The widespread use of these programs underscore their importance, described in a LinkedIn post by former CISA director Jen Easterly as the 鈥淒ewey Decimal System for cybersecurity.鈥�

Moving forward, MITRE may need to get funding from the private sector, a possibility the CVE board has already been working on for over a year鈥攕tarting a new CVE Foundation to supply it.

AI Facilitates More Believable Scams, Some Tips from ZDNET to Avoid Them

Generative AI has made it much easier to create convincing text and images, which threat actors have been able to successfully leverage in their workflows.

Microsoft鈥檚 Cyber Signals Report discloses a sharp rise in AI-powered scams, identifying two major attack vectors:

• E-commerce fraud: fake websites that are eerily similar to legitimate ones, featuring AI-generated content such as images, product descriptions, and reviews.
• Job and employment fraud: fake listings across job platforms use generated content, with some also using phishing campaigns facilitated by AI.

DKIM Replay Attack Used to Spoof Google

Threat actors have pulled off a convincing scam by spoofing Google using a DKIM Replay Attack. DomainKeys Identified Mail [DKIM] is an email security standard designed to prove that an email comes from the claimed sender鈥檚 domain and hasn鈥檛 been tampered with. It works by giving specific headers and the body of the message a digital signature- generated with the sender鈥檚 private key- at the time it鈥檚 sent.

The malicious email came from a real Google address, passed the standard DKIM, DMARC, and SPF security checks, had no typos, and contained no suspicious links. The email claimed a law enforcement subpoena needed access to the user鈥檚 Google Account, linking to a Google Sites page designed to mimic a Google support portal. This Sites page is where they were able to harvest credentials鈥攊f their target clicked a button, waited to be redirected to a fake Google login page, and entered their Google Account credentials to log in when prompted.

How the Attack Worked

1. Create Google account and a Google OAuth Application
   The threat actor created a new Google account 鈥渕e@<domain>鈥� and used it to register a Google OAuth account鈥攏aming the app with the full phishing message itself.
   Next, they granted their OAuth app access to their new account鈥攚hich generated the 鈥楽ecurity Alert鈥� message from Google. This system-generated email came from Google and was DKIM-signed.
2. Copy a legitimate Google email
   The threat actor saved the headers and content of the email they generated. Since they didn鈥檛 modify anything signed by the DKIM, it remained intact.
3. Forward the email from Outlook
   The threat actor replays the signed message by forwarding the same email from Outlook. Forwarding a message doesn鈥檛 change the DKIM signature, allowing it to bypass security filters, and creating the appearance that the email comes from the real Google email address 鈥�[email protected]鈥�. It also still passed DMARC checks鈥攎aking it look legitimate to filters.
4. Relay message through Jellyfish SMTP
   The email passed through Microsoft and was relayed to Jellyfish SMTP [Simple Mail Transfer Protocol], helping to further obscure its true origin.
5. Forward message through Namecheap鈥檚 PrivateEmail
   The email passed to Namecheap鈥檚 PrivateEmail, making use of their mail forwarding service. A new DKIM signature is added to the email. This is likely why the email will have a 鈥淪igned by鈥� header from Google, but a 鈥淢ailed by鈥� header from “fwd-04-1.fwd.privateemail[.]com”.
6. Deliver email to target Google Account user through Gmail
   The spoofed email is delivered to the target鈥檚 Gmailinbox, put in the same conversation as other- real- security alerts, and is shown in Gmail without any warnings.
   As a result of the threat actor naming their account 鈥渕e@<domain>鈥�, they manage to trick Gmail into showing that the message was sent to 鈥渕e鈥� at the top of the message.
7. Leverage sites.google[.]com to harvest credentials
   The email contained a link to a sites.google[.]com page that imitated the actual Google Support page. Clicking any button on the page redirected the user to a fake Google Account sign-in page. This fraudulent sign-in page was used to harvest credentials to real Google Accounts. If the user 鈥渟igned in鈥�, they inadvertently gave their Google Account credentials to the threat actor.

Lessons Learned

Phishing attempts often create urgency, fear, or appeal to authority to seem more credible. If an email seems unusual or triggers a strong emotional response, don鈥檛 click any links鈥攑ause, review it carefully, verify the source, or report it.