The cyber threat landscape continues to evolve, and the Hunters International ransomware group has emerged as a formidable player. This group is now targeting IT workers with a newly developed C# remote access trojan (RAT) named SharpRhino, aiming to infiltrate and compromise corporate networks.
SharpRhino is a sophisticated piece of malware designed to facilitate the initial breach, escalate privileges on infected systems, execute PowerShell commands, and ultimately deploy ransomware. The discovery of this malware by Quorum Cyber researchers reveals that it is distributed through a typosquatting site mimicking the legitimate Angry IP Scanner website, a popular networking tool among IT professionals.
The Modus Operandi of Hunters International
Launched in late 2023, Hunters International is suspected to be a rebranded version of the Hive ransomware group due to striking code similarities. The group has already made a name for itself by targeting prominent organisations, including U.S. Navy contractor Austal USA, Japanese optics giant Hoya, Integris Health, and the Fred Hutch Cancer Center. Their actions demonstrate a blatant disregard for ethical boundaries.
In 2024 alone, Hunters International has claimed responsibility for 134 ransomware attacks worldwide, excluding the CIS region, making it the tenth most active ransomware group currently in operation.
Technical Analysis of SharpRhino
SharpRhino is disseminated as a digitally signed 32-bit installer named 'ipscan-3.9.1-setup.exe'. This installer contains a self-extracting, password-protected 7z archive with additional files that facilitate the infection process. Once executed, the installer modifies the Windows registry for persistence and creates a shortcut to Microsoft.AnyKey.exe, a legitimate Microsoft Visual Studio binary that is abused in this attack.
Furthermore, the installer drops 'LogUpdate.bat', a batch file that runs PowerShell scripts on the compromised device to compile C# code into memory, ensuring the malware's stealthy execution. To maintain redundancy, it creates two directories, 'C:\ProgramData\Microsoft: WindowsUpdater24' and 'LogUpdateWindows', both used for command and control (C2) communication.
SharpRhino's hardcoded commands, 'delay' and 'exit', control the timing of the next POST request and terminate communication, respectively. The malware's capability to execute PowerShell commands on the host system poses significant risks, enabling a wide range of malicious activities.
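The delivery chain above (installer, batch launcher, PowerShell compiling C# in memory, staging directories, shortcut to Microsoft.AnyKey.exe) is observable on the endpoint. The following is an added triage example, not code from Quorum Cyber or the original report, that runs a few host-based rules over constructed Sysmon-style events; the event layout, the full path of LogUpdateWindows, the shortcut location and the use of Add-Type as the in-memory compiler are assumptions for illustration.

```python
"""Triage constructed endpoint telemetry for the SharpRhino delivery chain."""
import ntpath

# Constructed Sysmon-style events (not real captures). Process events carry
# image/parent/cmdline; file events carry path and, for shortcuts, lnk_target.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\it\Downloads\ipscan-3.9.1-setup.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "ipscan-3.9.1-setup.exe"},
    {"type": "file", "path": r"C:\ProgramData\Microsoft: WindowsUpdater24\LogUpdate.bat"},
    {"type": "file", "path": r"C:\ProgramData\LogUpdateWindows"},  # assumed location
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\it\Downloads\ipscan-3.9.1-setup.exe",
     "cmdline": r'cmd.exe /c "C:\ProgramData\Microsoft: WindowsUpdater24\LogUpdate.bat"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell.exe -NoP -W Hidden -c "Add-Type -TypeDefinition $src; [Loader]::Run()"'},
    {"type": "file", "path": r"C:\ProgramData\Microsoft: WindowsUpdater24\AnyKey.lnk",  # assumed
     "lnk_target": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\Microsoft.AnyKey.exe"},
    # Benign noise: an interactive console and an ordinary ProgramData write.
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"type": "file", "path": r"C:\ProgramData\Microsoft\Windows\Caches\cache.db"},
]

STAGING_DIRS = ("windowsupdater24", "logupdatewindows")  # directory names from the report

def _base(path):
    return ntpath.basename(path).lower()  # ntpath parses Windows paths on any host

def rule_staging_dir(ev):  # files written into either C2 staging directory
    return ev["type"] == "file" and any(d in ev["path"].lower() for d in STAGING_DIRS)

def rule_batch_launcher(ev):  # the dropped batch file being executed
    return ev["type"] == "process" and "logupdate.bat" in ev["cmdline"].lower()

def rule_inmemory_compile(ev):  # PowerShell under cmd.exe compiling C# (assumed: Add-Type)
    return (ev["type"] == "process" and _base(ev["image"]) == "powershell.exe"
            and _base(ev["parent"]) == "cmd.exe" and "add-type" in ev["cmdline"].lower())

def rule_anykey_shortcut(ev):  # a .lnk whose target is the abused Visual Studio binary
    return (ev["type"] == "file" and ev["path"].lower().endswith(".lnk")
            and _base(ev.get("lnk_target", "")) == "microsoft.anykey.exe")

RULES = {"staging_dir": rule_staging_dir, "batch_launcher": rule_batch_launcher,
         "inmemory_compile": rule_inmemory_compile, "anykey_shortcut": rule_anykey_shortcut}

def triage(events):
    """Return the sorted names of rules that fired; several together mean isolate the host."""
    return sorted({name for ev in events for name, rule in RULES.items() if rule(ev)})

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Any single rule can fire on legitimate activity (Add-Type is common in admin scripts), so treat the combination, not one hit, as the signal to pull the full process tree.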
Protective Measures and Recommendations
The tactic of using fake websites to distribute malware underscores the importance of vigilance among IT professionals. To mitigate such threats, it is crucial to:
Avoid Malvertising: Be wary of sponsored links in search results. Use ad blockers to eliminate these risks and ensure you're accessing legitimate websites.
Bookmark Official Sites: Maintain a list of trusted project sites to download safe installers.
Backup and Update: Implement a robust backup strategy, perform network segmentation, and keep all software updated to minimise opportunities for privilege escalation and lateral movement.
To Sum Up
Hunters International's new SharpRhino malware represents a significant threat to IT workers and the organisations they protect. By understanding their tactics and implementing strong cyber security practices, we can collectively thwart their efforts and safeguard our digital environments.