SharpRhino RAT
The Hunters International Ransomware group has developed a new C# Remote Access Trojan (RAT) named SharpRhino to target I.T. workers and infiltrate corporate networks. This malware facilitates initial infection, privilege escalation on compromised systems, execution of PowerShell commands and ultimately the deployment of ransomware.
Cybersecurity researchers have identified that the malware is being spread through a typosquatting site that mimics the website of Angry I.P. Scanner, a popular networking tool used by I.T. professionals.
Possible Rebrand of Previous Cybercrime Group
Hunters International, a ransomware operation launched in late 2023, is suspected to be a rebrand of Hive because of similarities in the two groups' code. Among its notable victims are Austal USA, a U.S. Navy contractor, Japanese optics giant Hoya, Integris Health, and the Fred Hutch Cancer Center, highlighting the group's disregard for ethical boundaries.
In 2024, the group claimed responsibility for 134 ransomware attacks on organizations worldwide (excluding those in the CIS region), making it the tenth most active ransomware group this year.
How Does the SharpRhino RAT Operate?
SharpRhino is distributed as a digitally signed 32-bit installer ('ipscan-3.9.1-setup.exe') that includes a self-extracting, password-protected 7z archive containing additional files necessary for the infection process. Upon installation, the software alters the Windows registry for persistence and creates a shortcut to Microsoft.AnyKey.exe, a Microsoft Visual Studio binary that is misused in this context.
The installer also drops 'LogUpdate.bat', which runs PowerShell scripts on the device to compile C# code in memory; because no compiled binary is written to disk, this keeps the malware's execution stealthy. For redundancy, the installer creates two directories, 'C:\ProgramData\Microsoft: WindowsUpdater24' and 'LogUpdateWindows', both of which are used for command and control (C2) communication.
The malware has two hardcoded commands: 'delay', which sets the interval before the next POST request that retrieves a command, and 'exit', which terminates its communication with the C2 server. Analysis shows that the malware can execute arbitrary PowerShell commands on the host, allowing it to perform a wide range of harmful actions.
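The behaviours described above (the fake 'ipscan-3.9.1-setup.exe' installer, registry persistence, the dropped Microsoft.AnyKey.exe, 'LogUpdate.bat' launching PowerShell that compiles C# in memory, and the two staging directories under C:\ProgramData) map onto a small set of endpoint-telemetry rules. The following Python triage script is an added example written for this page, not tooling from the researchers or from the malware analysis itself. The event shape, field names and the sample events are constructed for illustration; the directory and file names come from the write-up, while the registry value name, the use of `Add-Type`-style strings as the marker for in-memory C# compilation, and the assumption that a legitimate Microsoft.AnyKey.exe lives under Program Files are this example's own assumptions.

```python
"""Triage constructed endpoint telemetry for the SharpRhino indicators
described in the write-up above (added example, not the researchers' code)."""
import re

# Staging directories named in the write-up. The separator after "Microsoft"
# is rendered ambiguously there, so up to three arbitrary characters are allowed.
STAGING_DIR = re.compile(
    r"ProgramData\\Microsoft.{0,3}(WindowsUpdater24|LogUpdateWindows)\\", re.I)

# Assumption: PowerShell compiling C# in memory typically goes through
# Add-Type or the CodeDom compiler; these strings are the telltale we key on.
INMEM_COMPILE = re.compile(
    r"Add-Type|CSharpCodeProvider|CompileAssemblyFromSource", re.I)


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# (rule name, event type, predicate). Each rule reflects one behaviour from
# the write-up; predicates receive a single telemetry event (a dict).
RULES = [
    ("fake_ipscan_installer", "process",
     lambda e: basename(e["image"]) == "ipscan-3.9.1-setup.exe"),
    ("staging_dir_write", "file",
     lambda e: bool(STAGING_DIR.search(e["path"]))),
    # Assumption: a Visual Studio binary outside Program Files is out of place.
    ("anykey_lolbin_drop", "file",
     lambda e: basename(e["path"]) == "microsoft.anykey.exe"
     and not e["path"].lower().startswith(r"c:\program files")),
    ("run_key_persistence", "registry",
     lambda e: e["key"].lower().endswith(r"\currentversion\run")
     and (STAGING_DIR.search(e["data"])
          or basename(e["data"]) in ("logupdate.bat", "microsoft.anykey.exe"))),
    ("powershell_from_logupdate_bat", "process",
     lambda e: basename(e["image"]) == "powershell.exe"
     and "logupdate.bat" in e.get("parent_cmdline", "").lower()),
    ("inmemory_csharp_compile", "process",
     lambda e: basename(e["image"]) == "powershell.exe"
     and bool(INMEM_COMPILE.search(e["cmdline"]))),
]

# Constructed sample telemetry (not real logs): one event per indicator plus
# a benign Angry IP Scanner launch that should not fire anything.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\it-admin\Downloads\ipscan-3.9.1-setup.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "ipscan-3.9.1-setup.exe"},
    {"type": "file", "path": r"C:\ProgramData\Microsoft:\WindowsUpdater24\LogUpdate.bat"},
    {"type": "file", "path": r"C:\ProgramData\Microsoft:\LogUpdateWindows\Microsoft.AnyKey.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "UpdateSvc",  # placeholder value name, not from the write-up
     "data": r"C:\ProgramData\Microsoft:\WindowsUpdater24\LogUpdate.bat"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -c 'Add-Type -TypeDefinition $src'",
     "parent_cmdline": r'cmd.exe /c "C:\ProgramData\Microsoft:\WindowsUpdater24\LogUpdate.bat"'},
    {"type": "process", "image": r"C:\Program Files\Angry IP Scanner\ipscan.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "ipscan.exe"},
]


def triage(events):
    """Return {rule_name: [matching events]} for every rule that fired."""
    hits = {}
    for event in events:
        for name, etype, predicate in RULES:
            if event["type"] == etype and predicate(event):
                hits.setdefault(name, []).append(event)
    return hits


def verdict(hits, threshold=3):
    """Several distinct indicators on one host is the escalation trigger;
    a single hit is worth a look but may be benign noise."""
    if len(hits) >= threshold:
        return "escalate"
    return "review" if hits else "clear"


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for rule, matched in result.items():
        print(f"{rule}: {len(matched)} event(s)")
    print("verdict:", verdict(result))
```

Run against the constructed events, every rule fires once (the staging-directory rule twice) and the host is escalated, while the benign launch of the real scanner on its own returns "clear". The threshold in `verdict` is deliberately a count of distinct behaviours rather than raw event volume, because a single dropped file or Run key is common enough in legitimate installers that it should not page anyone by itself.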
Cybercriminals Use Fake Sites Imitating Legitimate Tools
Hunters International has adopted a new strategy of using websites that mimic legitimate open-source network scanning tools to target I.T. professionals, with the aim of compromising accounts that hold elevated privileges.
Users should be cautious of sponsored search results to avoid malvertising, use ad blockers to prevent these results from appearing, and bookmark official project sites known for providing safe installers. To weaken the impact of ransomware attacks, implement a robust backup plan, practice network segmentation, and keep all software up to date to minimize opportunities for privilege escalation and lateral movement.