Hunters International, a formidable ransomware-as-a-service (RaaS) group, has deployed a sophisticated new remote access trojan (RAT) known as SharpRhino. Quorum Cyber researchers, who discovered the malware, report that it is written in C# and specifically targets IT professionals by impersonating the legitimate Angry IP Scanner tool through typosquatting domains. Hunters International uses this approach to breach corporate networks, gain elevated privileges, execute PowerShell commands, and ultimately deploy ransomware.
Detailed Breakdown of SharpRhino RAT
Initial Infection and Dissemination: SharpRhino is distributed via a typosquatting site that mimics the official website for Angry IP Scanner, a popular open-source networking tool used by IT professionals. The malware is delivered as a digitally signed 32-bit installer named ‘ipscan-3.9.1-setup.exe’. This installer includes a self-extracting password-protected 7z archive, which, upon execution, modifies the Windows registry for persistence.
Persistence and Execution: The installer creates a shortcut to ‘Microsoft.AnyKey.exe’, a Microsoft Visual Studio binary. This shortcut executes ‘LogUpdate.bat’, which runs PowerShell scripts to compile C# code directly into memory. This technique allows for stealthy execution of the malware. For redundancy, SharpRhino establishes two directories: ‘C:\ProgramData\Microsoft: WindowsUpdater24’ and ‘LogUpdateWindows’. These directories facilitate multiple channels for command and control (C2), ensuring continued operation even if one directory is discovered and removed.
Capabilities and Actions: SharpRhino includes hardcoded commands such as ‘delay’ to set the timer for the next POST request and ‘exit’ to terminate communication. It allows attackers to execute PowerShell commands on the compromised host, enabling various malicious actions. Quorum Cyber researchers demonstrated this capability by launching the Windows calculator via SharpRhino.
Evolution of Hunters International: Hunters International emerged in late 2023 and is suspected to be a rebrand of Hive ransomware due to code similarities. The group has quickly ascended to become one of the top ransomware operators, leveraging SharpRhino for initial access and persistence before deploying Hive ransomware. They have claimed responsibility for 134 attacks in the first seven months of 2024, targeting organizations across the Americas, Europe, and Australia, while avoiding the Commonwealth of Independent States (CIS), suggesting possible ties to Russia.
Ransomware Deployment: Upon gaining access, Hunters International exfiltrates data from victim organizations before encrypting files. They change file extensions to .locked and leave a README message that directs victims to a Tor chat portal for payment instructions. The encryptor, coded in Rust, showcases advanced design and security features, making it resistant to reverse engineering.
Notable Victims and Impact:
Hunters International has targeted high-profile organizations, including:
- Austal USA: A U.S. Navy contractor.
- Hoya: A Japanese optics giant.
- Integris Health: A major healthcare provider.
- Fred Hutch Cancer Center: Highlighting the group’s lack of ethical boundaries.
Mitigation Strategies:
Organizations should adopt several measures to counteract the threat posed by SharpRhino and similar malware:
- Avoid Malvertising: Be cautious of sponsored search results and employ ad blockers to hide these results entirely.
- Bookmark Official Sites: Ensure the use of official project sites to procure software installers.
- Backup Plan: Implement a comprehensive backup strategy to recover data in case of an attack.
- Network Segmentation: Divide the network into segments to limit the spread of malware.
- Software Updates: Regularly update all software to mitigate vulnerabilities that could be exploited for privilege escalation and lateral movement.
Technical Details:
SharpRhino’s installer uses the Nullsoft Scriptable Install System (NSIS) and modifies the Windows registry at ‘Run\UpdateWindowsKey’ to ensure persistence. The installation creates two directories for redundancy, ‘WindowsUpdater24’ and ‘LogUpdateWindows’, enabling sustained command and control communication. The malware’s purpose is to maintain persistence and control over targeted systems, facilitating sophisticated ransomware attacks for financial gain.
Indicators of Compromise (IoCs):
Quorum Cyber provided a list of IoCs for SharpRhino, including specific registry modifications and directory creations. These indicators help organizations detect if network administrators have accidentally downloaded the RAT instead of the legitimate tool.
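As an added example (not code from the Quorum Cyber report or this page), the following PowerShell hunt checks a single host for the persistence artifacts described above. It assumes that ‘UpdateWindowsKey’ sits under one of the standard Run keys, that both redundancy directories live under C:\ProgramData\Microsoft, and that the in-memory C# compile uses Add-Type; adjust these to the published IoC list.

```powershell
# Added hunting script (not from the Quorum Cyber report). Assumptions: the
# 'UpdateWindowsKey' value is under a standard Run key, both directories sit
# under C:\ProgramData\Microsoft, and the in-memory compile uses Add-Type.
$findings = @()

# 1. Run-key persistence: a value named UpdateWindowsKey in any common Run key.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $val = Get-ItemProperty -Path $key -Name 'UpdateWindowsKey' -ErrorAction SilentlyContinue
    if ($val) {
        $findings += [pscustomobject]@{ Indicator = 'RunKey'; Location = $key; Detail = $val.UpdateWindowsKey }
    }
}

# 2. Redundant C2 directories and the LogUpdate.bat launcher inside them (hashed for reporting).
$dirs = @('C:\ProgramData\Microsoft\WindowsUpdater24', 'C:\ProgramData\Microsoft\LogUpdateWindows')
foreach ($d in $dirs) {
    if (Test-Path -LiteralPath $d) {
        $findings += [pscustomobject]@{ Indicator = 'Directory'; Location = $d; Detail = (Get-ChildItem -LiteralPath $d -Force -Name) -join ', ' }
    }
    $bat = Join-Path $d 'LogUpdate.bat'
    if (Test-Path -LiteralPath $bat) {
        $findings += [pscustomobject]@{ Indicator = 'Launcher'; Location = $bat; Detail = (Get-FileHash -LiteralPath $bat -Algorithm SHA256).Hash }
    }
}

# 3. Shortcuts (.lnk) whose target is the abused Visual Studio binary Microsoft.AnyKey.exe.
$shell = New-Object -ComObject WScript.Shell
$findings += Get-ChildItem -Path $env:ProgramData, $env:APPDATA -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match 'Microsoft\.AnyKey\.exe$') {
            [pscustomobject]@{ Indicator = 'Shortcut'; Location = $_.FullName; Detail = $target }
        }
    }

# 4. Script block logs (event 4104): PowerShell compiling C# in memory from the launcher (Add-Type assumed).
$findings += Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Add-Type' -and $_.Message -match 'LogUpdate' } |
    ForEach-Object { [pscustomobject]@{ Indicator = 'ScriptBlock'; Location = $_.TimeCreated; Detail = ($_.Message -split "`n")[0] } }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No SharpRhino persistence artifacts found on this host.' }
```

Run it from an elevated session so the HKLM keys, ProgramData subfolders and the PowerShell operational log are readable; step 4 only yields results where script block logging is enabled.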
MITRE ATT&CK Mapping:
The RAT’s defense evasion, privilege escalation, execution, persistence, and command and control techniques are mapped to the MITRE ATT&CK framework. This mapping provides a comprehensive understanding of SharpRhino’s capabilities and the threat it poses to organizations.
In conclusion, Hunters International’s deployment of SharpRhino represents a significant evolution in ransomware tactics, targeting IT professionals to gain elevated access and persist within corporate networks. Organizations must adopt robust cybersecurity practices to mitigate the risks associated with such sophisticated threats. Cybersecurity consulting companies play a crucial role in helping organizations develop and implement effective defense strategies to counter these advanced threats.