The Hunters International ransomware group is using new malware called SharpRhino to target IT workers. Based on reports, the malware is a C# remote access trojan (RAT) built to gain entry to business networks.
Researchers explained that the malware allows Hunters International to gain initial access, elevate privileges on compromised systems, launch PowerShell commands, and eventually deploy the ransomware payload.
Moreover, the malware assessment revealed that the threat actors delivered the payload for a ransomware attack through a typosquatted site imitating the website of Angry IP Scanner, a legitimate networking utility used by IT professionals.
Hunters International is a ransomware operation that was established late last year. Various researchers suspect it is a rebrand of the Hive operation.
The primary vector for spreading the SharpRhino RAT is a digitally signed installer.
According to investigations, the SharpRhino RAT spreads via a digitally signed 32-bit installer containing a self-extracting, password-protected 7z archive that holds the remaining files needed for the infection.
Next, the installer modifies the Windows registry to establish persistence and creates a shortcut to Microsoft.AnyKey.exe. The installer includes ‘LogUpdate.bat’, which runs PowerShell scripts on the device to compile C# code in memory, so the malware executes without a compiled binary being written to disk.
The installer also creates two directories, ‘C:\ProgramData\Microsoft: WindowsUpdater24’ and ‘LogUpdateWindows’, to provide redundancy for C2 communication.
Initial investigation also revealed that the malware includes two hardcoded commands: ‘delay’, which sets the timer for the next POST request that retrieves a command, and ‘exit’, which terminates communication.
Analysis also shows that the malware can run PowerShell on the infected device, which can be used to carry out a wide range of hostile tasks. The researchers confirmed this capability by using SharpRhino to launch the Windows calculator.
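As an added detection example, not code from the report or the researchers: a small Python scanner that checks constructed Sysmon-style events against the indicators described above (the two directory names, LogUpdate.bat and the Microsoft.AnyKey.exe shortcut). The Add-Type heuristic for in-memory C# compilation and the Run-key persistence location are assumptions, since the write-up names neither.

```python
import re

# Indicators named in the write-up: directory names, batch file, shortcut target.
DIR_NAMES = ("WindowsUpdater24", "LogUpdateWindows")
BATCH_FILE = "LogUpdate.bat"
SHORTCUT_TARGET = "Microsoft.AnyKey.exe"
# Heuristic not taken from the write-up: in-memory C# compilation from PowerShell
# normally goes through Add-Type, so flag PowerShell command lines that use it.
INMEM_CSHARP = re.compile(r"\bAdd-Type\b", re.IGNORECASE)


def scan_event(ev):
    """Return the rule names that one Sysmon-style event matches (case-insensitive)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        is_ps = "powershell" in ev.get("image", "").lower()
        if is_ps and BATCH_FILE.lower() in ev.get("parent_command_line", "").lower():
            hits.append("powershell_from_logupdate_bat")
        if is_ps and INMEM_CSHARP.search(ev.get("command_line", "")):
            hits.append("powershell_inmemory_csharp")
    elif kind == "file_create":
        path = ev.get("path", "").lower()
        if "programdata" in path and any(d.lower() in path for d in DIR_NAMES):
            hits.append("sharprhino_c2_directory")
        if path.endswith(".lnk") and SHORTCUT_TARGET.lower() in ev.get("target", "").lower():
            hits.append("anykey_shortcut")
    elif kind == "registry_set":
        # Assumed persistence location (a Run key); the write-up does not name the key.
        if "\\currentversion\\run" in ev.get("key", "").lower() \
                and SHORTCUT_TARGET.lower() in ev.get("value", "").lower():
            hits.append("run_key_persistence")
    return hits


def scan_events(events):
    """Map event id -> matched rule names, omitting events that match nothing."""
    return {ev["id"]: hits for ev in events if (hits := scan_event(ev))}


# Constructed sample telemetry for demonstration, not real captured events.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create", "path": r"C:\ProgramData\Microsoft\WindowsUpdater24\cfg.dat"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "Add-Type -TypeDefinition $src"',
     "parent_command_line": r"cmd.exe /c C:\ProgramData\LogUpdate.bat"},
    {"id": 3, "type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe", "parent_command_line": "explorer.exe"},
    {"id": 4, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\ProgramData\Microsoft.AnyKey.exe"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags events 1, 2 and 4 and leaves the benign notepad launch unflagged; in practice the same checks would be fed from Sysmon event IDs 1, 11 and 13 or an EDR export.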
Hunters International’s new strategy of distributing websites that spoof reputable open-source network scanning tools shows that the group targets IT workers in order to compromise accounts with elevated privileges.
Users should be wary of sponsored search results, use ad blockers to hide these results entirely, and bookmark official project sites to avoid falling victim to malvertising campaigns.