Hunters International Disguises SharpRhino RAT as Legitimate Network Admin Tool

Published: 23/11/2024   Category: security

The RaaS group that distributes Hive ransomware is delivering new malware that impersonates validly signed network-administration software to gain initial access to, and persistence on, targeted networks.



An emerging threat group that's made a meteoric rise to the top of the ransomware food chain has a new tool in its arsenal: a novel remote access Trojan (RAT). The group is using the tool in attacks that appear to be targeting IT professionals.

Researchers from Quorum Cyber revealed in a recent blog post that Hunters International, active since last October, is deploying Hive ransomware. The group uses the new malware, dubbed SharpRhino, first to gain access to targeted infrastructure and then to establish persistence and allow attackers to maintain remote access to the device.
SharpRhino compromises systems disguised as the open source network-administration tool Angry IP Scanner through typosquatting domains. Because Angry IP Scanner is open source, attackers can abuse and misuse valid code-signing certificates to make it look like a network admin is downloading software that has a valid certificate but instead is installing the malware, according to the post.
Upon execution, SharpRhino establishes persistence and provides the attackers with remote access to the device, which they then use to launch a typical ransomware attack using Hive ransomware. Hunters International acquired the malware from its original owners, a group that disbanded after it was taken out by international law enforcement soon after its inception.

"Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption," Quorum Cyber threat intelligence analyst Michael Forret wrote in the post.
SharpRhino demonstrates the progression of Hunters International, a group linked to Russia. In the first seven months of 2024, the group claimed responsibility for 134 attacks. It has quickly risen to ascendance as the 10th most active ransomware group in 2024 thanks to its possession of Hive.

Leveraging the ransomware, the group has positioned itself as a ransomware-as-a-service (RaaS) provider that works with less sophisticated actors to do much of its dirty work, allowing it to spread Hive more quickly. "Being a RaaS provider is highly likely a main cause for their fast rise to notoriety," Forret wrote.

Like many other ransomware operators, Hunters International exfiltrates data from victim organizations prior to encrypting files, then changes file extensions to .locked and leaves a README message guiding recipients to a chat portal on the Tor network for payment instructions.
"The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering," Forret wrote. "This tactic is in line with the evolution observed in the ransomware development, with notable examples including both Hive and BlackCat."

The researchers analyzed a sample of SharpRhino that used a valid certificate signed by J-Golden Strive Trading Co. Ltd. The file that delivered the malware was a Nullsoft Scriptable Install System (NSIS)-packed executable, a common file type that most compression tools such as 7-Zip can understand and read, Forret observed.
The installer establishes persistence by modifying the Run\UpdateWindowsKey registry key with the shortcut for Microsoft.AnyKey, and creates two directories under C:\ProgramData\Microsoft\ — one called WindowsUpdater24 and another called LogUpdateWindows — to provide multiple channels to Hunters International's command and control (C2) as a fallback mechanism, Forret noted.

"If the folder WindowsUpdater24 and its contents are discovered by a security engine or professional, there exists the possibility that the persistence mechanism will remain, and the device will remain infected," he wrote.
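As an added illustration (not code from Quorum Cyber or the article), the following PowerShell check hunts for the persistence artefacts named above on a Windows host. The indicator strings are the ones the article gives; the registry hive and the exact Run value data are assumptions, so both Run keys are read and matching is done on substrings.

```powershell
# Hypothetical defender check: look for the SharpRhino persistence artefacts
# described in the article. Hive and value data are assumed, hence both keys
# and substring matching on the value name as well as its data.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$Needles = @('UpdateWindowsKey', 'Microsoft.AnyKey', 'WindowsUpdater24', 'LogUpdateWindows')
# The two directories the NSIS installer creates under C:\ProgramData\Microsoft\
$Dirs = @('WindowsUpdater24', 'LogUpdateWindows') |
    ForEach-Object { Join-Path $env:ProgramData "Microsoft\$_" }

$Findings = @(foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # One finding per Run value; the first matching indicator is enough
        $hit = $Needles | Where-Object { $name -like "*$_*" -or $data -like "*$_*" } |
            Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$name"; Detail = $data; Indicator = $hit }
        }
    }
})
$Findings += @(foreach ($dir in $Dirs) {
    if (Test-Path $dir) {
        $count = (Get-ChildItem $dir -Force -ErrorAction SilentlyContinue | Measure-Object).Count
        [pscustomobject]@{ Type = 'Directory'; Location = $dir; Detail = "$count item(s)"; Indicator = (Split-Path $dir -Leaf) }
    }
})

if ($Findings.Count -eq 0) {
    'No SharpRhino persistence artefacts found.'
} else {
    $Findings | Format-Table -AutoSize
    # Forret's caveat: the directories are redundant channels, so deleting
    # WindowsUpdater24 alone can leave the device infected. Flag a lopsided clean-up.
    $hasLog = $Findings.Indicator -contains 'LogUpdateWindows'
    $hasUpd = $Findings.Indicator -contains 'WindowsUpdater24'
    if ($hasLog -and -not $hasUpd) {
        Write-Warning 'LogUpdateWindows present without WindowsUpdater24: fallback persistence may survive a partial clean-up.'
    }
}
```

Run it in an elevated session so the HKLM Run key and the ProgramData directories are readable; a hit on either directory or on a matching Run value warrants full incident response rather than deletion of the single folder found.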
Ultimately, SharpRhino's purpose in an attack is to give Hunters International persistence and control over a targeted system to launch a sophisticated ransomware attack for financial gain, which the group does without prioritizing any sector or region but instead by targeting via opportunistic means, Forret wrote.

Quorum Cyber included a list of indicators of compromise for SharpRhino so organizations can identify whether network administrators accidentally downloaded the RAT instead of the legitimate tool they believed they were deploying. It also provided MITRE ATT&CK mapping for the RAT's defense evasion, discovery, privilege escalation, execution, persistence, and C2 techniques.
