Search This Blog

Powered by Blogger.

Blog Archive

Labels

New Ransomware Threat: Hunters International Deploys SharpRhino RAT

Hunters International’s SharpRhino RAT targets IT workers via a fake Angry IP Scanner site, aiming to breach corporate networks and deploy ransomware.

 

In a troubling development for cybersecurity professionals, the Hunters International ransomware group has introduced a sophisticated new remote access trojan (RAT) called SharpRhino. This C#-based malware is specifically designed to target IT workers and breach corporate networks through a multi-stage attack process. The malware’s primary functions include achieving initial infection, elevating privileges on compromised systems, executing PowerShell commands, and ultimately deploying a ransomware payload. 

Recent findings from Quorum Cyber researchers reveal that SharpRhino is distributed via a malicious site masquerading as Angry IP Scanner, a legitimate networking tool widely used by IT professionals. The deceptive website uses typosquatting techniques to lure unsuspecting users into downloading the malware. This approach highlights a new tactic by Hunters International, aiming to exploit the trust IT workers place in well-known tools. The SharpRhino RAT operates through a digitally signed 32-bit installer named ‘ipscan-3.9.1-setup.exe.’ 

This installer contains a self-extracting, password-protected 7z archive filled with additional files necessary for the malware’s execution. Upon installation, SharpRhino modifies the Windows registry to ensure persistence on the compromised system and creates a shortcut to Microsoft.AnyKey.exe, which is normally a Microsoft Visual Studio binary but is abused here for malicious purposes. Additionally, the installer drops a file named ‘LogUpdate.bat,’ which executes PowerShell scripts to run the malware stealthily. To facilitate command and control (C2) operations, SharpRhino creates two directories: ‘C:\ProgramData\Microsoft: WindowsUpdater24’ and ‘LogUpdateWindows.’ 

These directories are used to manage communication between the malware and its operators. SharpRhino also includes hardcoded commands such as ‘delay’ to set the timer for the next POST request and ‘exit’ to terminate communication. This enables the malware to execute various dangerous actions, including launching PowerShell commands. For instance, Quorum Cyber researchers demonstrated the malware’s capability by launching the Windows calculator. Hunters International, which began operations in late 2023, has been associated with several high-profile ransomware attacks. Notable victims include U.S. Navy contractor Austal USA, Japanese optics giant Hoya, Integris Health, and the Fred Hutch Cancer Center. 

In 2024 alone, the group has claimed responsibility for 134 ransomware attacks, ranking it among the top ten most active ransomware operators globally. The deployment of SharpRhino through a fake website underscores Hunters International’s strategic focus on IT professionals, leveraging their reliance on familiar software to infiltrate corporate networks. To protect against such threats, users should exercise caution with search results and sponsored links, use ad blockers, and verify the authenticity of download sources. Implementing robust backup plans, network segmentation, and keeping software up-to-date are essential measures to mitigate the risk of ransomware attacks.
Share it:

Cyber Attacks

IT Sector

Malware Attack

Ransomware attack

Ransomware Threat

Remote Access Trojan

Trojan