BIGFISH TECHNOLOGY LIMITED
06 August 2024

A ransomware group is targeting IT professionals with new SharpRhino malware.

The Hunters International ransomware operation is targeting IT workers with SharpRhino, a new C# remote access trojan (RAT) used to gain initial access to corporate networks.

The malware gives Hunters International its initial foothold, lets the operators elevate privileges on compromised systems and run PowerShell commands, and ultimately deploys the ransomware payload.

Quorum Cyber researchers, who discovered the new malware, report that it is distributed through a typosquatting site impersonating the website of Angry IP Scanner, a legitimate network scanning utility widely used by IT professionals.

Hunters International is a ransomware operation that emerged in late 2023 and has been identified as a probable rebrand of Hive owing to code similarities.

Notable victims include US Navy contractor Austal USA, Japanese optics giant Hoya, Integris Health and the Fred Hutch Cancer Center, an attack in which the cybercriminals demonstrated their disregard for moral boundaries.

So far in 2024 the group has claimed 134 ransomware attacks on organizations worldwide (excluding the CIS), placing it ninth among the most active gangs in the space.


SharpRhino RAT

SharpRhino is delivered as a digitally signed 32-bit installer ('ipscan-3.9.1-setup.exe') that contains a self-extracting, password-protected 7z archive holding the remaining files of the infection chain.

The installer modifies the Windows registry for persistence and creates a shortcut to Microsoft.AnyKey.exe, which is normally a Microsoft Visual Studio binary but is being abused in this case.

The installer also drops 'LogUpdate.bat', which runs PowerShell scripts on the device to compile C# in memory, so that the malware executes without leaving a compiled binary on disk.

The installer creates two directories under 'C:\ProgramData\Microsoft', 'WindowsUpdater24' and 'LogUpdateWindows', to provide redundancy in the command and control (C2) exchange.

The malware has two hardcoded commands: 'delay', which sets the timer for the next POST request that fetches a command, and 'exit', which ends communication with the C2 server.

Analysis shows that the malware can execute PowerShell on the host, which can be used to carry out a wide range of malicious actions.

Quorum demonstrated this capability by launching the Windows calculator through SharpRhino.
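The behaviour described above (a dropped 'LogUpdate.bat', PowerShell compiling C# in memory, the abused Microsoft.AnyKey.exe shortcut, and staging directories under C:\ProgramData\Microsoft) is the kind of chain a defender can hunt for in endpoint telemetry. The script below is an added example, not code from the original article or from Quorum Cyber's report: it runs a small set of indicator checks over constructed, Sysmon-style process-creation and file-creation events. The event layout, the assumption that in-memory C# compilation from PowerShell shows up as Add-Type or CSharpCodeProvider on the command line, the Visual Studio install roots treated as the legitimate home of Microsoft.AnyKey.exe, and the sample events themselves are all assumptions made for the example.

```python
"""Hunt for SharpRhino-style installer behaviour in endpoint events.

Added example: indicator names come from the write-up; the flattened event
layout, the sample events and the detection heuristics are assumptions."""
import re
from dataclasses import dataclass

# Indicators taken from the write-up.
DROPPED_BATCH = "logupdate.bat"
ABUSED_BINARY = "microsoft.anykey.exe"
INSTALLER_NAME = "ipscan-3.9.1-setup.exe"   # weak alone: the real installer shares this name
STAGING_DIRS = (
    r"c:\programdata\microsoft\windowsupdater24",
    r"c:\programdata\microsoft\logupdatewindows",
)
# Assumption: where a legitimate Microsoft.AnyKey.exe would normally live.
VS_ROOTS = (
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
)
# Assumption: in-memory C# compilation from PowerShell is visible as one of these.
INMEM_COMPILE = re.compile(r"add-type|csharpcodeprovider|compileassemblyfromsource", re.I)


@dataclass
class Event:
    kind: str            # "process" (process creation) or "file" (file creation)
    image: str           # process image path, or the created file's full path
    cmdline: str = ""    # process command line (process events only)
    parent: str = ""     # parent process image path (process events only)


def classify(ev: Event) -> list:
    """Return the names of every indicator the event matches (empty if none)."""
    hits = []
    image, cmd, parent = ev.image.lower(), ev.cmdline.lower(), ev.parent.lower()
    if ev.kind == "file":
        if any(image.startswith(d + "\\") for d in STAGING_DIRS):
            hits.append("staging_dir_write")
        if image.endswith("\\" + DROPPED_BATCH):
            hits.append("dropped_batch")
        return hits
    if ev.kind != "process":
        return hits
    if image.endswith("\\" + INSTALLER_NAME):
        hits.append("installer_name_match")
    if image.endswith("\\" + ABUSED_BINARY) and not image.startswith(VS_ROOTS):
        hits.append("anykey_outside_vs")          # VS helper running from an odd place
    if image.endswith("\\cmd.exe") and DROPPED_BATCH in cmd:
        hits.append("batch_launch")
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and INMEM_COMPILE.search(cmd):
        hits.append("inmem_csharp_compile")
    if parent.endswith("\\" + INSTALLER_NAME):
        hits.append("spawned_by_installer")
    if parent.endswith("\\" + ABUSED_BINARY):
        hits.append("child_of_anykey")            # assumption: AnyKey should not spawn children
    return hits


def hunt(events):
    """Map event index -> matched indicators, for events that matched anything."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


def is_suspicious(events, threshold: int = 2) -> bool:
    """Flag a host once at least `threshold` distinct indicators are seen,
    so a single weak match (e.g. the installer file name) is not enough."""
    distinct = {name for hits in hunt(events).values() for name in hits}
    return len(distinct) >= threshold


# Constructed sample telemetry: a fake-installer chain followed by two benign events.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\it\Downloads\ipscan-3.9.1-setup.exe",
          "ipscan-3.9.1-setup.exe", r"C:\Windows\explorer.exe"),
    Event("file", r"C:\ProgramData\Microsoft\WindowsUpdater24\LogUpdate.bat"),
    Event("file", r"C:\ProgramData\Microsoft\LogUpdateWindows\Microsoft.AnyKey.exe"),
    Event("process", r"C:\ProgramData\Microsoft\WindowsUpdater24\Microsoft.AnyKey.exe",
          "Microsoft.AnyKey.exe", r"C:\Users\it\Downloads\ipscan-3.9.1-setup.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c "C:\ProgramData\Microsoft\WindowsUpdater24\LogUpdate.bat"',
          r"C:\ProgramData\Microsoft\WindowsUpdater24\Microsoft.AnyKey.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -nop -w hidden -c "Add-Type -TypeDefinition $src"',
          r"C:\Windows\System32\cmd.exe"),
    # Benign: the genuine Visual Studio binary, and an ordinary PowerShell session.
    Event("process", r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Microsoft.AnyKey.exe",
          "Microsoft.AnyKey.exe", r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe Get-Process", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
    print("host suspicious:", is_suspicious(SAMPLE_EVENTS))
```

Each check is deliberately narrow, and the host-level verdict requires several distinct indicators, because the individual pieces (a PowerShell Add-Type, an installer called ipscan-3.9.1-setup.exe) are common on an IT workstation; it is the combination with the ProgramData staging directories and a Visual Studio helper running outside its install root that makes the chain stand out.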

Hunters International's new tactic of setting up websites that spoof well-known open-source network scanning tools indicates that they are targeting IT workers in order to compromise accounts with elevated privileges.

To avoid malvertising, be wary of sponsored search results, use an ad blocker to hide those results entirely, and bookmark the official project sites known to provide safe installers.

To limit the impact of a ransomware attack, maintain a tested backup plan, segment the network, and keep all software up to date to reduce the opportunities for privilege escalation and lateral movement.


Source: Bleeping Computer


#Hunters International #Malware #Ransomware #SharpRhino #TypoSquatting