CyberSecurity SEE

Hunters International's SharpRhino RAT Exposed Posing as Legitimate Network Admin Tool

An emerging threat group known as Hunters International has recently unveiled a new weapon in its arsenal: a remote access Trojan (RAT) called SharpRhino. The group has quickly risen to become a major player in the ransomware landscape, with a specific focus on IT professionals.

According to a recent blog post by researchers at Quorum Cyber, Hunters International began operating last October and has been using the newly developed SharpRhino malware alongside the Hive ransomware to carry out its attacks. SharpRhino's primary purpose is to gain initial access to targeted systems, establish persistence, and give the attackers remote access.

One of the group's distinctive tactics is disguising SharpRhino as Angry IP Scanner, a legitimate open-source network administration tool. Using typosquatted domains and valid code-signing certificates, the attackers deceive users into installing the malware in the belief that it is a trusted application, which lets SharpRhino run unnoticed and evade security controls.
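As an added defensive example, not code from the article or from Quorum Cyber's post: a small Python scanner that flags proxy-log requests to domains that typosquat or mimic the impersonated tool's legitimate site. The domain angryip.org is assumed to be the project's real domain (the article does not name it), and the log lines are constructed.

```python
import re

# Legitimate domain of the impersonated tool. Assumed here (the article does not
# name it); replace with the download domains your organisation actually allows.
LEGIT_DOMAINS = {"angryip.org"}

def levenshtein(a: str, b: str) -> int:
    # Edit distance: insert, delete and substitute each cost 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> str:
    # Verdicts: 'legit', 'lookalike-subdomain', 'typosquat' or 'unrelated'.
    host = host.lower().rstrip(".")
    reg = ".".join(host.split(".")[-2:])  # registrable part; fine for .org/.com
    if reg in LEGIT_DOMAINS:
        return "legit"
    name, _, tld = reg.rpartition(".")
    for legit in LEGIT_DOMAINS:
        lname, _, ltld = legit.rpartition(".")
        # The real name used as a subdomain of an unrelated registrable domain.
        if host.startswith(legit + ".") or "." + legit + "." in host:
            return "lookalike-subdomain"
        # Same name on another TLD, name embedded in a longer label, or <= 2 edits away.
        if (name == lname and tld != ltld) or lname in name or levenshtein(name, lname) <= 2:
            return "typosquat"
    return "unrelated"

# Constructed proxy-log lines for demonstration; not real traffic or indicators.
SAMPLE_PROXY_LOG = """\
2024-08-01T10:00:01Z 10.0.0.5 GET https://angryip.org/download/ 200
2024-08-01T10:02:14Z 10.0.0.7 GET https://angryipscanner.example/ipscan-setup.exe 200
2024-08-01T10:03:30Z 10.0.0.9 GET https://angyip.org/ipscan-setup.exe 200
2024-08-01T10:04:02Z 10.0.0.5 GET https://angryip.org.mirror-files.example/setup.exe 200
2024-08-01T10:05:45Z 10.0.0.8 GET https://example.org/index.html 200
"""

def scan(log_text: str) -> list[tuple[str, str]]:
    # Return (host, verdict) for every request to a lookalike of a legitimate domain.
    hits = []
    for m in re.finditer(r"https?://([^/\s:]+)", log_text):
        verdict = classify(m.group(1))
        if verdict not in ("legit", "unrelated"):
            hits.append((m.group(1), verdict))
    return hits
```

Calling `scan(SAMPLE_PROXY_LOG)` reports the three lookalike hosts and leaves the genuine download and the unrelated site alone; the distance check does not cover the code-signing side of the lure, which needs a publisher check on the downloaded binary.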

Once SharpRhino is executed on a system, it opens a backdoor that grants the attackers remote access and control. That access is then used to deploy the Hive ransomware, which encrypts files and demands payment from the victim. Hunters International acquired SharpRhino from its original creators, who were dismantled by law enforcement shortly after its inception.

Michael Forret, a threat intelligence analyst at Quorum Cyber, highlighted SharpRhino's sophistication in his post, noting that the malware is designed to escalate privileges on the infected device while causing minimal disruption to the attacker's operations. This sets SharpRhino apart from similar tools in the cybercriminal toolkit.

The evolution of Hunters International has been rapid, with the group being linked to Russia and claiming responsibility for 134 attacks in the first seven months of 2024. By offering Hive as a ransomware-as-a-service (RaaS), the group has expanded its reach and efficiency, working with less skilled actors to propagate the malware further and faster. This business model has contributed to the group’s notoriety and rapid rise in the ransomware landscape.

In targeting organizations, Hunters International follows a familiar pattern of exfiltrating data before encrypting files and demanding payment. The group uses the Tor network for communication and payment instructions, relying on anonymous channels for its criminal activities. Its encryptor is written in Rust, a memory-safe language whose compiled binaries are comparatively hard to analyse, reflecting an emphasis on resilient tooling and resistance to reverse engineering.

By disguising SharpRhino as a legitimate software package signed with a valid certificate, Hunters International aims to maintain persistence on infected devices and establish multiple communication channels for their command and control operations. This multi-layered approach ensures that even if one channel is compromised, the attackers can maintain control over the infected system and continue their operations.

Quorum Cyber has provided indicators of compromise for SharpRhino to help organizations identify potential infections and mitigate the threat. It has also mapped SharpRhino's techniques and procedures to the MITRE ATT&CK framework, aiding security professionals in defending against and responding to these types of attacks.

Overall, the emergence of SharpRhino and the activities of Hunters International paint a picture of a sophisticated and well-organized cybercriminal operation. With a focus on targeting IT professionals and leveraging advanced malware tools, this group represents a significant threat to organizations worldwide. Detection and mitigation efforts must be heightened to prevent further damage and disruption from these malicious actors.
