SharpRhino RAT: Hunters International's Latest Weapon in Cyber Attacks
Introduction
The emerging threat group known as Hunters International has added a new remote access Trojan (RAT) to its arsenal. The group, which has risen quickly through the ranks of ransomware operators, is using the RAT, dubbed SharpRhino, to target IT professionals specifically. Disguised as a legitimate network-administration tool, SharpRhino gives the group initial access to and persistence on a victim's network, the foothold from which its ransomware deployment is staged.
Details of the SharpRhino RAT
Researchers at Quorum Cyber report that Hunters International, active since October 2023, now uses SharpRhino to gain the foothold for its Hive-derived ransomware. The RAT is distributed as Angry IP Scanner, a legitimate open-source network-administration tool, from a typosquatted domain that imitates the project's real site. The installer is signed with a valid code-signing certificate, so an administrator who lands on the lookalike site sees what looks like a signed download of a familiar tool; what actually runs is the malware. The lure works precisely because the people it targets are the ones who routinely download and run network tools.
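The typosquatting step is the easiest part of this chain to catch in DNS or proxy logs. The following is an added example, not Quorum Cyber's or Foresiet's code, showing how to flag hostnames that imitate the Angry IP Scanner site. It assumes the legitimate project domain is angryip.org and that a log export can be reduced to a list of hostnames; every hostname in the sample list is constructed for the example and is not a reported SharpRhino indicator.

```python
"""Typosquat check for download domains, modelled on the Angry IP Scanner lure.

Added example, not Quorum Cyber's or Foresiet's code. Assumes the legitimate
project domain is angryip.org; all sample hostnames below are constructed.
"""

from dataclasses import dataclass

LEGIT_DOMAIN = "angryip.org"          # real project site (assumption for this example)
BRAND_TOKENS = ("angryip", "ipscan")  # strings an impersonating domain would reuse
MAX_EDIT_DISTANCE = 2                 # label distance still treated as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual DP; inputs are short DNS labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Enough for .org/.com/.net lookalikes;
    multi-part suffixes such as co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class Verdict:
    host: str
    suspicious: bool
    reason: str


def check_host(host: str) -> Verdict:
    reg = registrable_domain(host)
    if reg == LEGIT_DOMAIN:
        return Verdict(host, False, "legitimate domain")
    sld, _, _tld = reg.partition(".")
    legit_sld = LEGIT_DOMAIN.split(".")[0]
    normalized = sld.replace("-", "")  # angry-ip.net should compare as angryip
    # 1. Same or near-same label on another TLD, or a one/two-character mutation.
    dist = edit_distance(normalized, legit_sld)
    if dist <= MAX_EDIT_DISTANCE:
        return Verdict(host, True, f"label '{sld}' within edit distance {dist} of '{legit_sld}'")
    # 2. Brand token embedded in a longer label (angryipscanner, download-angryip, ...).
    for token in BRAND_TOKENS:
        if token in normalized:
            return Verdict(host, True, f"brand token '{token}' in unrelated domain {reg}")
    return Verdict(host, False, "no resemblance")


def triage(hosts):
    """Return only the verdicts worth a human's time."""
    return [v for v in (check_host(h) for h in hosts) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample hostnames, not indicators from the report.
    SAMPLE = ["www.angryip.org", "angryipscanner.example", "angryyip.org",
              "angry-ip.net", "github.com", "update.microsoft.com"]
    for v in triage(SAMPLE):
        print(f"{v.host}: {v.reason}")
```

Run it over the hostname column of a DNS or proxy export; the two checks catch the common patterns (a mutated label, or the brand name buried in a longer registrable domain) without needing the actual typosquat domain in advance, so the rule keeps working when the operators rotate infrastructure.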
On execution, SharpRhino establishes persistence on the host and gives the operators remote access, from which they run the usual ransomware playbook with the group's Hive-derived encryptor. Hunters International obtained the Hive code base after the original Hive operation was dismantled by international law enforcement. The RAT also uses techniques not previously observed in the wild to obtain elevated privileges on the host, which reduces the chance that the operators' activity is interrupted before encryption.
Evolution of Hunters International
The rapid rise of Hunters International, which has been linked to Russia, is exemplified by its deployment of SharpRhino. In the first seven months of 2024 the group was responsible for 134 attacks, making it the 10th most active ransomware group of the year. Its swift ascent is largely due to operating as a ransomware-as-a-service (RaaS) provider: affiliates with less capability of their own carry out intrusions and deploy the Hive-derived ransomware, which spreads the operation far wider than the core group could manage alone.
As part of its modus operandi, Hunters International exfiltrates data before encrypting files, changes file extensions to .locked, and leaves a README message directing victims to a chat portal on the Tor network for payment instructions. The encryptor is written in Rust, a language increasingly favored by ransomware developers because it compiles natively for Windows and Linux, produces fast binaries, and yields executables that are harder to reverse engineer with mature tooling than equivalent C/C++ or .NET code.
Disguised as Legitimate Software
Analysis of SharpRhino shows that it is signed with a valid certificate issued to J-Golden Strive Trading Co. Ltd. The malware is delivered as a Nullsoft Scriptable Install System (NSIS) packed executable, a format that common archive tools such as 7-Zip can open, so an analyst can extract the dropped files for static triage without running the installer. SharpRhino establishes persistence through a registry autostart entry that launches a binary named Microsoft.AnyKey, and creates two directories under C:\ProgramData\Microsoft named WindowsUpdater24 and LogUpdateWindows. Each directory holds a separate channel to Hunters International's command-and-control (C2) infrastructure, so access survives if one channel is discovered and removed. Note that the certificate passes a plain validity check; only the signer's identity gives it away, which is why defenders should compare the signer name against an allow-list rather than trusting any valid signature.
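The artefacts above (the autostart entry, the Microsoft.AnyKey name, the two staging directories and the signer name) are enough for a host-telemetry hunt. The following is an added example, not Quorum Cyber's or Foresiet's code, that matches them against Sysmon-style events. It assumes events arrive as dicts with the field names used below (EventID, Image, TargetObject, Details, TargetFilename) and that a pipeline enrichment step adds a Signature field to process-create events (Sysmon's own event 1 does not carry signer data); the sample events are constructed, and the Run-key value name, file names and user SID in them are invented placeholders rather than reported indicators.

```python
"""Match SharpRhino host artefacts against Sysmon-style telemetry.

Added example, not Quorum Cyber's or Foresiet's code. Paths, the
Microsoft.AnyKey name and the signer string come from the article; the
field layout and all sample events are assumptions/constructed data.
"""

import re
from dataclasses import dataclass

# Artefacts named in the write-up (compared case-insensitively)
STAGING_DIRS = (
    r"c:\programdata\microsoft\windowsupdater24",
    r"c:\programdata\microsoft\logupdatewindows",
)
ANYKEY_RE = re.compile(r"microsoft\.anykey", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run", re.IGNORECASE)
SIGNER = "j-golden strive trading co"


@dataclass(frozen=True)
class Finding:
    technique: str      # MITRE ATT&CK technique ID
    description: str
    event_id: int


def _under_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in STAGING_DIRS)


def evaluate(event: dict) -> list:
    """Return zero or more findings for a single event."""
    out = []
    eid = event.get("EventID")
    if eid == 13:  # RegistryEvent (value set)
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY_RE.search(target) and (ANYKEY_RE.search(details) or _under_staging_dir(details)):
            out.append(Finding("T1547.001", f"Run-key autostart pointing at {details}", eid))
    elif eid == 11:  # FileCreate
        fn = event.get("TargetFilename", "")
        if _under_staging_dir(fn):
            out.append(Finding("T1036.005", f"file dropped in SharpRhino staging directory: {fn}", eid))
    elif eid == 1:  # ProcessCreate (Signature assumed added by enrichment)
        image, sig = event.get("Image", ""), event.get("Signature", "")
        if SIGNER in sig.lower():
            out.append(Finding("T1553.002", f"binary signed by '{sig}': {image}", eid))
        if ANYKEY_RE.search(image) or _under_staging_dir(image):
            out.append(Finding("T1036.005", f"execution from staging path or Microsoft.AnyKey name: {image}", eid))
    return out


def hunt(events) -> list:
    """Evaluate every event and collect the findings in order."""
    findings = []
    for ev in events:
        findings.extend(evaluate(ev))
    return findings


# Constructed sample telemetry; value name, SID and file names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\admin\Downloads\ipscan-setup.exe",
     "Signature": "J-Golden Strive Trading Co. Ltd"},
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\Microsoft\WindowsUpdater24\Microsoft.AnyKey.exe"},
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\Microsoft\LogUpdateWindows\update.bat"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\UpdateWindows",
     "Details": r"C:\ProgramData\Microsoft\WindowsUpdater24\Microsoft.AnyKey.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "Signature": "Microsoft Windows"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] event {f.event_id}: {f.description}")
```

The signer check is deliberately a substring match on the subject name rather than a certificate-validity test, because the certificate in this campaign is valid; the Run-key rule fires on either the Microsoft.AnyKey name or any target under the two staging directories, so a renamed binary still trips it as long as the directory names are reused.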
Conclusion
The deployment of SharpRhino by Hunters International highlights how deliberately threat actors now pick their targets. By disguising malware as a legitimate network-administration tool, they reach IT professionals directly, the users most likely to run an unfamiliar binary with elevated rights and most useful for gaining initial access and persistence on critical systems. Organizations should insist that administrative tools are downloaded only from the vendor's official site and verified against published hashes, should check the signer identity of installers rather than merely whether a signature is valid, and should alert on new autostart registry entries and new executables appearing under C:\ProgramData\Microsoft. These host-level controls complement external measures such as stolen-credential detection, dark web monitoring, and compromised-data tracking.
Understanding the tactics and tools used by groups like Hunters International is essential for building effective defenses against ransomware and related threats. Quorum Cyber's published indicators of compromise and MITRE ATT&CK mapping for SharpRhino give organizations a concrete starting point for detecting and mitigating this emerging threat.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
Nov. 5, 2024, 9:53 a.m.
Oct. 16, 2024, 3:33 p.m.