August 7, 2024
Severity
High
Analysis Summary
A new remote access trojan (RAT), SharpRhino, has given an up-and-coming threat group, one that has quickly climbed to the top of the ransomware food chain, a new weapon in its toolbox. The gang is using the malware in attacks that appear to be directed at IT specialists.
Researchers disclosed that Hunters International, which has been operational since October of last year, is using the Hive ransomware. After first gaining access to the targeted infrastructure, the gang uses the new malware, called SharpRhino, to establish persistence and keep remote access to the device.
SharpRhino reaches systems through typosquatted domains, posing as the open-source network administration utility Angry IP Scanner. According to the report, because Angry IP Scanner is open source, attackers can abuse valid code-signing certificates so that a network administrator appears to be downloading properly signed software while actually installing malware. Once executed, SharpRhino establishes persistence and grants the attackers remote access to the device, from which they can deploy the Hive ransomware to initiate a standard ransomware attack. Hunters International purchased the ransomware from its original creators, an organization that dissolved shortly after it was discovered by global law enforcement.
The malware can gain a high degree of access on the device using never-before-seen methods, ensuring that the attackers can continue their targeting with minimal interference. SharpRhino reflects the development of Hunters International, a Russian-affiliated organization: 134 incidents were attributed to the group in the first seven months of 2024. Because it owns Hive, it has climbed fast to become the 10th most active ransomware gang in 2024.
By operating as a ransomware-as-a-service (RaaS) provider, the group has positioned itself to spread Hive faster, contracting out most of the dirty work to less experienced criminals. Its quick ascent to prominence is probably mostly due to this RaaS model. Like many other ransomware operators, Hunters International exfiltrates data from target organizations before encrypting files. It then changes file extensions to .locked and leaves a README note directing victims to a chat room on the Tor network for payment instructions.
The encryptor itself is intricately designed and written in Rust, a programming language that is becoming increasingly popular among threat actors because of its efficiency, security features, and resistance to reverse engineering. This choice is consistent with the broader evolution of ransomware, of which Hive and BlackCat are two prominent examples.
The researchers examined a SharpRhino sample signed with a legitimate certificate issued to J-Golden Strive Trading Co. Ltd. The malware was delivered by a Nullsoft Scriptable Install System (NSIS)-packed executable, a common format that most archive tools, including 7-Zip, can unpack. The installer creates two directories under C:\ProgramData\Microsoft, one named WindowsUpdater24 and the other named LogUpdateWindows, giving the malware multiple channels to Hunters International's command-and-control (C2) infrastructure as a fallback mechanism. It also establishes persistence by adding a Run\UpdateWindowsKey registry value that points to the Microsoft.AnyKey shortcut.
Even if a security analyst finds the WindowsUpdater24 folder and its contents, there is a chance the persistence mechanism will remain and the device will stay infected. SharpRhino's ultimate goal in an attack is to give Hunters International persistent control of a targeted system, from which to launch a sophisticated ransomware attack for financial gain. The group targets opportunistically, without giving any particular sector or region priority.
Impact
- Unauthorized Remote Access
- Financial Loss
- Sensitive Data Theft
- File Encryption
Indicators of Compromise
Domain Name
- angryipo.org
- angryipsca.com
MD5
- 0995262c8adde90ec6d9e039b3d7293d
- 4bba5b7d3713e8b9d73ff1955211e971
SHA-256
- 223aa5d93a00b41bf92935b00cb94bb2970c681fc44c9c75f245a236d617d9bb
- 09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264
SHA-1
- 089ff4aee406f894c0ce2166d253c141a4c8fa32
- 9473104a1aefb0daabe41a92d75705be7e2daaf3
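The following hunting script is an added example, not part of the advisory or the researchers' tooling. It matches the indicators above (the two typosquat domains, the six file hashes, the two C:\ProgramData\Microsoft directories and the Run\UpdateWindowsKey value) against DNS-style log lines and EDR-style file/registry events. The IOC values are copied from this page; the log lines, the event records, the field names (`hash`, `path`, `run_value`) and the registry hive shown in the sample are constructed for illustration.

```python
"""Hunt for the SharpRhino indicators listed in this advisory.

Added example (not the advisory's own code). IOC values come from the page;
every log line and event record below is a constructed sample.
"""
import hashlib
import re

# Network indicators from the advisory (typosquats of the Angry IP Scanner site)
IOC_DOMAINS = {"angryipo.org", "angryipsca.com"}

# MD5, SHA-1 and SHA-256 values from the advisory, kept lowercase so matching
# is case-insensitive regardless of how a sensor reports them
IOC_HASHES = {
    "0995262c8adde90ec6d9e039b3d7293d",
    "4bba5b7d3713e8b9d73ff1955211e971",
    "089ff4aee406f894c0ce2166d253c141a4c8fa32",
    "9473104a1aefb0daabe41a92d75705be7e2daaf3",
    "223aa5d93a00b41bf92935b00cb94bb2970c681fc44c9c75f245a236d617d9bb",
    "09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264",
}

# Host artifacts from the advisory: the two fallback directories and the Run value name
IOC_PATHS = {
    r"c:\programdata\microsoft\windowsupdater24",
    r"c:\programdata\microsoft\logupdatewindows",
}
IOC_RUN_VALUE = "updatewindowskey"

# Loose hostname pattern; good enough to pull query names out of free-text log lines
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)


def hunt_dns_log(lines):
    """Return (line_no, name) for each line querying an IOC domain or a subdomain of one."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name in DOMAIN_RE.findall(line):
            name = name.lower().rstrip(".")
            if any(name == d or name.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((n, name))
    return hits


def hunt_file_events(events):
    """Flag events whose hash, path or Run value name matches an IOC.

    Each event is a dict with optional keys 'hash', 'path' and 'run_value'
    (field names are assumed for this example). Returns (event_index, reason) tuples.
    """
    hits = []
    for i, ev in enumerate(events):
        h = ev.get("hash", "").lower()
        if h in IOC_HASHES:
            hits.append((i, f"hash {h}"))
        # Normalise separators and case so both directory names match however they are logged
        p = ev.get("path", "").lower().replace("/", "\\").rstrip("\\")
        if any(p == d or p.startswith(d + "\\") for d in IOC_PATHS):
            hits.append((i, f"path {p}"))
        if ev.get("run_value", "").lower() == IOC_RUN_VALUE:
            hits.append((i, "run value " + ev["run_value"]))
    return hits


def hashes_of(data: bytes):
    """Compute all three digests so a file can be checked against every hash list above."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_matches_ioc(data: bytes) -> bool:
    """True if any digest of the given bytes is one of the advisory's hashes."""
    return any(v in IOC_HASHES for v in hashes_of(data).values())


# Constructed sample input: one benign control line and two look-alike queries
SAMPLE_DNS_LOG = [
    "2024-08-07T10:01:02Z client=10.0.0.5 query=angryip.org type=A",
    "2024-08-07T10:02:15Z client=10.0.0.7 query=download.angryipo.org type=A",
    "2024-08-07T10:03:40Z client=10.0.0.9 query=angryipsca.com type=A",
]

# Constructed sample events; the registry hive in the last record is assumed
SAMPLE_EVENTS = [
    {"path": r"C:\ProgramData\Microsoft\WindowsUpdater24\ipscan.exe",
     "hash": "223AA5D93A00B41BF92935B00CB94BB2970C681FC44C9C75F245A236D617D9BB"},
    {"path": r"C:\Program Files\7-Zip\7z.exe", "hash": "deadbeef"},
    {"run_value": "UpdateWindowsKey",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for n, d in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS line {n}: IOC domain {d}")
    for i, why in hunt_file_events(SAMPLE_EVENTS):
        print(f"event {i}: {why}")
```

The domain check deliberately matches subdomains of each typosquat, since a download host under the look-alike domain is the more likely thing to appear in proxy or DNS logs; path matching treats the two ProgramData directories as prefixes so anything dropped inside them is flagged, which matters because the advisory notes the second directory serves as a fallback when the first is cleaned up.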
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.