In late 2023, the ransomware group Hunters International emerged on the cyber threat landscape, drawing attention due to their sophisticated tactics and tools. Recently, researchers at Quorum Cyber reported the group’s use of a new C#-based remote access trojan (RAT) named SharpRhino, designed to infiltrate corporate networks. This advanced malware serves multiple functions, including initial infection, privilege elevation on compromised systems, execution of targeted PowerShell commands, and ultimately facilitating ransomware deployment.
SharpRhino is notable for its distribution method, which involves a sponsored Google Ads site masquerading as the legitimate Angry IP Scanner, a network scanning tool often trusted by IT professionals. This strategic misdirection has allowed the malware to gain traction, leading to numerous infections.
The group behind SharpRhino, suspected of being a rebranding of the notorious Hive group due to code similarities, has made a significant impact in the ransomware domain, claiming responsibility for 134 attacks since the beginning of the year. Some of their high-profile victims include the US Navy contractor Austal USA, Japanese optics company Hoya, Integris Health, and the Fred Hutch Cancer Center, demonstrating that no sector is immune to their threats.
The malicious SharpRhino operates using a signed 32-bit installer, “ipscan-3.9.1-setup.exe,” which houses a self-extracting 7z archive containing infectious payloads. Unbeknownst to potential victims, running this installer sets off a chain reaction: it modifies the Windows registry for persistence, creates shortcuts to disguised executables, and generates “LogUpdate.bat” files that execute covert PowerShell scripts.
Researchers have identified critical functionalities of SharpRhino, highlighting two hardcoded commands, “delay” and “exit”, that govern its communication with command-and-control servers. The malware’s ability to execute PowerShell commands on infected machines enables a wide range of malicious activity and further compromises the security of targeted networks.
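The infection chain above (installer, LogUpdate.bat, hidden PowerShell) is what a defender would hunt for in process-creation telemetry. The following is an added detection example written for this article, not code from Quorum Cyber or the original report; the event field names and every sample event are constructed to resemble Sysmon process-creation records, and the severity levels are my own assumption.

```python
# Added detection example (not from the original article or Quorum Cyber). Field names and
# all sample events are constructed to resemble Sysmon Event ID 1 records, not real captures.
from typing import Dict, List

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed telemetry: one SharpRhino-style chain, one LogUpdate.bat run later via
# persistence (no installer parent), and benign admin activity for contrast.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\it\Downloads\ipscan-3.9.1-setup.exe", "cmdline": "ipscan-3.9.1-setup.exe"},
    {"pid": 300, "ppid": 200, "image": CMD, "cmdline": r'cmd.exe /c "C:\ProgramData\LogUpdate.bat"'},
    {"pid": 400, "ppid": 300, "image": PS,  "cmdline": "powershell.exe -File C:\\ProgramData\\update.ps1"},
    {"pid": 500, "ppid": 100, "image": CMD, "cmdline": r'cmd.exe /c "C:\ProgramData\LogUpdate.bat"'},
    {"pid": 600, "ppid": 500, "image": PS,  "cmdline": "powershell.exe -File C:\\ProgramData\\update.ps1"},
    {"pid": 700, "ppid": 100, "image": r"C:\Program Files\Angry IP Scanner\ipscan.exe", "cmdline": "ipscan.exe"},
    {"pid": 800, "ppid": 100, "image": CMD, "cmdline": r'cmd.exe /c "C:\Scripts\backup.bat"'},
    {"pid": 900, "ppid": 800, "image": PS,  "cmdline": "powershell.exe -File backup.ps1"},
]

def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[dict]:
    """Walk parent links from pid toward the root, root first; tolerate cycles in bad data."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def find_suspicious_powershell(events: List[dict]) -> List[dict]:
    """Flag powershell.exe whose ancestry includes LogUpdate.bat; rate 'high' when the
    ipscan installer is also an ancestor, 'medium' when the batch file ran on its own
    (e.g. via the registry persistence the installer set up)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\powershell.exe"):
            continue
        parents = ancestry(ev["ppid"], by_pid)
        via_bat = any("logupdate.bat" in p["cmdline"].lower() for p in parents)
        via_installer = any(p["image"].lower().endswith("ipscan-3.9.1-setup.exe") for p in parents)
        if via_bat:
            findings.append({"pid": ev["pid"], "severity": "high" if via_installer else "medium",
                             "chain": [p["image"] for p in parents] + [ev["image"]]})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_powershell(EVENTS):
        print(f["severity"], f["pid"], " -> ".join(f["chain"]))
```

On real telemetry the batch-file name alone is a weak indicator, so the "medium" hits are triage leads to be confirmed against the registry and shortcut changes the article describes.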
Hunters International’s approach underscores a concerning trend in cyber threat tactics, particularly the targeting of IT professionals to gain elevated access within organizations. To defend against infections like SharpRhino, users are urged to scrutinize sponsored search results, use ad blockers, and download software only from trusted sources.
As the cybersecurity landscape evolves, it becomes increasingly vital to implement robust backup strategies, segment networks, and keep software up to date, so that threat actors cannot exploit vulnerabilities for lateral movement and privilege escalation.