Targeting IT Workers to Achieve Initial Infection and Privilege Escalation
The ransomware gang known as Hunters International is increasingly targeting IT professionals with a new remote access trojan (RAT) called SharpRhino in order to breach corporate networks, according to researchers from Quorum Cyber. By targeting IT workers, the threat group aims both to gain an initial foothold on systems and to elevate privileges, which helps it deploy the ransomware payload.
SharpRhino spreads via a typosquatted website impersonating the legitimate networking tool “Angry IP Scanner”, which is widely used by IT professionals. The website serves a signed 32-bit installer containing a self-extracting archive with the additional files needed to carry out the infection. Upon execution, the installer modifies the Windows registry for persistence and creates a shortcut that abuses the legitimate Microsoft Visual Studio binary “Microsoft.AnyKey.exe”. Two directories are created on the system for command and control (C2) communication with the threat actors.
SharpRhino Malware: PowerShell Abuse and Command Execution
The SharpRhino malware drops batch files that execute PowerShell scripts to compile the embedded C# payload in memory, allowing stealthy execution without writing a compiled binary to disk. Researchers demonstrated PowerShell command execution on the host system by launching the Windows calculator program through SharpRhino. With privileged access, the ransomware operators can perform escalated actions on the compromised network, such as lateral movement and data encryption. The hardcoded commands “delay” and “exit” control the timing of POST requests to the C2 server and the termination of C2 communication, respectively.
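The batch-to-PowerShell chain and in-memory C# compilation described above are visible to defenders in PowerShell Script Block Logging (Event ID 4104). The following is an added example, not code from the article or from Quorum Cyber: a small triage routine over constructed 4104-style events that flags in-memory compilation, a batch-file launcher, and any reference to Microsoft.AnyKey.exe. The regexes are this example's assumptions about what such activity looks like in logs, not SharpRhino signatures, and legitimate admin scripts that call Add-Type will also match, so treat hits as leads for review.

```python
import re

# Heuristics for one Script Block Logging event (Event ID 4104): does the block
# compile C# in memory, does it reference Microsoft.AnyKey.exe, and was it
# launched through a batch file? These patterns are assumptions made for this
# example, not SharpRhino signatures; Add-Type is common in benign admin scripts.
INMEM_COMPILE = re.compile(
    r"Add-Type\s+[^\n]*-TypeDefinition|CSharpCodeProvider"
    r"|CompileAssemblyFromSource|\[System\.Reflection\.Assembly\]::Load\(",
    re.IGNORECASE,
)
ANYKEY = re.compile(r"Microsoft\.AnyKey\.exe", re.IGNORECASE)
BATCH_LAUNCH = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


def assess_event(event):
    """Score one event dict with keys 'path' (script path or parent command
    line) and 'script' (block text). Returns (severity, reasons)."""
    reasons, score = [], 0
    if INMEM_COMPILE.search(event["script"]):
        reasons.append("in-memory C# compilation")
        score += 2  # weighted: this is the core technique the article describes
    if ANYKEY.search(event["script"]) or ANYKEY.search(event["path"]):
        reasons.append("references Microsoft.AnyKey.exe")
        score += 1
    if BATCH_LAUNCH.search(event["path"]):
        reasons.append("launched via batch file")
        score += 1
    severity = ("none", "low", "medium")[score] if score < 3 else "high"
    return severity, reasons


def triage(events):
    """Return [(path, severity, reasons)] for every event scoring above 'none'."""
    findings = []
    for event in events:
        severity, reasons = assess_event(event)
        if severity != "none":
            findings.append((event["path"], severity, reasons))
    return findings


# Constructed sample events for demonstration, not real telemetry.
SAMPLE_EVENTS = [
    {"path": r"C:\Users\it-admin\AppData\Local\Temp\run.bat",
     "script": "$src = Get-Content .\\stage.txt -Raw\nAdd-Type -TypeDefinition $src\n[Stage]::Run()"},
    {"path": r"C:\Scripts\inventory.ps1",
     "script": "Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version"},
    {"path": r"C:\ProgramData\Updater\launch.cmd",
     "script": "Start-Process 'C:\\ProgramData\\Updater\\Microsoft.AnyKey.exe'"},
]
```

Calling `triage(SAMPLE_EVENTS)` rates the batch-launched in-memory compile as high, the AnyKey launcher as medium, and leaves the inventory script unflagged.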
Hunters International Ransomware Operations
The ransomware gang Hunters International first emerged in late 2023 and is considered a possible rebrand of the Hive ransomware operators due to code similarities. In 2024 so far, they have conducted approximately 134 ransomware attacks worldwide according to their own announcements, ranking as the 10th most active group. Notable victims of Hunters International include US Navy contractor Austal USA, Japanese optics company Hoya, and healthcare providers Integris Health and Fred Hutch Cancer Center.
Mitigations Against Ransomware Attacks
To mitigate ransomware risks, organizations should establish backup solutions, implement network segmentation practices, and keep all software up to date. Users should be wary of typosquatting websites, refrain from downloading executables from untrusted sources, and use ad blockers to avoid malvertising. Staying alert to social engineering tactics targeting IT workers can help reduce opportunities for ransomware criminals to achieve initial access and escalate privileges on corporate networks.