Hunters International has deployed a novel C# malware dubbed SharpRhino as an initial infection vector and persistent Remote Access Trojan (RAT).
Delivered through a typosquatting domain that looks like an Angry IP Scanner, SharpRhino uses techniques that have never been seen before to increase privileges, let the group move laterally without any problems, and then deploy ransomware. This shows how their strategies are changing and how complex RaaS operations are becoming.
Hunters International, a rapidly escalating RaaS group, emerged in October 2023 and quickly became a top-ten ransomware actor.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access
Strongly linked to the defunct Hive group due to code similarities, they employ a sophisticated Rust-based encryptor to lock victim files with the .locked extension after initial data exfiltration.
Their business model, combined with advanced technical capabilities, has driven their prolific attack campaign, targeting numerous organizations across various sectors.
It targets organizations globally without sector preference, while the malware sample, a 32-bit self-extracting executable disguised as a legitimate network tool, utilizes a valid code certificate for obfuscation.
The malware’s hashes are 4bba5b7d3713e8b9d73ff1955211e971, 9473104a1aefb0daabe41a92d75705be7e2daf3, and 09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264, signed by J-Golden Strive
.webp)
SharpRhino, disguised as the AngryIP installer, is an NSIS-packed executable containing an additional binary and a password-protected 7z archive.
Analysts detonated the malware to bypass the archive password, capturing command-line arguments and revealing the password, allowing them to extract the archive’s contents for further investigation.
The NSIS installer modifies the RunUpdateWindowsKey registry to achieve persistence by launching Microsoft.AnyKey.exe, a LOLBIN from Microsoft Visual Studio 2019 Node JS tools that the attacker deployed.
.webp)
This LOLBIN executes LogUpdate.bat, a bat file referencing a further obfuscated PowerShell script. The installer creates two directories, WindowsUpdater24 and LogUpdateWindows, containing files for C2 communication.
Analysis of the .t file by Quorum Cyber revealed it to be a PowerShell script employing fileless malware tactics. It decodes embedded C# source code, compiles it into memory, and executes it.
Initial investigation indicates the malware communicates with a Cloudflare Serverless Architecture endpoint, likely the attacker’s command-and-control infrastructure.
To confirm this, the .t file was modified to extract the embedded C# source code and convert it into a file for further analysis.
.webp)
Analysis of SharpRhino malware revealed a highly obfuscated C# payload utilizing encryption to conceal communication data.
Investigators figured out SharpRhino’s main functions by sending network traffic to a controlled environment and deobfuscating important code pieces, including encrypted communication with a C2 server, PowerShell command execution, and a basic delay mechanism.
Successful emulation of C2 commands, including the execution of ‘calc.exe’, confirmed full control over the infected system, highlighting the malware’s potential for extensive damage if leveraged by malicious actors.
The SharpRhino RAT trojan uses the following Indicators of Compromise (IOCs) for detection, including LogUpdate.bat, Wiaphoh7um.t, ipscan-3.9.1-setup.exe, kautix2aeX.t, and WindowsUpdate.bat. These files have corresponding SHA-256 hashes for identification.
The RAT also communicates with command and control servers located at cdn-server-1.xiren77418.workers.dev, cdn-server-2.wesoc40288.workers.dev, Angryipo.org, and Angryipsca.com.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide