SharpRhino malware targets IT admins – Hunters International gang suspected

Fake Angry IP Scanner will make you furious - or maybe remind you of how the Hive gang went about its banal business


The latest malware from upstart criminal gang Hunters International appears to be targeting network admins, using malicious code disguised as the popular networking tool Angry IP Scanner.

The software nasty, dubbed SharpRhino on account of its use of C#, is hidden in a fake version of the scanning tool posted to typosquatted websites – sites whose domain names are slight misspellings of the real one, so that a casual glance reads them as legit and the victim is tricked into running the code.

The malware was discovered by Scottish security shop Quorum Cyber and appears to have been around since mid-June.

The trojan's executable is named "ipscan-3.9.1-setup.exe" and consists of a 32-bit Nullsoft (NSIS) installer containing a password-protected 7z archive. The malware seekers at Quorum Cyber recovered the archive's password, and once inside found an application named Microsoft.AnyKey.exe.

When run, SharpRhino sets a Run key value named UpdateWindowsKey in the registry to point at the Microsoft.AnyKey.exe file – a modified copy of a Node.js tool shipped with Microsoft Visual Studio 2019 – so the code is relaunched at each logon. It also establishes contact with two command-and-control systems: the first hosts the initial payload and the comms channel back to the operator, while the second is used to dig into the target's machine and establish persistence.
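One way to hunt for the persistence mechanism described above, as an added example that is not code from the article or from Quorum Cyber's write-up: a Python script that parses a `reg export` of the per-user Run key and flags entries matching the two indicators the article gives (the UpdateWindowsKey value name and the Microsoft.AnyKey.exe file name). The sample export, the user name alice and the AppData drop path are constructed for the example; the "autorun from a user-writable path" rule is a general hunting heuristic, not something the article states.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: what `reg export HKCU\...\Run run.reg` produces (decoded
# from UTF-16 to str). Only the value name "UpdateWindowsKey" and the file name
# Microsoft.AnyKey.exe come from the SharpRhino analysis; the other entries,
# the user name and the drop path are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"UpdateWindowsKey"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft.AnyKey.exe"
"Updater"=hex(2):43,00,3a,00,5c,00,00,00
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="data" with .reg escaping (backslashes doubled, quotes escaped).
STRING_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

# Indicators taken from the article.
IOC_VALUE_NAMES = {"updatewindowskey"}
IOC_FILE_NAMES = {"microsoft.anykey.exe"}
# Heuristic (assumption, not from the article): autoruns launched from
# user-writable directories deserve a second look whatever they are called.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (any escaped char -> itself)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key_path, value_name, data) for REG_SZ values in a .reg export.
    hex:/dword: values, default values (@=) and comments are skipped."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, _unescape(m.group("name")), _unescape(m.group("data"))))
    return entries


def executable_of(command):
    """Best-effort extraction of the executable path from a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: CreateProcess tries successively longer space-delimited prefixes,
    # so take the first prefix that names an .exe, else the first token.
    parts = command.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(".exe"):
            return candidate
    return parts[0]


def triage_run_entries(entries):
    """Score Run-key entries: 'high' on an article IOC, 'review' on the heuristic."""
    findings = []
    for key, name, command in entries:
        if "\\currentversion\\run" not in key.lower():
            continue
        exe = executable_of(command)
        base = PureWindowsPath(exe).name.lower()
        reasons = []
        if name.lower() in IOC_VALUE_NAMES:
            reasons.append("value name matches SharpRhino IOC")
        if base in IOC_FILE_NAMES:
            reasons.append("executable name matches SharpRhino IOC")
        if any(marker in exe.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("autorun from user-writable path")
        if reasons:
            severity = "high" if (name.lower() in IOC_VALUE_NAMES or base in IOC_FILE_NAMES) else "review"
            findings.append({"key": key, "name": name, "exe": exe, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f['severity']}] {f['key']}\\{f['name']} -> {f['exe']} ({'; '.join(f['reasons'])})")
```

On the constructed sample the UpdateWindowsKey entry comes out as a high-severity hit on both indicators, while the OneDrive entry lands in the review bucket only because it runs from AppData: legitimate per-user software trips the path heuristic too, so it is a prompt for an analyst to check the binary's signature, not a verdict. Run the same parser over HKLM\Software\Microsoft\Windows\CurrentVersion\Run and the RunOnce keys as well, since the article only pins down the value name, not the hive.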

Once the malware is firmly embedded in the system, Hunters International uses its remote access to move across the network and from there deploy more malware and info-stealing code. SharpRhino uses a Rust-based encryptor that scrambles files and appends the .locked extension – leaving untouched a single README file called Contact Us.txt, which directs the victim to a ransomware payment page on the Tor network.

New kids on the block or same old scumbags?

Based on the code, the tactics it uses, and the vector of attack, Quorum Cyber's analysts strongly suspect this malware is the work of Hunters International – a ransomware-as-a-service gang that was first spotted in October 2023.

Since then the gang has risen into the ten most detected ransomware mobs. Its speedy rise – and its use of the Hive ransomware in the early days – led many to suspect that the Hunters are simply the Hive crew rebranded. This particular batch of ransomware shares about 60 percent of its code with Hive's original malware.

The crew is also fond of the double extortion attack. First data is copied and stolen – a process that can take weeks, to help the crims avoid detection – before corporate servers are encrypted. If the victim doesn't pay for the decryption key, the crims threaten to make the stolen information public. Blackmail tactics of that sort have also been employed by Hive.

Hunters isn't known to be a triple extortionist yet: it hasn't been recorded trying to extort money from a target's customers using the purloined data.

"So far, Hunters International has claimed responsibility for 134 attacks in the first seven months of 2024," wrote Quorum Cyber threat intelligence analyst Michael Forret.

"The group has positioned itself as a Ransomware-as-a-Service (RaaS) provider, thereby enabling other potentially less sophisticated threat actors with tooling to conduct additional attacks. Being a RaaS provider is highly likely a main cause for their fast rise to notoriety."

Tellingly, but not unusually in the ransomware game, Hunters International has claimed responsibility for attacks around the world – except in Russia. Ransomware crews work on the presumption that if they don't go after Russian targets then that country's authorities will leave them alone, or even rescue them from foreign custody. ®
