SharpRhino Malware Exploits Networking Tools: A Critical Threat to IT Professionals

  • Rescana
  • Oct 10, 2024
  • 3 min read
Executive Summary

The Hunters International ransomware group has emerged as a formidable threat, specifically targeting IT professionals with their newly developed malware, SharpRhino. This sophisticated C# remote access trojan (RAT) is designed to infiltrate corporate networks, escalate privileges, execute PowerShell commands, and deploy ransomware payloads. The malware's distribution through typosquatting sites impersonating legitimate networking tools poses a significant risk to IT workers, making it imperative for organizations to understand and mitigate this threat effectively.

Technical Information

SharpRhino is a digitally signed 32-bit installer masquerading as 'ipscan-3.9.1-setup.exe', which contains a self-extracting password-protected 7z archive. Upon execution, the malware modifies the Windows registry to ensure persistence and creates shortcuts to execute its malicious binaries. A key component of its operation is the 'LogUpdate.bat' file, which executes PowerShell scripts to compile C# code directly into memory, allowing for stealthy execution without leaving traces on the disk.

The malware's command and control (C2) infrastructure is sophisticated, utilizing directories such as 'C:\ProgramData\Microsoft: WindowsUpdater24' and 'LogUpdateWindows' for C2 communication. Hardcoded commands within the malware include 'delay', which sets timers for POST requests, and 'exit', which terminates communication. These features highlight the advanced nature of SharpRhino and its potential to cause significant disruption within targeted networks.
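The host-based indicators named above (the installer file name, the 'LogUpdate.bat' launcher, the two C2 directories, and PowerShell compiling C# in memory) can be turned into hunt rules over endpoint telemetry. The following Python is an added example, not code from the report or from any referenced vendor: it runs those rules over a handful of constructed Sysmon-style event records. The indicator strings are taken from the report; the assumption that in-memory C# compilation from PowerShell shows up as an `Add-Type` call (or a direct call to the .NET C# compiler classes) is the example's own, since the report only says that PowerShell compiles C# into memory.

```python
"""Hunt for the SharpRhino indicators described in the report over a batch of
endpoint telemetry records (Sysmon-style process- and file-creation events).
The event records below are constructed for this example."""
import re
from dataclasses import dataclass

# Indicators quoted in the report (matching is done case-insensitively).
INSTALLER_NAME = "ipscan-3.9.1-setup.exe"
BATCH_NAME = "logupdate.bat"
C2_DIRS = (
    r"c:\programdata\microsoft: windowsupdater24",
    r"logupdatewindows",
)
# Assumption (not stated in the report): compiling C# in memory from PowerShell
# normally appears as Add-Type or a direct use of the .NET C# compiler classes.
INMEM_COMPILE = re.compile(r"add-type|csharpcodeprovider|compileassemblyfromsource", re.I)


@dataclass
class Finding:
    record_id: int
    rule: str
    evidence: str


def scan_record(rec_id: int, rec: dict) -> list:
    """Apply each hunt rule to one event record and return the findings."""
    image = rec.get("Image", "").lower()
    cmd = rec.get("CommandLine", "").lower()
    target = rec.get("TargetFilename", "").lower()
    findings = []
    if image.endswith(INSTALLER_NAME):
        findings.append(Finding(rec_id, "installer_name", rec["Image"]))
    if target.endswith(BATCH_NAME) or BATCH_NAME in cmd:
        findings.append(Finding(rec_id, "logupdate_bat",
                                rec.get("TargetFilename") or rec.get("CommandLine", "")))
    for d in C2_DIRS:
        if d in target or d in cmd:
            findings.append(Finding(rec_id, "c2_directory", d))
            break
    if image.endswith("powershell.exe") and INMEM_COMPILE.search(cmd):
        findings.append(Finding(rec_id, "powershell_inmemory_compile", rec["CommandLine"]))
    return findings


def scan(records) -> list:
    """Scan a sequence of event records; the index in the sequence is the record id."""
    out = []
    for i, rec in enumerate(records):
        out.extend(scan_record(i, rec))
    return out


# Constructed sample telemetry: two benign records and four that carry indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Users\admin\Downloads\ipscan-3.9.1-setup.exe",
     "CommandLine": "ipscan-3.9.1-setup.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\Microsoft: WindowsUpdater24\LogUpdate.bat"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Add-Type -TypeDefinition $src"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\ProgramData\LogUpdateWindows\update.log"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Service"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.rule}: {f.evidence}")
```

The PowerShell rule is the noisiest of the four, since administrators also use `Add-Type` legitimately; in production it should be correlated with a suspicious parent process (here the record carries a `ParentImage` of cmd.exe) rather than alerted on alone.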

Exploitation in the Wild

Since its emergence in late 2023, SharpRhino has been actively used in intrusions by the Hunters International group. Notable victims include Austal USA, Hoya, Integris Health, and Fred Hutch Cancer Center. In 2024, the group claimed responsibility for 134 ransomware attacks, positioning themselves as the tenth most active ransomware group globally. The malware's ability to reach IT professionals through deceptive distribution methods underscores the need for heightened vigilance and robust security measures.

APT Groups using this malware

The Hunters International group is the primary actor behind the deployment of SharpRhino. Their focus on IT professionals and use of typosquatting techniques to distribute the malware indicates a strategic approach to targeting individuals with elevated network privileges. This tactic not only increases the likelihood of successful infiltration but also amplifies the potential impact of their attacks.

Affected Product Versions

SharpRhino primarily targets IT professionals using networking tools such as Angry IP Scanner and Advanced IP Scanner. The malware's distribution through typosquatting sites impersonating these legitimate tools highlights the importance of verifying software sources and ensuring that only trusted versions are installed within corporate environments.

Workaround and Mitigation

To mitigate the threat posed by SharpRhino, organizations should implement several key strategies. First, avoid malvertising by being cautious of sponsored search results and employing ad blockers to reduce exposure to malicious advertisements. Second, establish robust backup plans to ensure data recovery in the event of a ransomware attack. Third, implement network segmentation to limit lateral movement within the network, thereby containing potential breaches. Finally, ensure that all software is up to date to reduce opportunities for privilege escalation and other exploits.
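The "verify software sources" advice above, and the fact that the installer described in this report was digitally signed, together argue for a download policy that does not trust a valid signature by itself. The following Python is an added example (not the report's or any vendor's code) of such a policy check: a download is allowed only if its host is on an approved vendor allowlist and its SHA-256 matches a hash the organization has recorded for that release, with near-miss hostnames flagged as suspected typosquats. The two allowlisted domains are the ones the example assumes for the tools named in this report and must be confirmed against the organization's own records; the "known-good" hash is computed from constructed bytes so the example runs offline.

```python
"""Policy check for software downloads: approved host + approved hash, with
lookalike-host detection. Allowlist entries and sample data are assumptions
made for this example."""
import hashlib
from urllib.parse import urlparse

# Assumed allowlist of vendor hosts for the networking tools named in the report.
APPROVED_HOSTS = {"angryip.org", "advanced-ip-scanner.com"}

# Constructed stand-in for a real installer; a real deployment records the
# vendor-published SHA-256 of each approved release here.
GOOD_INSTALLER_BYTES = b"constructed installer content for the example"
GOOD_HASHES = {
    hashlib.sha256(GOOD_INSTALLER_BYTES).hexdigest(): "ipscan-3.9.1-setup.exe (constructed entry)",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_verdict(host: str) -> str:
    """Classify a hostname as approved, suspected_typosquat, or unknown."""
    host = host.lower()
    if host in APPROVED_HOSTS or any(host.endswith("." + h) for h in APPROVED_HOSTS):
        return "approved"
    if any(edit_distance(host, h) <= 2 for h in APPROVED_HOSTS):
        return "suspected_typosquat"
    return "unknown"


def evaluate_download(url: str, payload: bytes, good_hashes: dict) -> tuple:
    """Return ("allow", release label) or ("block", reason) for a downloaded file."""
    host = urlparse(url).hostname or ""
    verdict = host_verdict(host)
    if verdict == "suspected_typosquat":
        return ("block", f"host {host!r} resembles an approved vendor host")
    if verdict != "approved":
        return ("block", "host not on the approved list")
    digest = hashlib.sha256(payload).hexdigest()
    if digest not in good_hashes:
        return ("block", "SHA-256 does not match any approved release")
    return ("allow", good_hashes[digest])


if __name__ == "__main__":
    # Constructed cases: genuine host, lookalike host, unknown mirror, tampered file.
    for url, data in [
        ("https://angryip.org/download/ipscan-setup.exe", GOOD_INSTALLER_BYTES),
        ("https://advanced-ip-scaner.com/setup.exe", GOOD_INSTALLER_BYTES),
        ("https://downloads.example.net/ipscan-3.9.1-setup.exe", GOOD_INSTALLER_BYTES),
        ("https://angryip.org/download/ipscan-setup.exe", b"tampered"),
    ]:
        print(url, "->", evaluate_download(url, data, GOOD_HASHES))
```

Checking the host before the hash means a lookalike domain is reported as such even when the attacker serves an unmodified genuine installer alongside the malicious one; the hash check then catches a trojanized file served from a compromised but otherwise approved location.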

References

For further information and detailed analysis of SharpRhino, please refer to the following resources: Bleeping Computer Article, Quorum Cyber Analysis, and eSentire Research.

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive insights and proactive measures to safeguard your organization against emerging threats like SharpRhino. Should you have any questions about this report or require further assistance, please do not hesitate to contact us at ops@rescana.com.