SharpRhino: New C# Trojan penetrates corporate networks

Hunters International does not spare even medical institutions.

The ransomware group Hunters International has started using a new C# remote access Trojan (RAT) called SharpRhino to infiltrate corporate networks. The malware gives the attackers an initial foothold, lets them escalate privileges on infected systems and run arbitrary PowerShell commands, and ultimately serves as the stage from which the ransomware is deployed.

Quorum Cyber researchers who discovered the new Trojan report that it is distributed through a Google Ads-sponsored lookalike site that mimics Angry IP Scanner — a legitimate network scanning tool used by IT professionals.

Hunters International emerged at the end of 2023 and is suspected to be a rebrand of the Hive group, given the similarity of the code. Known victims include the US Navy contractor Austal USA, the Japanese optical company Hoya, Integris Health and the Fred Hutch Cancer Center. Medical facilities are clearly not off-limits for Hunters International.

Since the beginning of this year the group has claimed 134 ransomware attacks on organizations around the world, making it the tenth most active group in this space.

SharpRhino is distributed as a signed 32-bit installer ("ipscan-3.9.1-setup.exe") that contains a self-extracting 7z archive with the additional files used during infection. The victim downloads and runs it believing it to be the legitimate installer. EXEInfo, however, identifies the file as an executable packaged with NSIS (Nullsoft Scriptable Install System).

When run, the malicious installer modifies the Windows registry to establish persistence and creates a shortcut to "Microsoft.AnyKey.exe", normally a legitimate Microsoft Visual Studio binary, which the attackers abuse here. The installer also drops a "LogUpdate.bat" that executes PowerShell scripts on the device to conceal the malware.

To ensure reliable operation, the installer creates two directories:
  • C:\ProgramData\Microsoft\WindowsUpdater24 - contains the files executed on the first run of the NSIS installer;
  • C:\ProgramData\Microsoft\LogUpdateWindows - contains the files needed to establish persistence.
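As an added hunting example (not code from the article or from Quorum Cyber), the following Python checks a file inventory, such as an EDR export or a walk of C:\ProgramData\Microsoft, for the directories and file names reported above. The Visual Studio exclusion for Microsoft.AnyKey.exe and all sample paths are assumptions constructed for the example.

```python
import os
from pathlib import PureWindowsPath

# Directories and file names reported in the Quorum Cyber analysis.
SUSPICIOUS_DIRS = (
    r"C:\ProgramData\Microsoft\WindowsUpdater24",
    r"C:\ProgramData\Microsoft\LogUpdateWindows",
)
# Assumption (not from the article): a legitimate Microsoft.AnyKey.exe lives under a
# Visual Studio install tree, so only copies outside such a tree are flagged.
LEGIT_HINT = "microsoft visual studio"


def classify_path(path: str):
    """Return a reason string if `path` matches a SharpRhino artifact, else None."""
    p = PureWindowsPath(path)
    lowered = str(p).lower()
    for d in SUSPICIOUS_DIRS:
        if lowered == d.lower() or lowered.startswith(d.lower() + "\\"):
            return f"inside staging directory {d}"
    name = p.name.lower()
    if name == "logupdate.bat":
        return "persistence script LogUpdate.bat"
    if name == "microsoft.anykey.exe" and LEGIT_HINT not in lowered:
        return "Microsoft.AnyKey.exe outside a Visual Studio install"
    return None


def find_artifacts(paths):
    """Scan an iterable of file paths and return a list of (path, reason) hits."""
    return [(path, classify_path(path)) for path in paths if classify_path(path)]


def scan_programdata(root=r"C:\ProgramData\Microsoft"):
    """Walk a live Windows host; yields nothing where the root does not exist."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.append(dirpath)
        paths.extend(os.path.join(dirpath, f) for f in files)
    return find_artifacts(paths)


# Constructed sample inventory (not real telemetry); the Visual Studio path is made up.
SAMPLE_INVENTORY = [
    r"C:\ProgramData\Microsoft\WindowsUpdater24\ipscan-3.9.1-setup.exe",
    r"C:\ProgramData\Microsoft\LogUpdateWindows\LogUpdate.bat",
    r"C:\Program Files\Microsoft Visual Studio\Tools\Microsoft.AnyKey.exe",
    r"C:\Users\Public\Microsoft.AnyKey.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini",
]

if __name__ == "__main__":
    for path, reason in find_artifacts(SAMPLE_INVENTORY):
        print(f"[!] {path}: {reason}")
```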

The malware contains two hard-coded commands: "delay" — to set a timer for the next POST request to receive the command, and "exit" — to stop communication.

The analysis shows that the malware can execute PowerShell commands on the infected device, which opens the door to a wide range of harmful actions. Quorum Cyber experts verified this mechanism by launching the Windows calculator through SharpRhino.

Hunters International's new tactics, including the creation of websites that mimic legitimate network tools, indicate that the group is targeting IT professionals in order to obtain accounts with elevated privileges.

To avoid accidentally downloading malware, users are advised to treat sponsored search results with caution, use an ad blocker, and bookmark the official sites of frequently used tools so that installers are downloaded only from trusted sources.

To reduce the impact of attacks, it is recommended to create backup plans, segment the network, and keep all software up-to-date in order to minimize the potential for hackers to increase privileges and move laterally.
