Heimdal

The Hunters International ransomware gang targets IT professionals with SharpRhino remote access trojan (RAT). The malware spoofs the installer of Angry IP Scanner, an ethical hacking tool.

Hunters International is a top 10 ransomware group whose code shares similarities with the notorious Hive gang. It uses a Rust-written encryptor to lock files. Security researchers observed the group targeting IT workers as a foothold for compromising the whole network.

More about the SharpRhino RAT

The hackers distribute the SharpRhino malware through a typosquatting site mimicking Angry IP Scanner’s website.

Angry IP is an IP address scanner that IT teams use for auditing the network. The tool scans the network to find certain open ports on online devices that could be targeted in a cyberattack.

SharpRhino appears as a digitally signed 32-bit installer (ipscan-3.9.1-setup.exe). It includes a self-extracting, password-protected 7z archive which contains the additional files necessary to carry out the infection.

Here’s what the SharpRhino RAT does once it infects the host:

  • changes the Windows registry to achieve persistence
  • creates a shortcut to Microsoft.AnyKey.exe
  • downloads ‘LogUpdate.bat’ to run PowerShell scripts

How to keep safe from SharpRhino malware

Targeting IT professionals and spoofing legitimate security tools is not a new tactic. IT teams are attractive targets for hackers due to their elevated privileges across the system.

If threat actors gain access to an account or device with elevated permissions, they can either move laterally or escalate privileges to take over the whole network.

DNS filtering can prevent malware deployment and malicious communication with command-and-control servers. Whenever the filtering engine detects a malicious domain attempting to communicate with the network, it automatically blocks it.

The best DNS security tools use machine learning techniques to take security to a higher level. These solutions can predict, based on certain patterns, whether a domain is malicious before anybody else reports it as such.

DNS security is one of the most important components of the layered-defense approach as it can neutralize phishing attempts, malware deployment and ransomware attacks by detecting and blocking communication.
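As an added illustration (not code from the article or from Heimdal), here is a small Python check that flags DNS lookups for lookalikes of the legitimate Angry IP Scanner domain, the kind of typosquatting this campaign relied on. It assumes angryip.org is the genuine domain; the resolver log lines and the lookalike names in them are constructed sample data.

```python
import re

# Added example; the only real value is the legitimate Angry IP Scanner domain.
# The log lines and lookalike domains below are constructed sample data.
PROTECTED = {"angryip.org"}

SAMPLE_LOG = """\
named[1234]: client 10.0.0.5#53111: query: angryip.org IN A
named[1234]: client 10.0.0.7#53222: query: angryiip.org IN A
named[1234]: client 10.0.0.9#53333: query: example.com IN A
named[1234]: client 10.0.0.7#53444: query: angryip.net IN A
named[1234]: client 10.0.0.8#53555: query: www.angry-ip.org IN A
"""
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

def levenshtein(a, b):
    """Edit distance between two strings; 1 or 2 means a likely typo variant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(qname):
    """Keep only the last two labels (sufficient for .org/.net style names)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def lookalike_of(domain, max_dist=2):
    """Return the protected domain `domain` imitates, or None if clean or legitimate."""
    if domain in PROTECTED:
        return None
    name = domain.rpartition(".")[0].replace("-", "")  # ignore hyphen tricks
    for good in PROTECTED:
        good_name = good.rpartition(".")[0]
        # Same label under another TLD, or a near-miss spelling of the label.
        if levenshtein(name, good_name) <= max_dist:
            return good
    return None

def scan_log(text):
    """Return (client, queried domain, imitated domain) for each suspicious lookup."""
    hits = []
    for m in QUERY_RE.finditer(text):
        dom = registrable(m["qname"])
        target = lookalike_of(dom)
        if target:
            hits.append((m["client"], dom, target))
    return hits
```

Running scan_log over a real resolver log gives the client addresses that resolved the lookalikes, which is where a blocklist entry or an endpoint triage should start.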

To enhance security, I also recommend using network segmentation and a zero-trust policy. In case of a breach, these measures will prevent the infection from spreading to the whole infrastructure.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.