The Hunters International ransomware gang targets IT professionals with SharpRhino remote access trojan (RAT). The malware spoofs the installer of Angry IP Scanner, an ethical hacking tool.
Hunters International is a top 10 ransomware group that shares code similarities with the notorious Hive threat gang. They use a Rust-written encryptor to lock the files. Security researchers detected them targeting IT workers, to further compromise the whole network.
More about the SharpRhino RAT
The hackers distribute the SharpRhino malware through a typosquatting site mimicking Angry IP Scanner’s website.
Angry IP is an IP address scanner that IT teams use for auditing the network. The tool scans the network to find certain open ports on online devices that could be targeted in a cyberattack.
SharpRhino appears as a digitally signed 32-bit installer (ipscan-3.9.1-setup.exe). It includes a self-extracting, password-protected 7z archive which contains the additional files necessary to carry out the infection.
Here’s what the SharpRhino RAT does once it infects the host:
- changes the Windows registry to achieve persistence
- creates a shortcut to Microsoft.AnyKey.exe
- downloads ‘LogUpdate.bat’ to run PowerShell scripts
How to keep safe from SharpRhino malware
Targeting IT professionals and spoofing legitimate security tools is not a new tactic. IT teams are attractive targets for hackers due to their elevated privileges across the system.
If threat actors gain access to an account or device with elevated permissions, they can either move laterally or escalate privileges to take over the whole network.
DNS filtering can prevent malware deployment and malicious communication with command-and-control servers. Whenever the filtering engine detects a malicious domain attempting communication with the network, it will automatically block it.
The best DNS security tools use machine learning techniques to take security to a higher level. These solutions can predict, based on certain patterns, if a domain is malicious before anybody else reports it as such.
DNS security is one of the most important components of the layered-defense approach as it can neutralize phishing attempts, malware deployment and ransomware attacks by detecting and blocking communication.
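DNS filtering matches queried names against known-bad lists; a complementary check, added here as an example that is not part of the article, flags lookups of domains that imitate a legitimate vendor domain (small edit distance, digit homoglyphs, hyphen variants, embedded brand name) in DNS query logs, which is how the typosquatting site described above would surface. The log lines and the domain angryip.example are constructed placeholders; the real Angry IP Scanner domain is not given in the article.

```python
# Constructed DNS query log (not from the article); assumed format "<timestamp> <client-ip> <qname>"
SAMPLE_DNS_LOG = """\
2024-08-05T09:12:01 10.0.0.15 angryip.example
2024-08-05T09:12:03 10.0.0.15 angryip-scanner.example
2024-08-05T09:13:10 10.0.0.22 angry1p.example
2024-08-05T09:14:42 10.0.0.31 angryipp.example
2024-08-05T09:15:00 10.0.0.31 example.com
"""
LEGIT_DOMAINS = {"angryip.example"}  # placeholder; the vendor's real domain is not on the page
# Digits commonly swapped for look-alike letters in typosquat domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def levenshtein(a, b):
    # Edit distance via single-row dynamic programming.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_label(qname):
    # Left-most label, homoglyph- and hyphen-normalized. Assumes two-label names as in
    # the sample; a real deployment should strip the public suffix instead.
    return qname.lower().split(".")[0].translate(HOMOGLYPHS).replace("-", "")

def classify(qname, legit, max_distance=2):
    # Return why qname imitates legit (distance 0 = pure homoglyph/hyphen variant), or None.
    cand, target = brand_label(qname), brand_label(legit)
    d = levenshtein(cand, target)
    if d <= max_distance:
        return f"edit distance {d}"
    return "brand embedded" if target in cand else None

def find_lookalikes(log_text, legit_domains=LEGIT_DOMAINS):
    # Return (client, qname, reason) for each lookup that imitates a legitimate domain.
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname = parts[1], parts[2].lower().rstrip(".")
        if any(qname == l or qname.endswith("." + l) for l in legit_domains):
            continue  # the genuine site itself, nothing to flag
        for legit in legit_domains:
            if reason := classify(qname, legit):
                hits.append((client, qname, reason))
    return hits
```

Feeding a resolver's query log through find_lookalikes gives the client addresses that resolved lookalike names, which is the list to follow up on alongside the filtering engine's own block events.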
To enhance security, I also recommend using network segmentation and a zero-trust policy. In case of a breach, these measures will prevent the infection from spreading to the whole infrastructure.