New SharpRhino Malware Being Used By Ransomware Gangs to Attack IT Workers
The Hunters International ransomware group, believed to be a rebranding of the Hive ransomware group due to code similarities, is targeting IT workers with their new malware, SharpRhino. This C# remote access trojan (RAT) enables attackers to infiltrate systems, escalate privileges, execute PowerShell commands, and ultimately deploy ransomware payloads. SharpRhino is distributed via a typo-squatting site that impersonates the legitimate Angry IP Scanner website, a tool frequently used by IT professionals (BleepingComputer) (Cyber Security News) (Help Net Security).
If you need immediate assistance, call our 24-hour number at 1-877-662-6624 to reach a live engineer. He will get the process started for you or e-mail restore@alvaka.net.
Technical Details
SharpRhino is delivered as a digitally signed 32-bit installer (ipscan-3.9.1-setup.exe), containing a self-extracting password-protected 7z archive with files necessary for infection. Once executed, the malware performs several actions to establish persistence and control over the infected system:
- Registry Modification: It modifies the Windows registry to ensure persistence by launching Microsoft.AnyKey.exe, a legitimate Microsoft Visual Studio binary repurposed for malicious use (Cyber Security News) (Help Net Security).
- PowerShell Execution: The malware drops LogUpdate.bat, which executes PowerShell scripts that compile C# code into memory, facilitating stealthy execution without leaving traces on disk (BleepingComputer) (Cyber Security News).
- Command and Control (C2): SharpRhino creates two directories (C:\ProgramData\Microsoft: WindowsUpdater24 and LogUpdateWindows) for C2 communication. The malware contains hardcoded commands such as delay, which sets the timer for the next POST request, and exit, which terminates communication (BleepingComputer) (Cyber Security News).
Impact
Hunters International has already targeted several high-profile organizations, including Austal USA, Hoya, Integris Health, and the Fred Hutch Cancer Center. These attacks demonstrate the group’s focus on critical sectors and organizations with high ethical standards. In 2024 alone, they have claimed responsibility for 134 ransomware attacks globally, excluding the Commonwealth of Independent States (CIS), making them the tenth most active ransomware group (BleepingComputer) (Help Net Security).
Mitigation Strategies
To mitigate the risk posed by SharpRhino and similar ransomware attacks, organizations should consider the following proactive measures:
- Awareness and Education: Train employees, especially IT staff, to recognize phishing attempts and the risks of downloading software from unofficial sources. Encourage the use of ad blockers to reduce exposure to malicious ads (Cyber Security News) (Help Net Security).
- Secure Backups: Implement a robust backup strategy, ensuring backups are stored offline or in a secure cloud environment to prevent them from being encrypted during an attack (BleepingComputer).
- Network Segmentation: Segment the network to limit the spread of malware within the organization and protect critical systems from lateral movement (Cyber Security News).
- Regular Updates and Patches: Keep all software up to date with the latest security patches to minimize vulnerabilities that could be exploited by attackers (BleepingComputer) (Help Net Security).
- Security Monitoring: Utilize advanced threat detection tools to monitor network traffic and detect anomalous activities indicative of a malware infection (Cyber Security News) (Help Net Security).
By implementing these strategies, organizations can strengthen their defenses against sophisticated ransomware threats like SharpRhino and minimize potential damage.
For further details on the technical aspects and mitigation strategies for SharpRhino, refer to sources such as BleepingComputer and Help Net Security.
If you need immediate assistance, call our 24-hour number at 1-877-662-6624 to reach a live engineer. He will get the process started for you or e-mail restore@alvaka.net.