Ransomware gang targets IT workers with new RAT masquerading as IP scanner

Ransomware-as-a-service outfit Hunters International is wielding a new remote access trojan (RAT). “The malware, named SharpRhino due to its use of the C# programming language, is delivered through a typosquatting domain impersonating the legitimate tool Angry IP Scanner,” Quorum Cyber researchers discovered.

Angry IP Scanner is an IP address and port scanner, and as such is more likely to be downloaded and used by IT workers. Such specific targeting might be an attempt to compromise systems and accounts that have higher privileges and access to most nooks and crannies of enterprise networks, so that the threat actor may swifly do much damage.

How the targets end up on the typosquatted domain is unknown, but malvertising seems like the most likely theory.

Earlier this year, a malvertising campaign similarly targeted IT pros via Google ads for system utilities, and delivered the Nitrogen malware.

The SharpRhino RAT

The name of the malicious file containing the RAT – ipscan-3.9.1-setup.exe – makes it look like a legitimate installer for the software it strives to impersonate (colloquially called ipscan).

Ransomware targets IT workers

The contents of the malicious installer (Source: Quorum Cyber)

The file is a NSIS installer, which modifies a Windows registry for persistence and creates a shortcut to Microsoft.AnyKey.exe, which then executes the LogUpdate.bat file.

That file contains a PowerShell script that compiles C# code and loads the compiled binary into memory and functions within it are ready to be called.

The malware also establishes two directories with identical files, enabling attackers to send commands to the RAT even if one of the directories is found and deleted.

About Hunters International

“So far, Hunters International has claimed responsibility for 134 attacks in the first seven months of 2024. Typical of ransomware operators, Hunters International exfiltrates data from victim organisations prior to encrypting files, changing file extensions to .locked, and leaving a README message guiding recipients to a chat portal on the TOR network for payment instructions,” the researchers noted.

Its targets are mostly organizations located in the Americas, Europe and Australia. The group avoids organizations based within the Russian influenced Commonwealth of Independent States (CIS), which points to the group having affiliate ties to Russia.

OPIS OPIS

OPIS

Don't miss