August 6, 2024 at 12:41PM
Hunters International, an emerging ransomware group, is using a new remote access Trojan (RAT) called SharpRhino to deploy Hive ransomware against IT professionals. The group relies on typosquatting domains and valid code-signing certificates to get the malware installed. SharpRhino's role is to give the group persistent control of compromised systems from which it launches ransomware attacks.
The report describes Hunters International as an emerging threat group that has developed the SharpRhino RAT and is using it in ransomware attacks targeting IT professionals. The group uses novel techniques to gain initial access, maintain persistence, and launch sophisticated ransomware attacks for financial gain.
Hunters International has quickly risen to prominence as the 10th most active ransomware group in 2024 because it operates Hive ransomware as a ransomware-as-a-service (RaaS) offering, partnering with less sophisticated actors to spread Hive more quickly.
The group disguises its malware as legitimate software using valid code-signing certificates and establishes persistence by modifying the system registry and creating directories for command and control (C2) communication.
Organizations are advised to be vigilant for indicators of compromise related to SharpRhino and to refer to the provided MITRE ATT&CK mapping for the defense evasion, discovery, privilege escalation, execution, and persistence techniques associated with the RAT.