August 7, 2024 at 01:37AM
Hunters International, a ransomware-as-a-service gang suspected of rebranding from the Hive crew, has been targeting network admins with malware disguised as Angry IP Scanner. The group’s use of double extortion attacks and rise to the top ten most detected ransomware mobs has positioned them as a significant threat, having been linked to 134 attacks in the first seven months of 2024.
Based on the meeting notes, the new malware called SharpRhino, attributed to the upstart criminal gang Hunters International, is using a disguised version of the popular networking tool Angry IP Scanner to target network admins. The malware is hidden in a fake version of the scanning tool posted on typo-squatted websites with slightly misspelled URLs. It was discovered by Quorum Cyber and has been in circulation since mid-June.
The trojan’s executable is named “ipscan-3.9.1-setup.exe,” and it consists of a 32-bit Nullsoft installer containing a password-protected 7z archive. The malware alters the Run\UpdateWindowsKey registry to direct to an application named Microsoft.AnyKey.exe and sets up to communicate with two command and control systems for carrying out its malicious activities.
Once installed, Hunters International can use remote access to spread across the network and deploy more malware and info-stealing code. SharpRhino uses a Rust-based encryptor to encrypt files as .locked, and it also has a ransomware payment page on the Tor network.
According to Quorum Cyber’s analysts, the tactics, code similarities, and attack vectors strongly suggest that this malware is the work of Hunters International, a ransomware-as-a-service gang that has risen to the top ten most detected ransomware mobs. The gang’s rapid rise and its use of the Hive ransomware in the early days lead many to belief that the Hunters are the rebranded Hive crew. The malware shares about 60 percent of its code with Hive’s original malware.
Hunters International is known for the double extortion attack, where data is copied and stolen before encrypting corporate servers. If the victim doesn’t pay for the decryption key, the gang threatens to make the stolen information public. While the gang hasn’t been recorded trying to extort money from a target’s customers using the stolen data, it has claimed responsibility for 134 attacks in the first seven months of 2024, positioning itself as a Ransomware-as-a-Service provider, enabling other potentially less sophisticated threat actors to conduct additional attacks.
It’s also worth noting that the group has claimed responsibility for attacks around the world, except for Russia, likely due to ransomware operators’ presumption that not targeting Russian entities will protect them from local authorities.
In summary, the SharpRhino malware, attributed to Hunters International, represents a serious threat to organizations and individuals, and its rise and tactics merit continued vigilance and response from cybersecurity professionals.