Hunters International RaaS Group Points SharpRhino at IT Workers
2024-8-7 19:39:39 Author: securityboulevard.com (view original) Views: 13 Bookmark

The fast-rising ransomware group Hunters International is using a novel remote access trojan (RAT) in attacks targeting IT workers, a sign that the bad actors are continuing to evolve their techniques.

Threat researchers with Quorum Cyber said the new malware, called SharpRhino due to its use of the C# programming language, is delivered via a typosquatting domain that impersonates Angry IP Scanner, an open source tool used to scan IP addresses and ports. Because the tool is open source, threat groups can misuse valid code signing certificates, giving the malware the illusion of being a legitimate networking tool.

In this case, the certificate was signed by J-Golden Strive Trading Co., Ltd., according to a Quorum Cyber report.

Hunters International, which runs a ransomware-as-a-service (RaaS) that deploys ransomware from the now-defunct Hive group, uses SharpRhino first for initial infection of the targeted network and then as a RAT that pushes the attack forward.

“Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption,” Michael Forret, threat intelligence analyst with Quorum Cyber, wrote in the report, adding that the malware “represents an evolution in the tactics, techniques, and procedures (TTPs) of Hunters International, demonstrating the continuous advancement of capabilities by Ransomware-as-a-Service (RaaS) threat groups.”

A RaaS Group on the Rise

Hunters International, which is suspected of being from Russia, first appeared in October 2023 and has become one of the most active RaaS groups, claiming responsibility for 134 attacks during the first seven months of 2024, Forret wrote. Operating as a RaaS group lets other, less sophisticated bad actors use the ransomware in their own attacks, and is likely a key reason for the group's fast rise in the expanding and evolving ransomware scene, Forret wrote.

Hunters International and its affiliates, like many other ransomware groups, run double-extortion attacks, first exfiltrating files from organizations and then encrypting them before demanding payment. The encryptor is written in Rust, a programming language that cybercrime groups are adopting because of its security features and resistance to being reverse engineered.

Other groups, such as Hive and BlackCat – also known as ALPHV – also shifted to using Rust for their malware.

GuidePoint Security researchers in June noted that Hunters International “maintains an unusually sophisticated Data Leak Site (DLS) considering its length of operations, which may indicate the involvement of experienced operators, a Rebrand of another RaaS group, or Hunters’ functioning as a Splinter group from another RaaS group.”

The group has been linked to Hive, a highly active RaaS gang that closed operations after U.S. and international law enforcement agencies seized its infrastructure and doled out decryption keys to victim organizations. Hunters International said on its leak site that it bought Hive’s code following the raid.

Infection Starts with a RAT

With SharpRhino, the infection starts when a network administrator or another IT worker downloads and executes what they believe is the Angry IP Scanner, Forret wrote, describing the file as a common “NSIS (Nullsoft Scriptable Installer System) packed executable.”

It’s not unusual for threat groups to use Angry IP Scanner or similar tools to gain initial access. CISA and the FBI in an advisory earlier this year noted that the Phobos ransomware group accesses networks by using IP scanning tools like Angry IP Scanner to search for vulnerable remote desktop protocol (RDP) ports.

Threat intelligence analysts with cybersecurity firm Zscaler reported in April on a threat actor running a campaign between November 2023 and March that included using malicious domains to spoof legitimate IP scanners – including Angry IP Scanner – and other software used by enterprise IT security and network administrators, and abusing Google Ads for malvertising to push those sites to the top of search results.

For persistence with SharpRhino, the NSIS installer modifies the Run\UpdateWindowsKey registry key with a shortcut for Microsoft.AnyKey. It also creates two directories – WindowsUpdater24 and LogUpdateWindows – in C:\ProgramData\Microsoft that include binaries and files to establish command-and-control communications with the attacker.
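A host triage check for the persistence artifacts just described, added here as an example and not part of the Quorum Cyber report or the Security Boulevard article. It assumes the Run value is named UpdateWindowsKey under the standard HKCU/HKLM Run keys (the report does not state the hive) and that the directory names are as reported; the signer name is the one quoted in the article, used only to flag an unexpected publisher.

```powershell
# Added triage example: looks for the SharpRhino persistence artifacts reported above.
# Assumptions: Run value name "UpdateWindowsKey" (hive unknown, so both are checked)
# and directories WindowsUpdater24 / LogUpdateWindows under %ProgramData%\Microsoft.
$findings = @()
$dirHits  = @()

# 1. Run-key persistence: the value data should point at the Microsoft.AnyKey shortcut.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($null -ne $props.UpdateWindowsKey) {
            $findings += [pscustomobject]@{
                Type = 'RunKey'; Location = $key; Value = $props.UpdateWindowsKey
            }
        }
    }
}

# 2. Dropped directories used for C2 binaries and files.
foreach ($dir in @('WindowsUpdater24', 'LogUpdateWindows')) {
    $path = Join-Path $env:ProgramData "Microsoft\$dir"
    if (Test-Path $path) {
        $names = Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name
        $findings += [pscustomobject]@{ Type = 'Directory'; Location = $path; Value = ($names -join ';') }
        $dirHits  += $path
    }
}

# 3. Authenticode check on executables in those directories. A *valid* signature from an
#    unexpected publisher (the article names J-Golden Strive Trading Co., Ltd.) is itself a
#    signal, because a valid certificate is what makes the lure look legitimate.
$expectedSigner = 'J-Golden Strive'   # signer string quoted in the article; adjust as needed
foreach ($d in $dirHits) {
    Get-ChildItem -Path $d -Filter *.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $flag = if ($subject -like "*$expectedSigner*") { ' <-- matches reported signer' } else { '' }
        $findings += [pscustomobject]@{
            Type = 'Signature'; Location = $_.FullName; Value = "$($sig.Status) / $subject$flag"
        }
    }
}

if ($findings.Count -eq 0) { 'No SharpRhino persistence artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in an elevated PowerShell session so the HKLM key and ProgramData subdirectories are readable; absence of these artifacts does not rule out other persistence.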

The C# source code is highly obfuscated using jargon variable names, functions, and classes, Forret wrote.

Quorum Cyber’s report also includes MITRE ATT&CK mapping and indicators of compromise (IoCs) for both SharpRhino and Hunters International.

Article source: https://securityboulevard.com/2024/08/hunters-international-raas-group-points-sharprhino-at-it-workers/