Quorum Cyber's Incident Response team recently identified a new malware called SharpRhino, used by the threat actor group Hunters International during a ransomware incident. The malware, written in C#, was distributed through a typosquatting domain posing as Angry IP Scanner.

Diving into details

  • SharpRhino is suspected to be the work of the Hunters International gang, a rebranded iteration of the notorious Hive ransomware group. The malware shares significant code similarities with Hive's original ransomware, indicating a potential connection.
  • The RAT installs a trojan executable that modifies system settings and establishes communication with command-and-control servers. Once embedded, SharpRhino can deploy additional malware and encrypt files with a Rust-based encryptor, demanding ransom payments.

A bit on Hunters International

  • Hunters International, a prominent ransomware group, emerged in October 2023 and quickly rose to become the 10th most active group by 2024.
  • The group has claimed responsibility for 134 attacks in the first seven months of 2024 and operates as a Ransomware-as-a-Service (RaaS) provider, aiding less sophisticated threat actors in conducting attacks.
  • Hunters International prioritizes financial gain and targets opportunistically across sectors, avoiding organizations in the Russian-influenced CIS, hinting at possible ties to Russia.

What else?

  • Turkish Android users were targeted by a new trojan known as BlankBot. This malware is still under development but can capture keystrokes, record screens, and create custom overlays to steal sensitive data.
  • The developers behind BlankBot show sophistication by using open-source libraries and mimicking account pages to deceive users. BlankBot's commands allow threat actors to control infected devices, capture screen images, perform gestures, create overlays, collect data, and more.
  • A new ransomware called CryptoKat has recently surfaced on the dark web. CryptoKat stands out for its use of AES encryption, fast encryption speed, unique executable files, and avoidance of Windows pop-ups.
  • It also uses Fear, Uncertainty, and Doubt (FUD) tactics to exploit vulnerabilities in Windows 11. One of the most alarming aspects of CryptoKat is that the decryption key is not stored on the victim's machine, making recovery difficult even after the ransomware is removed.

The bottom line

In today's cybersecurity landscape, organizations must remain vigilant against sophisticated threats such as those described above. A multi-layered security strategy is crucial to defense, including regular software updates, employee training, and robust backup solutions. Advanced threat detection and response technologies can help identify and mitigate attacks early. A comprehensive incident response plan ensures quick and efficient recovery, minimizing the impact of a breach.

Cyware Publisher