SharpRhino RAT tied to Hunters International ransomware gang

A novel remote access trojan (RAT) malware named SharpRhino was discovered targeting IT workers during a recent investigation that’s been connected to the Hunters International ransomware gang, considered the tenth most-active ransomware group in 2024.

Quorum Cyber researchers said in an Aug. 2 blog post that SharpRhino, so-named because of its use of the C# programming language, gets delivered through a typosquatting domain that impersonates the legitimate Angry IP Scanner.

Upon execution, SharpRhino establishes persistence and gives the attacker remote access to the device, which is then used to continue the attack. Using techniques in line with the evolution observed in the ransomware development of groups such as Hive and BlackCat, the researchers said, SharpRhino can obtain a high level of permissions on a device to ensure that the attacker can continue their targeting.
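The delivery vector described above, a lookalike domain imitating a legitimate admin tool, is something a defender can hunt for in resolver logs. The following is an added example, not code from the article or from Quorum Cyber: it scores queried domains against an assumed allow-list of genuine download sites (angryip.org is assumed to be the real Angry IP Scanner site) using edit distance and brand-embedding checks, run over constructed DNS log lines.

```python
# Added example, not from the article or Quorum Cyber: flag DNS queries for
# domains that resemble legitimate admin-tool download sites. The allow-list
# and log lines are constructed; angryip.org is assumed to be the genuine site.
LEGIT_DOMAINS = {"angryip.org", "github.com"}   # assumed allow-list
MAX_EDIT_DISTANCE = 2                           # typos/transpositions tolerated

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein: insert, delete, substitute, adjacent transposition."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable(domain: str) -> str:
    # Naive last-two-labels rule: www.angryip.org -> angryip.org
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain: str):
    # Return the legitimate domain this query imitates, or None if it is clean.
    base = registrable(domain)
    if base in LEGIT_DOMAINS:
        return None
    label = base.split(".")[0]
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # Misspelling (angyrip.org), wrong TLD (angryip.com) and a brand buried
        # in a longer name (angryip-scanner.net) are all treated as suspect.
        if edit_distance(label, brand) <= MAX_EDIT_DISTANCE or brand in label:
            return legit
    return None

def suspicious_queries(log_text: str):
    """Return (client, query, imitated_domain) for '<ts> <client> query <name>' lines."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue
        legit = lookalike_of(parts[3])
        if legit:
            hits.append((parts[1], parts[3].lower(), legit))
    return hits

SAMPLE_LOG = """2024-08-02T10:01:12 10.0.5.21 query www.angryip.org
2024-08-02T10:03:45 10.0.5.21 query angyrip.org
2024-08-02T10:04:02 10.0.5.22 query github.com
2024-08-02T10:05:30 10.0.5.23 query angryip-scanner.net"""   # constructed resolver log
```

In practice the allow-list would be built from the tools your IT staff actually download, and a hit is a lead to check against proxy and endpoint telemetry, not proof of compromise.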

Hunters International has claimed responsibility for 134 attacks during the first seven months of 2024 and appears to be mostly financially motivated, targeting a broad range of vertical industries.

“Typosquatting and watering hole attacks are just one tool in the threat actor’s arsenal, used to prey on organizations,” said James Allman-Talbot, head of incident response and threat intelligence at Quorum Cyber. “SharpRhino serves as a reminder that threat actors, particularly ransomware groups, given the financial gain they seek, are constantly developing new capabilities and identifying new ways to infiltrate their victims.”

Venky Raju, Field CTO at ColorTokens, added that when IT personnel have spent hours debugging an issue and are mentally fatigued, they are more likely to fall victim to typosquatting attacks.

“When malicious ads serve these fake domains on popular search engines, it’s just a matter of when, not if, even experienced IT employees can get tricked into downloading and installing malicious software,” said Raju. “In many cases, the employee may use a privileged account to install the malicious software, making it even more difficult to defend against.”

Using legitimate-looking domains for delivery is a common technique among opportunistic attackers, pointed out Tom Hegel, senior threat researcher at SentinelLabs. Hegel said typosquatting, SEO poisoning and general search engine abuse are commonly observed among crimeware actors today.

“A good reason IT and technical-oriented individuals are targeted like this is because they often possess elevated access permissions,” said Hegel. “Compromise of such accounts/systems often leads to the attacker's success increasing.”
