
CTI Roundup: SharpRhino RAT Threatens IT Admins, Phishers Leverage Google Drawings and WhatsApp Links

SharpRhino RAT threatens IT admins, ransomware gangs ramp up pressure on targets, and a new phishing scam leverages Google Drawings and WhatsApp links

Emerging Issue

In this week’s roundup, CTI looks into the discovery of a previously unknown remote access trojan (RAT), which cybersecurity researchers are calling SharpRhino. Next, CTI highlights a Sophos report that details how ransomware groups are becoming increasingly aggressive. Finally, CTI investigates a new phishing campaign that leverages Google Drawings and WhatsApp links to evade detection.

1. SharpRhino RAT threatens IT admins

The Quorum Cyber Incident Response Team recently discovered a previously unknown malware family, which the team is calling SharpRhino.

Quorum Cyber attributes the activity to Hunters International. The group delivers the SharpRhino RAT through a typosquatted domain that impersonates the download site of Angry IP Scanner, an open-source network scanner that IT administrators routinely install.

Who is Hunters International?

According to Quorum Cyber, Hunters International is the 10th most active ransomware group in 2024. The group, first observed in 2023, is believed to be connected to the defunct Russia-based Hive ransomware operation.

Hunters International runs a ransomware-as-a-service (RaaS) operation of the familiar double-extortion type: it exfiltrates data from victim environments and then encrypts files. Its encryptor is written in Rust and is assessed as sophisticated. The group has targeted organizations worldwide and across a range of sectors.

SharpRhino RAT analysis

The initial sample, a file named “ipscan-3.9.1-setup.exe”, is a Nullsoft Scriptable Install System (NSIS) installer that carries a self-extracting archive.

  • NSIS installer: Victims download SharpRhino believing they are installing the legitimate Angry IP Scanner installer. The NSIS package contains a password-protected archive, which it extracts with a bundled copy of the 7-Zip command-line tool (7za.exe and 7za.dll).
  • Persistence: The malware establishes persistence through a registry Run key. The Run-key value points to a shortcut that launches “Microsoft.AnyKey.exe”, a legitimate binary that ships with Microsoft Visual Studio 2019, so the autorun entry references a genuine Microsoft executable rather than a custom one.
  • Multiple installations: The installer creates two directories, WindowsUpdater24 and LogUpdateWindows, each holding the binaries and files later used for C2 communication. Installing two copies rather than one is most likely redundancy, so that persistence survives if one copy is found and removed.
  • Execution: The malware’s C# code is heavily obfuscated and is run by loading the source into the Visual Studio component referenced by the persistence entry rather than shipping as a compiled binary. Once running, it sends an HTTP POST request with a JSON body to its C2 server and waits for a command. Quorum Cyber determined that the malware responds to two hardcoded commands, “delay” and “exit.” The delay command will “reconfigure the timer before the malware makes another POST request to retrieve the next command,” and the exit command simply exits the command loop.
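The persistence and staging details above translate directly into a host hunt. The following script is an added example, not code from Quorum Cyber or Tanium: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` (and its HKLM counterpart) prints and flags autorun entries that reference either staging directory, the Microsoft.AnyKey.exe binary, or a .lnk target. The value names, paths and user name in its sample input are constructed, and the shortcut's file name is an assumption; the only indicators taken from the analysis are the two directory names and the binary name.

```python
r"""Hunt for SharpRhino-style Run-key persistence in exported registry data.

Added example (not code from Quorum Cyber or Tanium). It reads the text that
`reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` (and the HKLM
equivalent) prints, and flags entries that reference the indicators named in
the analysis above. Value names, paths and the user name in SAMPLE are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directory names and the Visual Studio binary named in the Quorum Cyber analysis.
STAGING_DIRS = ("windowsupdater24", "logupdatewindows")
ABUSED_BINARY = "microsoft.anykey.exe"


@dataclass
class RunEntry:
    key: str   # registry key the value lives under
    name: str  # value name
    data: str  # value data (the command line that runs at logon)


def parse_reg_query(text: str) -> list[RunEntry]:
    """Parse `reg query ... /s` output: a key line followed by indented value lines."""
    entries: list[RunEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current_key = line
            continue
        # reg query separates name / type / data with runs of spaces.
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if current_key and len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append(RunEntry(current_key, parts[0], parts[2]))
    return entries


def assess(entry: RunEntry) -> list[str]:
    """Return the reasons an autorun entry looks like SharpRhino persistence (empty = clean)."""
    data = entry.data.lower()
    reasons = []
    for d in STAGING_DIRS:
        if f"\\{d}\\" in data:
            reasons.append(f"target lives in staging directory {d}")
    # A Visual Studio 2019 component has no business in a Run key, wherever it sits on disk.
    if ABUSED_BINARY in data:
        reasons.append(f"autorun launches {ABUSED_BINARY}")
    # The write-up says the Run key points at a shortcut; a .lnk hides the real target.
    if data.rstrip('"').endswith(".lnk"):
        reasons.append("autorun target is a .lnk shortcut")
    return reasons


def hunt(reg_query_output: str) -> dict[str, list[str]]:
    """Map 'key\\valuename' -> reasons, for every entry that matched at least one indicator."""
    findings: dict[str, list[str]] = {}
    for entry in parse_reg_query(reg_query_output):
        reasons = assess(entry)
        if reasons:
            findings[f"{entry.key}\\{entry.name}"] = reasons
    return findings


# Constructed sample: two benign entries and two that mimic the described persistence
# (value names, paths and the .lnk file name are assumed, not taken from the report).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\itadmin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    UpdateWindowsKey    REG_SZ    C:\Users\itadmin\AppData\Roaming\LogUpdateWindows\Microsoft.AnyKey.lnk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    WindowsUpdater    REG_SZ    "C:\ProgramData\WindowsUpdater24\Microsoft.AnyKey.exe"
"""

if __name__ == "__main__":
    for target, reasons in hunt(SAMPLE).items():
        print(target)
        for r in reasons:
            print("   -", r)
```

Run it over `reg query` output collected from endpoints. A Run key that points at a shortcut tells you nothing about what the shortcut launches, so resolve the .lnk target on disk before deciding an entry is benign, and treat the directory names as the strongest of the three signals: the installer's file name mirrors the legitimate Angry IP Scanner release naming, so the download domain, not the file name, is what distinguishes the trojanized copy.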

Analyst comments from Tanium’s Cyber Threat Intelligence team

Hunters International has proven to be a significant threat, already claiming 134 attacks in 2024.

Part of the reason the RaaS operation remains successful is that it regularly adds new capabilities to its offering, SharpRhino being the latest.

Distributing malware through a typosquatted download site for a popular admin tool is not technically sophisticated, but it is becoming very common, and it is aimed squarely at IT administrators, whose accounts typically carry elevated privileges. Treat it as a reminder to fetch admin tooling only from the project’s official site or repository and to check the publisher signature or published hash before running an installer.

2. Ransomware gangs ramp up pressure on targets

According to a Sophos report, ransomware groups are becoming increasingly aggressive when pressuring victims into paying.

Ransomware groups now combine old and new tactics, marking a clear evolution in their approach. Sophos breaks these tactics down into several categories: legislation and litigation, ethics, reputational damage, embarrassment, sensitive data, and swatting.

Legislation and litigation tactics

Sophos has observed several cases in which ransomware actors weaponized legislation, or encouraged secondary victims such as clients, customers, or employees to file lawsuits, to increase pressure on the victim organization. One example is a BlackCat incident in November 2023 in which the actor filed a complaint with the U.S. Securities and Exchange Commission (SEC) alleging that the victim had failed to notify the agency of the breach.

Another example involved the Monti ransomware gang. The operation claimed that an employee of a compromised organization had been searching for inappropriate material, and posted a browser history and a PowerShell window displaying the username of the supposed offender as evidence. The gang then stated that it would report the user to the authorities if the ransom was not paid.

Ransomware actors are also encouraging people whose personally identifiable information (PII) was exposed in a breach to take part in litigation, and are naming specific individuals whom they claim are responsible.

Ethics, reputational damage, and embarrassment tactics

These tactics appear when ransomware actors claim to be ethical, or pose as penetration testers or security auditors. Actors often label their victims “irresponsible” or “negligent” in the hope that the public will see the organization in a bad light and view the actor as benevolent.

Sophos observed multiple instances where actors have threatened to reach out to customers or partners of a compromised organization to create more pressure. In these instances, the actor applied pressure from more than one angle including media, customers, clients, or regulatory bodies.

Sensitive data, swatting, and more

Ransomware groups often publish stolen information after their attacks. Actors have released medical information including mental health records, medical records of children, blood test data, and more.

In one extreme example, the Qiulong ransomware group posted images of identity documents belonging to a CEO’s daughter, along with a direct link to her Instagram profile. More recently, in January 2024 a threat actor threatened to “swat” patients at a cancer hospital.

Analyst comments from Tanium’s Cyber Threat Intelligence team

As the Sophos report indicates, ransomware operators are becoming increasingly aggressive in their campaigns. It also demonstrates how ransomware groups are evolving and using both old and new tactics to intimidate victims.

Many of the new tactics, like phone calls and swatting, reveal how actors are willing to ‘move threats from the digital sphere and into the real world.’ These tactics show how ransomware actors are becoming more sophisticated by using multiple angles to threaten victims.

3. New phishing scam leverages Google Drawings and WhatsApp links

Menlo Security has identified a new phishing campaign that leverages Google Drawings and WhatsApp shortened links to evade detection.

The campaign starts with a phishing email asking the victim to confirm their Amazon account information. The email’s call-to-action graphic is hosted on Google Drawings, so the clickable element sits on a trusted Google domain that URL-reputation filters are unlikely to block. The fake site ultimately harvests the victim’s credentials, credit card details, and other personal information.

The phishing email

Victims receive a phishing email that asks them to verify their Amazon account while claiming they were suspended for unusual sign-in activity.

The threat actor will attempt to create a sense of urgency by giving the victim 24 hours to verify the account or face a permanent suspension.

The phishing site

If the user clicks the button to verify their account, they are led to a phishing site that mimics the legitimate Amazon sign-in page. The link embedded in the graphic was created with WhatsApp’s URL shortener, and that shortened link in turn chains into a second shortener service, one used for dynamic QR codes, so the final phishing host is two redirects away from anything visible in the email.
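To see how a shortener-in-a-shortener chain hides the landing page from anything visible in the email, here is an added example (not Menlo Security’s or Tanium’s code) that walks a redirect chain hop by hop and flags two things: more than one shortener host in the chain, and a landing host that is not the impersonated brand’s own domain. The page does not name the shortener services, so the shortener watchlist, the brand host list, the link formats and the redirect map are all assumptions; the phishing host uses the reserved .example TLD.

```python
"""Unwrap a shortener-on-shortener redirect chain and judge the landing host.

Added example, not Menlo Security's or Tanium's code. The page names only "a
WhatsApp URL shortener" chained into "another URL shortener service for dynamic
QR codes"; the shortener hostnames below are an assumed watchlist, and the
redirect map is constructed (the phishing host uses the reserved .example TLD).
"""
from __future__ import annotations

from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumed watchlist of link-shortening hosts (extend from your own telemetry).
SHORTENER_HOSTS = {"l.wl.co", "qrco.de", "bit.ly", "tinyurl.com", "t.co"}

# Hosts the impersonated brand legitimately signs users in on (assumed for the example).
BRAND_HOSTS = {"amazon": ("amazon.com", "amazon.co.uk", "amazon.de")}

# A resolver returns the next URL (the Location header) or None when there is no redirect.
Resolver = Callable[[str], Optional[str]]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_brand_host(host: str, brand: str) -> bool:
    """True only for the brand's registrable domain or a subdomain of it, never a lookalike."""
    return any(host == h or host.endswith("." + h) for h in BRAND_HOSTS[brand])


def follow_chain(url: str, resolve: Resolver, max_hops: int = 8) -> list[str]:
    """Return every URL visited, stopping at the landing page, a redirect loop, or max_hops."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = resolve(chain[-1])
        if nxt is None:
            break                 # no redirect: landing page reached
        chain.append(nxt)
        if nxt in seen:
            break                 # redirect loop
        seen.add(nxt)
    return chain


def analyze(url: str, claimed_brand: str, resolve: Resolver) -> dict:
    """Score a link from an email that claims to come from `claimed_brand`."""
    chain = follow_chain(url, resolve)
    hops = [host_of(u) for u in chain]
    shortener_hops = [h for h in hops if h in SHORTENER_HOSTS]
    landing_ok = is_brand_host(hops[-1], claimed_brand)
    nested = len(shortener_hops) >= 2
    return {
        "hops": hops,
        "shortener_hops": len(shortener_hops),
        "nested_shorteners": nested,
        "landing_matches_brand": landing_ok,
        "verdict": "suspicious" if (nested or not landing_ok) else "ok",
    }


# Constructed redirect map standing in for a real HTTP client; the link formats are
# assumed. In production, replace it with a fetch that does NOT auto-follow redirects
# and returns the Location header (e.g. requests.get(url, allow_redirects=False)).
SAMPLE_EMAIL_LINK = "https://l.wl.co/l?u=https%3A%2F%2Fqrco.de%2Fbc1Example"
CONSTRUCTED_REDIRECTS = {
    SAMPLE_EMAIL_LINK: "https://qrco.de/bc1Example",
    "https://qrco.de/bc1Example": "https://amazon-account-verify.example/ap/signin",
}


def constructed_resolver(url: str) -> Optional[str]:
    return CONSTRUCTED_REDIRECTS.get(url)


if __name__ == "__main__":
    for u in (SAMPLE_EMAIL_LINK,                      # link behind the email graphic
              "https://www.amazon.com/ap/signin"):    # genuine sign-in page, for contrast
        print(u, "->", analyze(u, "amazon", constructed_resolver))
```

The hop count matters as much as the final host: a single shortener in front of a brand domain is routine marketing, but two shorteners stacked on each other, with the second one being a QR-code service, is a pattern a mail gateway can score on even before the landing host is known.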

Data theft

After the user inputs their Amazon login credentials, they are guided through four different pages — each one aiming to convince the user that they are engaging in some sort of activity to secure their account.

Throughout each of the pages, the threat actor collects different information. Menlo notes that the victim does not have to make it all the way through all four pages to have their data stolen, because each page transmits its contents to the actor as soon as it is submitted.

Here is a breakdown of the process:

  • The Security Checkup page will ask the victim to enter information like the mother’s maiden name, date of birth, and phone number.
  • The user will then be directed to a billing page and asked for credit card information.
  • After completing the four pages, they are redirected to the original phishing page.
  • Menlo has confirmed that “once the credentials have been entered and validated, the webpage is no longer accessible from the same IP address.”

Analyst comments from Tanium’s Cyber Threat Intelligence team

This phishing campaign is somewhat more comprehensive than a typical credential phish. Not only does the threat actor collect credentials and credit card information, but also answers to common security questions, such as the mother’s maiden name. That piece of information, combined with the other stolen details, could let the actor recover or log in to other accounts that use similar security questions, so affected users should assume those answers are burned wherever they have been reused. Menlo’s observation that the page stops serving an IP address once valid credentials have been entered is also worth noting for defenders: an analyst or sandbox that retries the URL from an egress address that has already submitted data will see a dead page, so reproduce the redirect chain from a fresh address.



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
