SharpRhino is a new malware employed by Hunters International, a group linked to Russia, whose primary purpose is to infiltrate targeted infrastructure and establish persistence. The malware disguises itself as the open-source network-administration tool Angry IP Scanner and is distributed through typosquatting domains, which trick users into downloading it instead of the legitimate software. Upon execution, SharpRhino gives the attackers remote access to the device, enabling them to maintain that access and launch subsequent attacks.
This malware represents an evolution in ransomware development tactics, aligning with trends observed in other notable examples such as Hive and BlackCat. The researchers discovered that SharpRhino carries a valid code-signing certificate issued to J-Golden Strive Trading Co. Ltd, making it appear to be legitimate software. The file that delivers the malware is a Nullsoft Scriptable Install System (NSIS)-packed executable, which most archive tools can open and inspect.
Quorum Cyber has provided a list of indicators of compromise for SharpRhino, helping organizations identify whether they have inadvertently downloaded the Remote Access Trojan (RAT) instead of the intended legitimate tool. Ultimately, SharpRhino's objective is to give Hunters International persistent control over a targeted system from which to launch sophisticated ransomware attacks for financial gain. These attacks are not sector- or region-specific; instead, they are launched opportunistically.
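Because the page's delivery vector is a typosquatted download domain, one practical defensive check is to run proxy or DNS logs through a lookalike-domain filter. The script below is an added example written for this page; it is not code from Quorum Cyber or from the SharpRhino report. It assumes the legitimate Angry IP Scanner site is angryip.org (the page does not name either the legitimate or the lookalike domains, so both the allowlist and the log lines here are constructed), and it flags hosts whose registrable name reuses the brand under another TLD or sits within a small edit distance of it.

```python
"""Flag lookalike (typosquat) download domains in proxy logs.

Added example for this page; not part of the original article.
Assumption: the legitimate Angry IP Scanner domain is angryip.org.
"""
import re

BRAND = "angryip"                 # brand token to watch for
LEGIT_DOMAINS = {"angryip.org"}   # assumed allowlist of legitimate registrable domains
MAX_EDIT_DISTANCE = 2             # how close a second-level label must be to count as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels. Sufficient for .org/.com/.net;
    a production version would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a hostname."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    sld = reg.split(".")[0].replace("-", "")  # second-level label, hyphens stripped
    if BRAND in sld:                          # brand reused under another TLD or with extra words
        return "lookalike"
    if levenshtein(sld, BRAND) <= MAX_EDIT_DISTANCE:   # near-miss spelling of the brand
        return "lookalike"
    return "unrelated"


# Constructed proxy log lines: "<epoch> <workstation> <user> GET <url> <status>"
LOG_LINES = [
    "1723000000.123 wkstn-07 alice GET https://angryip.org/download/ 200",
    "1723000001.456 wkstn-12 bob GET https://angryip-scanner.com/AngryIPScanner.exe 200",
    "1723000002.789 wkstn-03 carol GET https://angrybirds.com/ 200",
    "1723000003.012 wkstn-12 bob GET http://angyrip.org/setup.exe 200",
    "1723000004.345 wkstn-09 dave GET https://www.microsoft.com/ 200",
    "malformed line that the parser should skip",
]

LOG_RE = re.compile(
    r"^\S+ \S+ (?P<user>\S+) GET https?://(?P<host>[^/:\s]+)\S* (?P<status>\d{3})$"
)


def find_lookalikes(lines):
    """Return (user, host) pairs for every request to a lookalike domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        host = m.group("host")
        if classify(host) == "lookalike":
            hits.append((m.group("user"), host))
    return hits


if __name__ == "__main__":
    for user, host in find_lookalikes(LOG_LINES):
        print(f"lookalike download domain: user={user} host={host}")
```

Running it over the constructed lines reports bob's requests to angryip-scanner.com and angyrip.org while leaving angrybirds.com alone, which illustrates why the brand-substring rule and a small edit-distance threshold are used together rather than either one on its own. In a real deployment the allowlist and the registrable-domain logic should come from a maintained public-suffix list, and hits should be cross-checked against the published indicators of compromise rather than treated as confirmation on their own.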
Description last updated: 2024-10-17T11:47:18.854Z