Ransomware Group Targets IT Workers by Impersonating Legitimate Scanning Tool
The Hunters International threat group is targeting IT workers with a trojanized download that impersonates a legitimate IP and port scanning tool, using the malware it delivers to gain initial access to networks. Hunters International is a ransomware group that first emerged in October 2023. It has been linked to the Hive ransomware group, which was the subject of a law enforcement operation and was shut down in January 2023. Security researchers have suggested Hunters International is a rebrand of Hive, citing roughly 60% code overlap between the two, but the group claims it is independent and merely purchased the Hive code.
Hunters International is not the most prolific ransomware group, but it has conducted more than 130 attacks so far this year. As the group's name suggests, attacks are conducted worldwide, with the threat actor claiming victims in around 30 countries. The group primarily hunts for data, which it exfiltrates from victims' networks and threatens to publish if a ransom is not paid; the attacks often also include file encryption.
Hunters International poses a significant threat to the healthcare and public health (HPH) sector and has already conducted several attacks on U.S. healthcare organizations, including Arisa Health, Integris Health, Northeast Rehabilitation Hospital Network, Fred Hutchinson Cancer Center, Covenant Care, Crystal Lake Health Centers, Therapeutic Health Services, BeneCare Dental Insurance, and Betances Health Center.
The group's tactics, techniques, and procedures (TTPs) are constantly evolving. Its known initial access methods include phishing emails, social engineering, supply chain attacks, and Remote Desktop Protocol (RDP), and security researchers at Quorum Cyber have now identified a new one. During a recent ransomware investigation, the researchers found a previously undocumented malware variant that has not been linked to any other threat group. Dubbed SharpRhino, it is a Remote Access Trojan written in C# that gives the group initial access to victims' networks.
Hunters International targets IT workers because their accounts are likely to hold high privileges. The malware is delivered from a typosquatting domain that masquerades as the download site for Angry IP Scanner, a legitimate open-source IP address and port scanning tool. Once executed, the malware establishes persistence through a registry modification and gives the attackers remote access to the device.
The file served from the typosquatting domain is named ipscan-3.9.1-setup.exe. It is a 32-bit Portable Executable (PE) built with the Nullsoft installer (NSIS) and carries a password-protected self-extracting archive. The installer drops a LogUpdate.bat file, which runs PowerShell scripts that compile C# source in memory and execute the result, a technique that avoids writing a compiled payload to disk as a conventional executable. The malware can run PowerShell commands on the compromised device and is ultimately used to deliver the ransomware payload.
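The delivery chain above gives a defender two cheap checks: was the installer fetched from somewhere other than the vendor's real site, and does the file match the described profile (a 32-bit PE that is an NSIS installer)? The script below is an added example written for this page, not code from Quorum Cyber or from the article. It assumes proxy logs in a simple "timestamp user host path" form, that angryip.org is the genuine Angry IP Scanner project domain, and that any other host serving an ipscan-*-setup.exe is suspect. The proxy log lines and the look-alike hosts in them (all on the reserved .example TLD) are constructed, and `build_fake_pe` fabricates a header-only stand-in for a downloaded file so the PE check can run offline; the real typosquatting domain is not reproduced here.

```python
import re
import struct

# Genuine Angry IP Scanner project domain; treated as the only trusted download source.
LEGIT_DOMAINS = {"angryip.org", "www.angryip.org"}
# The lure was ipscan-3.9.1-setup.exe; match the whole installer name family, not one version.
LURE_FILENAME = re.compile(r"^ipscan-\d+(?:\.\d+)*-setup\.exe$", re.IGNORECASE)
BRAND_TOKENS = ("angryip", "angry-ip", "ipscan")

# Constructed sample proxy log: "<timestamp> <user> <host> <path>". Hosts on .example are invented.
SAMPLE_PROXY_LOG = """\
2024-08-05T09:12:41Z jsmith www.angryip.org /download/ipscan-3.9.1-setup.exe
2024-08-05T10:03:17Z rlee angryipscanner-download.example /get/ipscan-3.9.1-setup.exe
2024-08-05T10:04:02Z rlee cdn.example /assets/logo.png
2024-08-05T11:40:59Z kchen angryip.example /ipscan-3.9.1-setup.exe
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats such as 'angyip.org'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_is_lookalike(host: str) -> bool:
    """True when a host trades on the Angry IP Scanner name but is not the real domain."""
    h = host.lower()
    if h in LEGIT_DOMAINS:
        return False
    if any(tok in h for tok in BRAND_TOKENS):
        return True
    return min(edit_distance(h, d) for d in LEGIT_DOMAINS) <= 2


def triage_proxy_log(text: str) -> list[dict]:
    """Flag lure-named installers, or brand look-alike hosts, fetched from outside the vendor domain."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the hunt
        ts, user, host, path = parts
        if host.lower() in LEGIT_DOMAINS:
            continue
        filename = path.rsplit("/", 1)[-1]
        lure_name = bool(LURE_FILENAME.match(filename))
        lookalike = host_is_lookalike(host)
        if lure_name or lookalike:
            findings.append({"ts": ts, "user": user, "host": host, "file": filename,
                             "lure_filename": lure_name, "lookalike_host": lookalike})
    return findings


# PE header constants (IMAGE_FILE_HEADER.Machine values) and the NSIS first-header magic string.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
NSIS_MAGIC = b"NullsoftInst"


def pe_summary(data: bytes) -> dict:
    """Parse just enough of a PE to report bitness and whether it carries the NSIS marker."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {"machine": machine,
            "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
            "is_nsis": NSIS_MAGIC in data}


def build_fake_pe(machine: int, overlay: bytes = b"") -> bytes:
    """Constructed stand-in for a downloaded installer: valid MZ/PE headers, no real code."""
    buf = bytearray(0x40)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                      # e_lfanew -> COFF header at 0x40
    buf += b"PE\0\0" + struct.pack("<H", machine) + bytes(18)    # rest of the 20-byte IMAGE_FILE_HEADER
    return bytes(buf) + overlay


def matches_lure_profile(data: bytes) -> bool:
    """The profile reported for the lure: a 32-bit PE built as an NSIS installer."""
    s = pe_summary(data)
    return s["is_32bit"] and s["is_nsis"]


if __name__ == "__main__":
    for f in triage_proxy_log(SAMPLE_PROXY_LOG):
        print("SUSPECT", f)
    sample = build_fake_pe(IMAGE_FILE_MACHINE_I386, b"\xef\xbe\xad\xde" + NSIS_MAGIC)
    print("matches lure profile:", matches_lure_profile(sample))
```

The two checks are deliberately independent: a user who reached the real angryip.org is never flagged, while a lure-named installer from anywhere else is flagged even when the host does not resemble the brand at all, since the attacker controls the domain name but not the filename the victim expects. The PE profile check is a triage filter, not proof; a matching file still needs hashing against Quorum Cyber's published IoCs.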
Quorum Cyber has published its full analysis of SharpRhino, including Indicators of Compromise (IoCs) for network defenders.