Quorum Cyber Identifies New RAT from Hunters International

“`html
Short Summary:

Hunters International, a ransomware group that emerged in October 2023, has quickly become the 10th most active ransomware group in 2024. They operate as a Ransomware-as-a-Service (RaaS) provider, facilitating attacks by less sophisticated actors. Their tactics include data exfiltration, sophisticated encryption techniques, and targeting various sectors opportunistically, while avoiding Russian-influenced regions.

Key Points:

  • Hunters International first observed on October 20, 2023.
  • Ranked as the 10th most active ransomware group in 2024.
  • Attributed to the defunct Hive ransomware group due to code similarities.
  • Claimed responsibility for 134 attacks in the first seven months of 2024.
  • Operates as a Ransomware-as-a-Service (RaaS) provider.
  • Utilizes sophisticated encryption coded in Rust.
  • Targets organizations opportunistically across various sectors.
  • Avoids targeting organizations within Russian-influenced CIS regions.

MITRE ATT&CK TTPs – created by AI

  • T1497.001 – Virtualization/Sandbox Evasion: System Checks
    • ipscan-3.9.1-setup.exe called GetDiskFreeSpaceExW
  • T1134 – Access Token Manipulation
    • 7za.exe sets privilege: SeRestorePrivilege
    • 7za.exe sets privilege: SeCreateSymbolicLinkPrivilege
    • 7za.exe sets privilege: SeSecurityPrivilege
    • ip-3.9.1-setup.exe called NtOpenThreadToken
    • ip-3.9.1-setup.exe called NtOpenProcessToken
  • T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion
    • A thread of ipscan-3.9.1-setup.exe sleeps for 66 seconds
  • T1027.002 – Obfuscated Files or Information: Software Packing
    • ipscan-3.9.1-setup.exe is a NSIS archive
  • T1036.001 – Masquerading: Invalid Code Signature
    • Digital signature of ipscan-3.9.1-setup.exe failed verification
  • T1027.004 – Obfuscated Files or Information: Compile After Delivery
    • csc.exe is called to compile source code from command-line
  • T1480 – Execution Guardrails
    • ipscan-3.9.1-setup.exe called GetUserDefaultLCID
  • T1543.003 – Create or Modify System Process: Windows Service
    • ServicesMSDTCDelayedAutostart is written
  • T1135 – Network Share Discovery
    • ipscan-3.9.1-setup.exe called NetShareEnum
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell
    • cmd.exe process is launched to execute WindowsUpdate.bat
  • T1059.001 – Command and Scripting Interpreter: PowerShell
    • Attempt of execution in a hidden window
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    • RunUpdateWindowsKey registry is written
  • T1071.001 – Application Layer Protocol: Web Protocols
    • HTTPS is used to communicate with a C2 server on Cloudflare Workers
  • T1573 – Encrypted Channel
    • HTTPS is used to communicate with a C2 server on Cloudflare Workers

“`

Threat Actor Summary

First observed on 20th October 2023, Hunters International has carved out a significant portion of the threat landscape by becoming the 10th most active ransomware group in 2024. Despite the group denying it, many experts in the cyber intelligence community have attributed Hunters International to the now defunct, Russian based Hive ransomware group due to compelling similarities in the ransomware source code.

So far, Hunters International has claimed responsibility for 134 attacks in the first seven months of 2024. The group has positioned itself as a Ransomware-as-a-Service (RaaS) provider, thereby enabling other potentially less sophisticated threat actors with tooling to conduct additional attacks. Being a RaaS provider is highly likely a main cause for their fast rise to notoriety.

Encryption and demand

Typical of ransomware operators, Hunters International exfiltrates data from victim organisations prior to encrypting files, changing file extensions to .locked, and leaving a README message guiding recipients to a chat portal on the TOR network for payment instructions.

The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering. This tactic is in line with the evolution observed in the ransomware development, with notable examples including both Hive and BlackCat.

Figure 1: Hunters International ransom note

Targeting Profile

Hunters International, like most organised ransomware groups, is motivated by the opportunity for financial gain. As such, the group does not appear to prioritise any specific sector over others, and instead targets via opportunistic means. However, to date Hunters International has not targeted any organisation based within the Russian influenced Commonwealth of Independent States (CIS), thereby adding confidence to the assessment that the group has affiliate ties to Russia.

Figure 2: Hunters International targeted countries

For a more thorough analysis and insight into Hunters International, please see our report on the Quorum Cyber website here.

Filename, File Size, File Type

The initial malware was identified as `ipscan-3.9.1-setup.exe` and can be described as 32-bit Portable Executable (PE) Nullsoft installer with a self-extracting archive.

Hashes (MD5, SHA1, SHA256)

  • MD5: 4bba5b7d3713e8b9d73ff1955211e971
  • SHA1: 9473104a1aefb0daabe41a92d75705be7e2daaf3
  • SHA256: 09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264

Signing Information

The RAT has a valid code certificate and is masquerading as a legitimate network administration tool called AngryIP. This tool is open source, allowing a malicious actor to abuse and misuse valid code signing certificates.

Code Certificate

  • Name: J-Golden Strive Trading Co., Ltd.
  • Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
  • Valid From: 07:40PM 06/12/2024
  • Thumbprint: 0C07296EDF29D3333B63A2A63935BD15FFDE5596
  • Serial Number: 01 D6 35 04 53 DB E2 DB CD 8C 4B 1A

NSIS Installer

SharpRhino propagates by impersonating a legitimate open-source administration tool called AngryIP. The victim downloaded and executed this malware believing it to be the legitimate installer. EXEInfo identified indicators suggesting the file was an NSIS (Nullsoft Scriptable Installer System) packed executable.

Figure 3: EXEinfo output against ipscan-3.9.1-setup.exe

NSIS packed executables are very common and, as a result, most compression tools like 7zip can understand and read these files. Using 7zip, we can inspect the contents of the malicious installer.

Figure 4: Contents of the malicious installer

The installer contains an additional binary called ipsscan-3.9.1-setup.exe and a password protected 7z archive. Note that this method will only show embedded files within the NSIS binary and not code to be executed upon launching the installer.

To further the investigation, we needed access into the password protected archive. There were two possible methodologies to determine the password. The first would be to reverse the installer and look for the almost certainly encrypted and obfuscated password, which would be time consuming and laborious. The second option was to detonate the malware and capture logs – which is the method we chose for two reasons.

  1. It is very likely the embedded 7za.exe was required for extraction – and as such, command-line logs would be left behind after detonation
  2. The analysis was required as part of a time-sensitive investigation.

As expected, the embedded 7z archive is extracted using the embedded 7za.exe and 7za.dll. Capturing this command-line reveals the password for the archive as TG98HJerxsdqWE45.

Figure 5: Process spawned by the NSIS executable to extract the embedded archive

With the archive password, we can extract the archive separately to continue the investigation.

Figure 6: Contents of the password protected archive within the NSIS installer

Detonating the malware also revealed some other characteristics of the NSIS installer. Persistence is established by modifying the RunUpdateWindowsKey registry with the shortcut for Microsoft.AnyKey, highlighted in Figure 6. The shortcut points to the installation location for Microsoft.AnyKey.exe and some additional parameters.

Using OSINT (Open-Source Intelligence), the binary Microsoft.AnyKey.exe has been identified as LOLBIN (Living off the Land Binary) typically packaged with Microsoft Visual Studio 2019 Node JS tools. However, in this case, this binary has been brought over by the attacker.

Figure 7: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey/

The LOLBIN is used to execute the file LogUpdate.bat originally packed within the password protected archive and dropped by the NSIS installer. The snippet below of the .bat file shows reference to a .t file. Through further obfuscated PowerShell, this .t file is executed.

Figure 8: Beautified code snippet from LogUpdate.bat

The NSIS installer establishes two directories within C:ProgramDataMicrosoft called WindowsUpdater24 and LogUpdateWindows. Analysis has revealed that both directories ultimately contain binaries and files to facilitate Command and Control with the attacker as the final deobfuscated product is identical:

  • C:ProgramDataMicrosoftWindowsUpdater24 contains the files to be executed upon initial execution of the NSIS installer
  • C:ProgramDataMicrosoftLogUpdateWindows contains the files required to establish persistence by the threat actor.

Figure 9: File structure of C:ProgramDataMicrosoftWindowsUpdate24

This is almost certainly to facilitate a fallback mechanism. If the folder WindowsUpdater24 and its contents are discovered by a security engine or professional, there exists the possibility that the persistence mechanism will remain, and the device will remain infected.

This report will conduct the investigation from the persistence mechanism and the folder C:ProgramDataMicrosoftLogUpdateWindows.

As the investigation followed the execution trial, the next step was to analyse the batch file LogUpdate.bat referenced in the Microsoft.AnyKey.lnk shortcut as part of the persistence mechanism.

Figure 10: LogUpdate.bat contents

This batch file assigns the path C:ProgramDataMicrosoftLogUpdateWindowsWiaphoh7um.t to a variable – which is later executed in the batch file.

The .t file appears to be more PowerShell. Scanning the .t file reveals some characteristics and clues as to its nature.

Figure 11: First snippet of the raw .t file as it appears

Figure 12: Second snippet of the raw.t file as it appears

  • Lines 2, 3, and 4 suggests encoding using PowerShell Secure Strings.
  • Lines 5, 6, and 7 appear to concatenate strings that reference Dynamically Linked Libraries (DLL).
  • Line 8 appears to build a string for a web address.
  • Line 9 appears to process a string and compile C# source code. This suggests the string on Line 3 is source code.
  • Line 10 appears to execute some jargon class and function names which are almost certainly objects compiled from the C# source code.

Tidying up the .t file helps to understand its purpose. It is a PowerShell script that compiles C# code and loads the compiled binary into memory – a form of fileless malware. Once the malware is loaded into memory, functions are called within the malware. The first parameter passed to the HPlu function is a web address for Cloudflare’s Serverless Architecture.

Figure 13: Tidied up version of the .t file

This address will likely be Hunters International’s Command-and-Control (C2) infrastructure. This will need to be confirmed before responding to the incident investigation explaining how the device was compromised.

To accomplish this, the .t file was modified to write out the source code to a file rather than compiling and executing.

Figure 14: Modified .t file to write C# source code to a file

The next step of the investigation is directed towards the extracted C# source code written out by the modified .t file. As expected, the C# source code is highly obfuscated with jargon variable names, functions and classes. While having the source code is a luxury, deobfuscating code is a time-consuming operation not appropriate for an incident response setting.

Loading the source code into an integrated development environment (IDE) is an excellent time-saver as it highlights code not utilised and facilities useful features like symbol renaming.

Figure 15: Snippet of the C# source code in an IDE. Highlighted by the squares are the objects referenced by the .t file

Highlighted by Figure 15 are the objects referenced by the .t file.

To direct the analysis efforts on the C# source code and guide the deobfuscation efforts, the .t files were executed. However, rather than attempting to communicate with the attacker’s server, instead we shall communicate with a server under our control.

Figure 16: Modified .t file so that communication is directed towards a server under our control

By establishing communication with the malware, we can observe the kind of communication expected between the malware and the attacker’s infrastructure.

Upon execution, the malware is sending a HTTP POST request with JSON request data. The Data field in the JSON object appears to contain base64 encoded data based on the characters present – however, attempting to decode with base64 returns jargon data suggesting it is likely encrypted. The goal of the analysis against the C# source code is to understand and perhaps remove the encryption.

Figure 17: Communication between the unmodified malware and our server

The C# code below presents all the hallmarks of an encryption routine. It accepts byte objects, consists of for loops with one loop containing XOR operations. We have assessed that this function is very likely responsible for encryption, and as such, the function was renamed to resemble its functionality.

Figure 18: Assessed encryption routine within the C# source code

This assessed encryption routine is referenced only once within the code in the function below. This function was renamed to encryptionWrapper to best describe its functionality.

Figure 19: Error handling function for the assessed encryption routine

To bypass the encryption, the encryptionWrapper function was modified to return the data passed into it as opposed to calling encryption.

Figure 20: Modified error handling function to simply return the unmodified data

Note that all base64 operations were kept in place and unmodified.

Executing the modified .t file and setting up the listener on our server – without the encryption in place, we can see exactly the kind of information sent to the attacker’s server.

Figure 21: Communication between our controlled server and the encryption free malware

Notably, the information includes the string register. This is almost certainly a command to register the implant with the attacker’s C2 infrastructure. Secondly, there is a jargon string. The purpose of this string is not entirely clear and may require examining code on the attacker’s end to fully understand its purpose but it could either be a unique identifier for decryption or just authentication. Note this string is also in the ID field of the JSON object. Finally, the register command includes with it the device name and username.

Now that we understand the malware’s language, our investigation’s goal was to establish full communication to fully understand its potential. To aid in this, the C# source code was deobfuscated further, revealing the malware is configured to respond to two hard-coded commands, delay and exit.

Figure 22: Code within the malware designed to handle specific commands.

The delay command will reconfigure the timer before the malware makes another POST request to retrieve the next command, whereas the exit command will simply terminate the loop responsible for sending the POST requests. This exercise also revealed the purpose of the “95000” value passed to the function that started the malware. This value is the interval between each POST request. This was discovered by setting the value to 0 and bricking our server as it was flooded with POST requests. Sending a delay command will overwrite this value.

There is a final branch in the if statement displayed in Figure 22. This branch spawns a thread, so this is where the investigation went.

Figure 23: The C# function responsible for executing PowerShell commands

Inspecting this function reveals it uses something called a Runspace. A google search on this class shows it is part of the PowerShell SDK (Software Development Kit). Therefore, we can make the educated guess that the function we have called injectCommand will execute PowerShell.

We have enough to build a response to send back to the malware now.

To effectively communicate with the malware, a very rudimentary C2 server was built. It won’t handle multiple implants or provide management features – however, it will send any response we hardcode. As a proof-of-concept, we attempted to launch the calculator application present on virtually all modern Windows systems.

Figure 24: Listener established with our customer C2 server

Launching the malware sends the register command to our server. Sixty seconds later, another HTTP POST request is sent expecting to receive a command. It receives our Start-Process calc.exe command and we are greeted with the calculator application on our infected lab.

Figure 25: The calculator application spawned by the malware

As a result of our thorough analysis, we can say with 100% confidence how SharpRhino operates. From the user clicking the original installer to communication with the attacker’s infrastructure and ultimately how initial access was achieved. SharpRhino provided enough granular control to launch a sophisticated ransomware attack.

Defence-evasion

ID Technique Observed Details
T1497.001 Virtualization/Sandbox Evasion: System Checks ipscan-3.9.1-setup.exe called GetDiskFreeSpaceExW
T1134 Access Token Manipulation 7za.exe sets privilege: SeRestorePrivilege
7za.exe sets privilege: SeCreateSymbolicLinkPrivilege
7za.exe sets privilege: SeSecurityPrivilege
ip-3.9.1-setup.exe called NtOpenThreadToken
ip-3.9.1-setup.exe called NtOpenProcessToken
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion A thread of ipscan-3.9.1-setup.exe sleeps for 66 seconds
T1027.002 Obfuscated Files or Information: Software Packing ipscan-3.9.1-setup.exe is a NSIS archive
Shannon entropy of .rsrc section is 6.66
T1036.001 Masquerading: Invalid Code Signature Digital signature of ipscan-3.9.1-setup.exe failed verification
T1027.004 Obfuscated Files or Information: Compile After Delivery csc.exe is called to compile source code from command-line
T1480 Execution Guardrails ipscan-3.9.1-setup.exe called GetUserDefaultLCID
T1543.003 Create or Modify System Process: Windows Service ServicesMSDTCDelayedAutostart is written

Discovery

ID Technique Observed Details
T1497.001 Virtualization/Sandbox Evasion: System Checks ipscan-3.9.1-setup.exe called GetDiskFreeSpaceExW
T1135 Network Share Discovery ipscan-3.9.1-setup.exe called NetShareEnum
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion A thread of ipscan-3.9.1-setup.exe sleeps for 66 seconds

Privilege-escalation

ID Technique Observed Details
T1134 Access Token Manipulation 7za.exe sets privilege: SeRestorePrivilege
7za.exe sets privilege: SeCreateSymbolicLinkPrivilege
7za.exe sets privilege: SeSecurityPrivilege
ip-3.9.1-setup.exe called NtOpenThreadToken
ip-3.9.1-setup.exe called NtOpenProcessToken
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder RunUpdateWindowsKey registry is written
T1543.003 Create or Modify System Process: Windows Service ServicesMSDTCDelayedAutostart is written

Execution

ID Technique Observed Details
T1059.003 Command and Scripting Interpreter: Windows Command Shell cmd.exe process is launched to execute WindowsUpdate.bat
T1059.001 Command and Scripting Interpreter: PowerShell Attempt of execution in a hidden window
High entropy of PowerShell (5.248)

Persistence

ID Technique Observed Details
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder RunUpdateWindowsKey registry is written
T1543.003 Create or Modify System Process: Windows Service ServicesMSDTCDelayedAutostart is written

Command & Control

ID Technique Observed Details
T1071.001 Application Layer Protocol: Web Protocols HTTPS is used to communicate with a C2 server on Cloudflare Workers
T1573 Encrypted Channel HTTPS is used to communicate with a C2 server on Cloudflare Workers

SharpRhino RAT

Hashes

Value SHA-256 File
D2E7729C64C0DAC2309916CE95F6A8253CA7F3C7A2B92B452E7CFB69A601FBF6 LogUpdate.bat
3F1443BE65525BD71D13341017E469C3E124E6F06B09AE4DA67FDEAA6B6C381F Wiaphoh7um.t
223AA5D93A00B41BF92935B00CB94BB2970C681FC44C9C75F245A236D617D9BB ipscan-3.9.1-setup.exe
9A8967E9E5ED4ED99874BFED58DEA8FA7D12C53F7521370B8476D8783EBE5021 kautix2aeX.t
B57EC2EA899A92598E8EA492945F8F834DD9911CFF425ABF6D48C660E747D722 WindowsUpdate.bat
09B5E780227CAA97A042BE17450EAD0242FD7F58F513158E26678C811D67E264 ipscan-3.9.1-setup.exe

Domains

Value Details
cdn-server-1[.]xiren77418[.]workers[.]dev Command & Control
cdn-server-2[.]wesoc40288[.]workers[.]dev Command & Control
Angryipo[.]org Initial Download Site
Angryipsca[.]com Initial Download Site

Hunters International

Domains

Value Details
ec2-3-145-180-193.us-east-2.compute[.]amazonaws[.]com/ Command & Control
ec2-3-145-172-86.us-east-2.compute[.]amazonaws[.]com Command & Control

Key assessments within this report have been written using the Intelligence Terminology Yardstick. The assessed likelihood of events corresponds with pre-defined language to remove areas of uncertainty when ingesting Quorum Cyber Intelligence reports.

Intelligence Cut-off Date (ICoD): 02/08/2024 12:00 UTC

Source: https://www.quorumcyber.com/insights/sharprhino-new-hunters-international-rat-identified-by-quorum-cyber/