“`html
Short Summary:
Hunters International, a ransomware group that emerged in October 2023, has quickly become the 10th most active ransomware group in 2024. They operate as a Ransomware-as-a-Service (RaaS) provider, facilitating attacks by less sophisticated actors. Their tactics include data exfiltration, sophisticated encryption techniques, and targeting various sectors opportunistically, while avoiding Russian-influenced regions.
Key Points:
- Hunters International first observed on October 20, 2023.
- Ranked as the 10th most active ransomware group in 2024.
- Attributed to the defunct Hive ransomware group due to code similarities.
- Claimed responsibility for 134 attacks in the first seven months of 2024.
- Operates as a Ransomware-as-a-Service (RaaS) provider.
- Utilizes sophisticated encryption coded in Rust.
- Targets organizations opportunistically across various sectors.
- Avoids targeting organizations within Russian-influenced CIS regions.
MITRE ATT&CK TTPs – created by AI
- T1497.001 – Virtualization/Sandbox Evasion: System Checks
- ipscan-3.9.1-setup.exe called GetDiskFreeSpaceExW
- T1134 – Access Token Manipulation
- 7za.exe sets privilege: SeRestorePrivilege
- 7za.exe sets privilege: SeCreateSymbolicLinkPrivilege
- 7za.exe sets privilege: SeSecurityPrivilege
- ip-3.9.1-setup.exe called NtOpenThreadToken
- ip-3.9.1-setup.exe called NtOpenProcessToken
- T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion
- A thread of ipscan-3.9.1-setup.exe sleeps for 66 seconds
- T1027.002 – Obfuscated Files or Information: Software Packing
- ipscan-3.9.1-setup.exe is a NSIS archive
- T1036.001 – Masquerading: Invalid Code Signature
- Digital signature of ipscan-3.9.1-setup.exe failed verification
- T1027.004 – Obfuscated Files or Information: Compile After Delivery
- csc.exe is called to compile source code from command-line
- T1480 – Execution Guardrails
- ipscan-3.9.1-setup.exe called GetUserDefaultLCID
- T1543.003 – Create or Modify System Process: Windows Service
- ServicesMSDTCDelayedAutostart is written
- T1135 – Network Share Discovery
- ipscan-3.9.1-setup.exe called NetShareEnum
- T1059.003 – Command and Scripting Interpreter: Windows Command Shell
- cmd.exe process is launched to execute WindowsUpdate.bat
- T1059.001 – Command and Scripting Interpreter: PowerShell
- Attempt of execution in a hidden window
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- RunUpdateWindowsKey registry is written
- T1071.001 – Application Layer Protocol: Web Protocols
- HTTPS is used to communicate with a C2 server on Cloudflare Workers
- T1573 – Encrypted Channel
- HTTPS is used to communicate with a C2 server on Cloudflare Workers
“`
Threat Actor Summary
First observed on 20th October 2023, Hunters International has carved out a significant portion of the threat landscape by becoming the 10th most active ransomware group in 2024. Despite the group denying it, many experts in the cyber intelligence community have attributed Hunters International to the now defunct, Russian based Hive ransomware group due to compelling similarities in the ransomware source code.
So far, Hunters International has claimed responsibility for 134 attacks in the first seven months of 2024. The group has positioned itself as a Ransomware-as-a-Service (RaaS) provider, thereby enabling other potentially less sophisticated threat actors with tooling to conduct additional attacks. Being a RaaS provider is highly likely a main cause for their fast rise to notoriety.
Encryption and demand
Typical of ransomware operators, Hunters International exfiltrates data from victim organisations prior to encrypting files, changing file extensions to .locked, and leaving a README message guiding recipients to a chat portal on the TOR network for payment instructions.
The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering. This tactic is in line with the evolution observed in the ransomware development, with notable examples including both Hive and BlackCat.
Figure 1: Hunters International ransom note
Targeting Profile
Hunters International, like most organised ransomware groups, is motivated by the opportunity for financial gain. As such, the group does not appear to prioritise any specific sector over others, and instead targets via opportunistic means. However, to date Hunters International has not targeted any organisation based within the Russian influenced Commonwealth of Independent States (CIS), thereby adding confidence to the assessment that the group has affiliate ties to Russia.
Figure 2: Hunters International targeted countries
For a more thorough analysis and insight into Hunters International, please see our report on the Quorum Cyber website here.
Filename, File Size, File Type
The initial malware was identified as `ipscan-3.9.1-setup.exe` and can be described as 32-bit Portable Executable (PE) Nullsoft installer with a self-extracting archive.
Hashes (MD5, SHA1, SHA256)
- MD5: 4bba5b7d3713e8b9d73ff1955211e971
- SHA1: 9473104a1aefb0daabe41a92d75705be7e2daaf3
- SHA256: 09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264
Signing Information
The RAT has a valid code certificate and is masquerading as a legitimate network administration tool called AngryIP. This tool is open source, allowing a malicious actor to abuse and misuse valid code signing certificates.
Code Certificate
- Name: J-Golden Strive Trading Co., Ltd.
- Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
- Valid From: 07:40PM 06/12/2024
- Thumbprint: 0C07296EDF29D3333B63A2A63935BD15FFDE5596
- Serial Number: 01 D6 35 04 53 DB E2 DB CD 8C 4B 1A
NSIS Installer
SharpRhino propagates by impersonating a legitimate open-source administration tool called AngryIP. The victim downloaded and executed this malware believing it to be the legitimate installer. EXEInfo identified indicators suggesting the file was an NSIS (Nullsoft Scriptable Installer System) packed executable.
Figure 3: EXEinfo output against ipscan-3.9.1-setup.exe
NSIS packed executables are very common and, as a result, most compression tools like 7zip can understand and read these files. Using 7zip, we can inspect the contents of the malicious installer.
Figure 4: Contents of the malicious installer
The installer contains an additional binary called ipsscan-3.9.1-setup.exe and a password protected 7z archive. Note that this method will only show embedded files within the NSIS binary and not code to be executed upon launching the installer.
To further the investigation, we needed access into the password protected archive. There were two possible methodologies to determine the password. The first would be to reverse the installer and look for the almost certainly encrypted and obfuscated password, which would be time consuming and laborious. The second option was to detonate the malware and capture logs – which is the method we chose for two reasons.
- It is very likely the embedded 7za.exe was required for extraction – and as such, command-line logs would be left behind after detonation
- The analysis was required as part of a time-sensitive investigation.
As expected, the embedded 7z archive is extracted using the embedded 7za.exe and 7za.dll. Capturing this command-line reveals the password for the archive as TG98HJerxsdqWE45.
Figure 5: Process spawned by the NSIS executable to extract the embedded archive
With the archive password, we can extract the archive separately to continue the investigation.
Figure 6: Contents of the password protected archive within the NSIS installer
Detonating the malware also revealed some other characteristics of the NSIS installer. Persistence is established by modifying the RunUpdateWindowsKey registry with the shortcut for Microsoft.AnyKey, highlighted in Figure 6. The shortcut points to the installation location for Microsoft.AnyKey.exe and some additional parameters.
Using OSINT (Open-Source Intelligence), the binary Microsoft.AnyKey.exe has been identified as LOLBIN (Living off the Land Binary) typically packaged with Microsoft Visual Studio 2019 Node JS tools. However, in this case, this binary has been brought over by the attacker.
Figure 7: https://lolbas-project.github.io/lolbas/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey/
The LOLBIN is used to execute the file LogUpdate.bat originally packed within the password protected archive and dropped by the NSIS installer. The snippet below of the .bat file shows reference to a .t file. Through further obfuscated PowerShell, this .t file is executed.
Figure 8: Beautified code snippet from LogUpdate.bat
The NSIS installer establishes two directories within C:ProgramDataMicrosoft called WindowsUpdater24 and LogUpdateWindows. Analysis has revealed that both directories ultimately contain binaries and files to facilitate Command and Control with the attacker as the final deobfuscated product is identical:
- C:ProgramDataMicrosoftWindowsUpdater24 contains the files to be executed upon initial execution of the NSIS installer
- C:ProgramDataMicrosoftLogUpdateWindows contains the files required to establish persistence by the threat actor.
Figure 9: File structure of C:ProgramDataMicrosoftWindowsUpdate24
This is almost certainly to facilitate a fallback mechanism. If the folder WindowsUpdater24 and its contents are discovered by a security engine or professional, there exists the possibility that the persistence mechanism will remain, and the device will remain infected.
This report will conduct the investigation from the persistence mechanism and the folder C:ProgramDataMicrosoftLogUpdateWindows.
As the investigation followed the execution trial, the next step was to analyse the batch file LogUpdate.bat referenced in the Microsoft.AnyKey.lnk shortcut as part of the persistence mechanism.
Figure 10: LogUpdate.bat contents
This batch file assigns the path C:ProgramDataMicrosoftLogUpdateWindowsWiaphoh7um.t to a variable – which is later executed in the batch file.
The .t file appears to be more PowerShell. Scanning the .t file reveals some characteristics and clues as to its nature.
Figure 11: First snippet of the raw .t file as it appears
Figure 12: Second snippet of the raw.t file as it appears
- Lines 2, 3, and 4 suggests encoding using PowerShell Secure Strings.
- Lines 5, 6, and 7 appear to concatenate strings that reference Dynamically Linked Libraries (DLL).
- Line 8 appears to build a string for a web address.
- Line 9 appears to process a string and compile C# source code. This suggests the string on Line 3 is source code.
- Line 10 appears to execute some jargon class and function names which are almost certainly objects compiled from the C# source code.
Tidying up the .t file helps to understand its purpose. It is a PowerShell script that compiles C# code and loads the compiled binary into memory – a form of fileless malware. Once the malware is loaded into memory, functions are called within the malware. The first parameter passed to the HPlu function is a web address for Cloudflare’s Serverless Architecture.
Figure 13: Tidied up version of the .t file
This address will likely be Hunters International’s Command-and-Control (C2) infrastructure. This will need to be confirmed before responding to the incident investigation explaining how the device was compromised.
To accomplish this, the .t file was modified to write out the source code to a file rather than compiling and executing.
Figure 14: Modified .t file to write C# source code to a file
The next step of the investigation is directed towards the extracted C# source code written out by the modified .t file. As expected, the C# source code is highly obfuscated with jargon variable names, functions and classes. While having the source code is a luxury, deobfuscating code is a time-consuming operation not appropriate for an incident response setting.
Loading the source code into an integrated development environment (IDE) is an excellent time-saver as it highlights code not utilised and facilities useful features like symbol renaming.
Figure 15: Snippet of the C# source code in an IDE. Highlighted by the squares are the objects referenced by the .t file
Highlighted by Figure 15 are the objects referenced by the .t file.
To direct the analysis efforts on the C# source code and guide the deobfuscation efforts, the .t files were executed. However, rather than attempting to communicate with the attacker’s server, instead we shall communicate with a server under our control.
Figure 16: Modified .t file so that communication is directed towards a server under our control
By establishing communication with the malware, we can observe the kind of communication expected between the malware and the attacker’s infrastructure.
Upon execution, the malware is sending a HTTP POST request with JSON request data. The Data field in the JSON object appears to contain base64 encoded data based on the characters present – however, attempting to decode with base64 returns jargon data suggesting it is likely encrypted. The goal of the analysis against the C# source code is to understand and perhaps remove the encryption.
Figure 17: Communication between the unmodified malware and our server
The C# code below presents all the hallmarks of an encryption routine. It accepts byte objects, consists of for loops with one loop containing XOR operations. We have assessed that this function is very likely responsible for encryption, and as such, the function was renamed to resemble its functionality.
Figure 18: Assessed encryption routine within the C# source code
This assessed encryption routine is referenced only once within the code in the function below. This function was renamed to encryptionWrapper to best describe its functionality.
Figure 19: Error handling function for the assessed encryption routine
To bypass the encryption, the encryptionWrapper function was modified to return the data passed into it as opposed to calling encryption.
Figure 20: Modified error handling function to simply return the unmodified data
Note that all base64 operations were kept in place and unmodified.
Executing the modified .t file and setting up the listener on our server – without the encryption in place, we can see exactly the kind of information sent to the attacker’s server.
Figure 21: Communication between our controlled server and the encryption free malware
Notably, the information includes the string register. This is almost certainly a command to register the implant with the attacker’s C2 infrastructure. Secondly, there is a jargon string. The purpose of this string is not entirely clear and may require examining code on the attacker’s end to fully understand its purpose but it could either be a unique identifier for decryption or just authentication. Note this string is also in the ID field of the JSON object. Finally, the register command includes with it the device name and username.
Now that we understand the malware’s language, our investigation’s goal was to establish full communication to fully understand its potential. To aid in this, the C# source code was deobfuscated further, revealing the malware is configured to respond to two hard-coded commands, delay and exit.
Figure 22: Code within the malware designed to handle specific commands.
The delay command will reconfigure the timer before the malware makes another POST request to retrieve the next command, whereas the exit command will simply terminate the loop responsible for sending the POST requests. This exercise also revealed the purpose of the “95000” value passed to the function that started the malware. This value is the interval between each POST request. This was discovered by setting the value to 0 and bricking our server as it was flooded with POST requests. Sending a delay command will overwrite this value.
There is a final branch in the if statement displayed in Figure 22. This branch spawns a thread, so this is where the investigation went.
Figure 23: The C# function responsible for executing PowerShell commands
Inspecting this function reveals it uses something called a Runspace. A google search on this class shows it is part of the PowerShell SDK (Software Development Kit). Therefore, we can make the educated guess that the function we have called injectCommand will execute PowerShell.
We have enough to build a response to send back to the malware now.
To effectively communicate with the malware, a very rudimentary C2 server was built. It won’t handle multiple implants or provide management features – however, it will send any response we hardcode. As a proof-of-concept, we attempted to launch the calculator application present on virtually all modern Windows systems.
Figure 24: Listener established with our customer C2 server
Launching the malware sends the register command to our server. Sixty seconds later, another HTTP POST request is sent expecting to receive a command. It receives our Start-Process calc.exe command and we are greeted with the calculator application on our infected lab.
Figure 25: The calculator application spawned by the malware
As a result of our thorough analysis, we can say with 100% confidence how SharpRhino operates. From the user clicking the original installer to communication with the attacker’s infrastructure and ultimately how initial access was achieved. SharpRhino provided enough granular control to launch a sophisticated ransomware attack.
Defence-evasion
ID | Technique | Observed Details |
T1497.001 | Virtualization/Sandbox Evasion: System Checks | ipscan-3.9.1-setup.exe called GetDiskFreeSpaceExW |
T1134 | Access Token Manipulation | 7za.exe sets privilege: SeRestorePrivilege |
7za.exe sets privilege: SeCreateSymbolicLinkPrivilege | ||
7za.exe sets privilege: SeSecurityPrivilege | ||
ip-3.9.1-setup.exe called NtOpenThreadToken | ||
ip-3.9.1-setup.exe called NtOpenProcessToken | ||
T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | A thread of ipscan-3.9.1-setup.exe sleeps for 66 seconds |
T1027.002 | Obfuscated Files or Information: Software Packing | ipscan-3.9.1-setup.exe is a NSIS archive |
Shannon entropy of .rsrc section is 6.66 | ||
T1036.001 | Masquerading: Invalid Code Signature | Digital signature of ipscan-3.9.1-setup.exe failed verification |
T1027.004 | Obfuscated Files or Information: Compile After Delivery | csc.exe is called to compile source code from command-line |
T1480 | Execution Guardrails | ipscan-3.9.1-setup.exe called GetUserDefaultLCID |
T1543.003 | Create or Modify System Process: Windows Service | ServicesMSDTCDelayedAutostart is written |
Discovery
ID | Technique | Observed Details |
T1497.001 | Virtualization/Sandbox Evasion: System Checks | ipscan-3.9.1-setup.exe called GetDiskFreeSpaceExW |
T1135 | Network Share Discovery | ipscan-3.9.1-setup.exe called NetShareEnum |
T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | A thread of ipscan-3.9.1-setup.exe sleeps for 66 seconds |
Privilege-escalation
ID | Technique | Observed Details |
T1134 | Access Token Manipulation | 7za.exe sets privilege: SeRestorePrivilege |
7za.exe sets privilege: SeCreateSymbolicLinkPrivilege | ||
7za.exe sets privilege: SeSecurityPrivilege | ||
ip-3.9.1-setup.exe called NtOpenThreadToken | ||
ip-3.9.1-setup.exe called NtOpenProcessToken | ||
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RunUpdateWindowsKey registry is written |
T1543.003 | Create or Modify System Process: Windows Service | ServicesMSDTCDelayedAutostart is written |
Execution
ID | Technique | Observed Details |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | cmd.exe process is launched to execute WindowsUpdate.bat |
T1059.001 | Command and Scripting Interpreter: PowerShell | Attempt of execution in a hidden window |
High entropy of PowerShell (5.248) |
Persistence
ID | Technique | Observed Details |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RunUpdateWindowsKey registry is written |
T1543.003 | Create or Modify System Process: Windows Service | ServicesMSDTCDelayedAutostart is written |
Command & Control
ID | Technique | Observed Details |
T1071.001 | Application Layer Protocol: Web Protocols | HTTPS is used to communicate with a C2 server on Cloudflare Workers |
T1573 | Encrypted Channel | HTTPS is used to communicate with a C2 server on Cloudflare Workers |
SharpRhino RAT
Hashes
Value SHA-256 | File |
D2E7729C64C0DAC2309916CE95F6A8253CA7F3C7A2B92B452E7CFB69A601FBF6 | LogUpdate.bat |
3F1443BE65525BD71D13341017E469C3E124E6F06B09AE4DA67FDEAA6B6C381F | Wiaphoh7um.t |
223AA5D93A00B41BF92935B00CB94BB2970C681FC44C9C75F245A236D617D9BB | ipscan-3.9.1-setup.exe |
9A8967E9E5ED4ED99874BFED58DEA8FA7D12C53F7521370B8476D8783EBE5021 | kautix2aeX.t |
B57EC2EA899A92598E8EA492945F8F834DD9911CFF425ABF6D48C660E747D722 | WindowsUpdate.bat |
09B5E780227CAA97A042BE17450EAD0242FD7F58F513158E26678C811D67E264 | ipscan-3.9.1-setup.exe |
Domains
Value | Details |
cdn-server-1[.]xiren77418[.]workers[.]dev | Command & Control |
cdn-server-2[.]wesoc40288[.]workers[.]dev | Command & Control |
Angryipo[.]org | Initial Download Site |
Angryipsca[.]com | Initial Download Site |
Hunters International
Domains
Value | Details |
ec2-3-145-180-193.us-east-2.compute[.]amazonaws[.]com/ | Command & Control |
ec2-3-145-172-86.us-east-2.compute[.]amazonaws[.]com | Command & Control |
Key assessments within this report have been written using the Intelligence Terminology Yardstick. The assessed likelihood of events corresponds with pre-defined language to remove areas of uncertainty when ingesting Quorum Cyber Intelligence reports.
Intelligence Cut-off Date (ICoD): 02/08/2024 12:00 UTC