SharpRhino is a new RAT malware used by the Hunters International threat group and delivered disguised as a legitimate software installer. It uses PowerShell scripts to execute encoded .NET assemblies for remote command execution and communicates with a C2 server over encrypted traffic. Affected: Windows
Keypoints :
- SharpRhino is based on the open-source project ThunderShell.
- Delivered as an NSIS installer that masquerades as legitimate software.
- Utilizes PowerShell scripts to execute encoded .NET assemblies.
- Communicates with a C2 server using encrypted network traffic.
- Involves multiple installation folders for persistence.
- Modifies registry to ensure execution at startup.
- Contains obfuscated files that execute malicious commands.
- Maintains functionality for remote command execution.
MITRE Techniques :
- T1071.001 – Application Layer Protocol: The malware communicates with the C2 server using HTTP/S protocols.
- T1059.001 – PowerShell: Utilizes PowerShell scripts to execute commands and load .NET assemblies.
- T1070.001 – Indicator Removal on Host: The malware uses multiple folders to maintain persistence and evade detection.
- T1105 – Ingress Tool Transfer: Transfers malicious files to the victim’s machine during installation.
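A defender-side triage helper, added here as an example (not code from the Acronis write-up or from SharpRhino itself): it decodes PowerShell `-EncodedCommand` blobs found in autorun entries and flags those that load a .NET assembly from base64, the behaviour described in the keypoints above. The Run-key entries and encoded scripts are constructed samples, not IoCs from the article.

```python
import base64
import re

# Substrings that show an encoded PowerShell command is loading a .NET assembly
# from a blob rather than running an ordinary script (matched case-insensitively).
ASSEMBLY_LOAD_MARKERS = (
    "[system.reflection.assembly]::load",
    "[reflection.assembly]::load",
    "frombase64string",
)

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or not decodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_cmdline(cmdline: str) -> str:
    """benign | encoded_command | encoded_assembly_load, based on the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return "benign"
    if any(marker in decoded.lower() for marker in ASSEMBLY_LOAD_MARKERS):
        return "encoded_assembly_load"
    return "encoded_command"


def triage_autoruns(entries: dict) -> dict:
    """Classify every autorun entry (value name -> command line)."""
    return {name: classify_cmdline(cmd) for name, cmd in entries.items()}


def _encode_ps(script: str) -> str:
    """Build a constructed -EncodedCommand blob the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed HKCU\...\Run entries for the demo: one normal, one encoded but harmless,
# one that loads a .NET assembly from a base64 blob on disk. None are real IoCs.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": "powershell.exe -w hidden -enc " + _encode_ps("Get-Date | Out-File $env:TEMP\\t.log"),
    "Helper": "powershell.exe -nop -w hidden -EncodedCommand " + _encode_ps(
        "[System.Reflection.Assembly]::Load([Convert]::FromBase64String((Get-Content $env:APPDATA\\blob.t)))"),
}
```

On a real host the entries would come from the Run and RunOnce keys; `encoded_assembly_load` hits are the ones to pull the referenced blob for and compare against the hashes listed below.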
Indicator of Compromise :
- [file name] ipscan-3.9.1-setup.exe
- [file hash] 09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264
- [file name] kautix2aeX.t
- [file hash] 9a8967e9e5ed4ed99874bfed58dea8fa7d12c53f7521370b8476d8783ebe5021
- [file name] LogUpdate.bat
- [file hash] d2e7729c64c0dac2309916ce95f6a8253ca7f3c7a2b92b452e7cfb69a601fbf6
- Check the article for all found IoCs.
Full Research: https://www.acronis.com/en-us/cyber-protection-center/posts/sharprhino-an-old-new-threat/