Sharprhino: An Old, New Threat
Thumbnail
SharpRhino is a new RAT malware utilized by the Hunters International threat group, delivered as a legitimate software installer. It uses PowerShell scripts to execute encoded .NET assemblies for remote command execution and communicates with a C2 server over encrypted traffic. Affected: Windows

Keypoints :

  • SharpRhino is based on the open-source project ThunderShell.
  • Delivered as an NSIS installer that masquerades as legitimate software.
  • Utilizes PowerShell scripts to execute encoded .NET assemblies.
  • Communicates with a C2 server using encrypted network traffic.
  • Involves multiple installation folders for persistence.
  • Modifies registry to ensure execution at startup.
  • Contains obfuscated files that execute malicious commands.
  • Maintains functionality for remote command execution.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: The malware communicates with the C2 server using HTTP/S protocols.
  • T1059.001 – PowerShell: Utilizes PowerShell scripts to execute commands and load .NET assemblies.
  • T1070.001 – Indicator Removal on Host: The malware uses multiple folders to maintain persistence and evade detection.
  • T1105 – Ingress Tool Transfer: Transfers malicious files to the victim’s machine during installation.

Indicator of Compromise :

  • [file name] ipscan-3.9.1-setup.exe
  • [file hash] 09b5e780227caa97a042be17450ead0242fd7f58f513158e26678c811d67e264
  • [file name] kautix2aeX.t
  • [file hash] 9a8967e9e5ed4ed99874bfed58dea8fa7d12c53f7521370b8476d8783ebe5021
  • [file name] LogUpdate.bat
  • [file hash] d2e7729c64c0dac2309916ce95f6a8253ca7f3c7a2b92b452e7cfb69a601fbf6
  • Check the article for all found IoCs.

Full Research: https://www.acronis.com/en-us/cyber-protection-center/posts/sharprhino-an-old-new-threat/