ARTICLE
12 August 2024

Ankura CTIX FLASH Update - August 9, 2024

Ankura Consulting Group LLC


Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Ransomware/Malware Activity

Hunters International Ransomware Group Targets IT Professionals with SharpRhino RAT

Researchers at Quorum Cyber have recently published a post on a new Remote Access Tool (RAT), dubbed SharpRhino, linked to the ransomware gang Hunters International. Hunters International has been active since October 2023 and is believed to be an offshoot of the Russia-based Hive ransomware group, based on similarities in the ransomware source code. Hunters International has claimed 134 attacks already this year and is becoming one of the most active ransomware groups of 2024. According to Quorum Cyber, SharpRhino is disseminated through a typosquatting site that mimics the website of Angry IP Scanner, a well-known networking tool. By impersonating networking tools, Hunters International aims to compromise IT workers, who tend to hold elevated privileges within their organizations. The infection begins with an installer named "ipscan-3.9.1-setup.exe", which modifies the Windows registry for persistence and creates two directories containing the binaries that handle command and control (C2). Two commands are hard coded into the malware: one sets the delay before the next POST request that retrieves tasking from the attacker, and the other terminates communication. The RAT lets attackers execute PowerShell on the host, which can in turn be used to launch ransomware. CTIX analysts recommend that individuals verify they are on a trusted website before downloading executables from the internet. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
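The delivery chain described above depends on an IT worker fetching the installer from a lookalike site rather than the real one. As an added example (not Quorum Cyber's or Ankura's code), the following Python script hunts constructed web-proxy log lines for downloads of an installer named like ipscan-<version>-setup.exe from any host other than the tool's official site, and annotates each hit with why the serving host resembles the legitimate domain. The log layout, the client addresses and the lookalike domains are constructed for the example; the official Angry IP Scanner domain is assumed to be angryip.org.

```python
"""Hunt proxy logs for lure installers served from hosts that mimic a legitimate tool site.

Added example; not code from the Quorum Cyber report. Sample log lines are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: the official Angry IP Scanner site is angryip.org.
LEGITIMATE_HOSTS = {"angryip.org"}

# Installer name used by the campaign (from the report), generalised over the version.
LURE_NAME = re.compile(r"^ipscan-\d+(?:\.\d+)*-setup\.exe$", re.IGNORECASE)

# Constructed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample lines: one legitimate download, two lookalike hosts, one unrelated host.
SAMPLE_LOG = """\
2024-08-05T09:12:01Z 10.0.4.17 GET https://angryip.org/download/ipscan-3.9.1-setup.exe 200
2024-08-05T09:14:22Z 10.0.4.21 GET https://angry-ip.example/ipscan-3.9.1-setup.exe 200
2024-08-05T09:15:03Z 10.0.4.21 GET https://angryip.org/docs/ 200
2024-08-05T09:20:40Z 10.0.4.33 GET https://angryipscanner-download.example/dl/ipscan-3.9.1-setup.exe 200
2024-08-05T09:25:11Z 10.0.4.40 GET https://cdn.example/tools/ipscan-3.9.1-setup.exe 200
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Crude second-level label extraction (e.g. 'angryip' from 'www.angryip.org')."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(host: str):
    """Explain how a host resembles a legitimate domain, or None if it does not."""
    label = registrable_label(host)
    for legit in LEGITIMATE_HOSTS:
        legit_label = registrable_label(legit)
        if legit_label in label and label != legit_label:
            return f"contains '{legit_label}'"
        d = levenshtein(label, legit_label)
        if d <= 2:
            return f"edit distance {d} from '{legit_label}'"
    return None


def hunt(log_text: str) -> list:
    """Return lure-installer downloads that did not come from a legitimate host."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        url = urlparse(m["url"])
        host = (url.hostname or "").lower()
        filename = url.path.rsplit("/", 1)[-1]
        if not LURE_NAME.match(filename):
            continue  # not an installer we care about
        if host in LEGITIMATE_HOSTS:
            continue  # expected download from the real site
        findings.append({
            "client": m["client"],
            "host": host,
            "file": filename,
            "lookalike": lookalike_reason(host) or "no resemblance; untrusted source",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['client']} fetched {f['file']} from {f['host']} ({f['lookalike']})")
```

Any download of the lure filename from a non-official host is reported, whether or not the host looks like the real domain; the lookalike annotation only helps triage, since an attacker can just as easily host the file on an unrelated CDN. Triage hits by whether the downloading client belongs to an administrator, because that is the population this campaign targets.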

Threat Actor Activity

BlackSuit Ransomware Improves Capabilities: Ransom Demands Reach $500 Million in Last Year

The BlackSuit ransomware, formerly known as Royal ransomware, has been a significant cyber threat since its inception. Initially identified as Quantum ransomware in January 2022, the group rebranded to Royal in September 2022. Following a high-profile attack on the City of Dallas in June 2023, the group transitioned to the BlackSuit moniker and ceased Royal-branded operations entirely. Since rebranding, BlackSuit has demanded over $500 million in ransoms, with individual demands reaching up to $60 million. The group has targeted over 350 organizations since September 2022, including critical infrastructure sectors such as healthcare, government facilities, and manufacturing. Its ransom demands typically range from $1 million to $10 million, payable in Bitcoin. The gang employs several infection vectors, including phishing emails, Remote Desktop Protocol (RDP), and exploitation of vulnerable internet-facing applications, and often purchases access from initial access brokers (IABs). BlackSuit operations disable antivirus software and exfiltrate sensitive data before deploying the ransomware. The operators use legitimate remote monitoring and management (RMM) software for persistence, tooling such as SystemBC and GootLoader, and credential-stealing utilities such as Mimikatz and Nirsoft's password harvesting tools. They enumerate victim networks with tools like SharpShares and SoftPerfect NetWorx and kill system processes ahead of encryption. The FBI and CISA have been actively tracking and updating advisories on BlackSuit, providing technical data and indicators of compromise (IOCs) to help defenders detect and mitigate the group's activities. The latest advisory includes insights from incidents as recent as July 2024, highlighting the group's use of telephone and email communications to pressure victims into paying ransoms.
The group's aggressive methods, including assessing stolen data for regulatory non-compliance and threatening to expose sensitive information, reflect a growing trend of ransomware gangs leveraging reputational damage as a coercive tactic. As ransomware tactics continue to evolve, comprehensive cybersecurity strategies and proactive threat intelligence sharing remain essential in defending against these pervasive threats. CTIX analysts will continue to share the most recent developments in threat actor activity to help combat the threats that come with an ever-changing cyber landscape.

Vulnerabilities

Critical Vulnerability in Progress WhatsUp Gold Under Active Exploitation

A critical security flaw in Progress Software's WhatsUp Gold, a network monitoring application, is being actively exploited by threat actors. The flaw, tracked as CVE-2024-4885 (CVSS score of 9.8/10), is an unauthenticated remote code execution vulnerability affecting versions 23.1.2 and older. It stems from inadequate validation in the "GetFileWithoutZip" method and allows an attacker to execute commands in the context of the application's service account. The flaw was discovered by security researcher Sina Kheirkhah, whose published proof-of-concept (PoC) exploit targets the '/NmAPI/RecurringReport' endpoint. Exploitation attempts from multiple IP addresses have been observed since August 1, 2024. Progress Software released a security bulletin on June 25, 2024, addressing this and three other critical vulnerabilities (CVE-2024-4883, CVE-2024-4884, and CVE-2024-5009). Administrators are urged to upgrade to version 23.1.3, restrict access to trusted IP addresses, and monitor for suspicious activity. The vendor also recommends placing WhatsUp Gold behind a firewall and ensuring it is reachable only internally or from trusted IP addresses. CTIX analysts will continue to report on interesting and novel exploits in future issues.
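Two of the mitigations above, restricting access to trusted addresses and monitoring for suspicious activity, can be checked from the web server's own logs. The following Python script is an added example, not Progress Software's code and not the published PoC: it flags requests to the /NmAPI/RecurringReport endpoint that originate outside an assumed trusted network, and includes a version comparison against the fixed release 23.1.3. The IIS-style log lines, the trusted network range and the client addresses are constructed for the example.

```python
"""Flag reachability of the WhatsUp Gold endpoint targeted by the CVE-2024-4885 PoC.

Added example; not vendor code. The log lines and trusted range below are constructed.
"""
import ipaddress

# First fixed release per the vendor bulletin (versions 23.1.2 and older are affected).
PATCHED_VERSION = (23, 1, 3)

# Endpoint named in the public PoC; compared case-insensitively because IIS paths are.
WATCHED_PATH = "/nmapi/recurringreport"

# Assumption: the only network that should ever reach the console is this internal range.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed lines in W3C extended (IIS) layout:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-08-02 03:14:55 198.51.100.23 POST /NmAPI/RecurringReport 200
2024-08-02 03:15:02 10.20.30.40 GET /NmConsole/Login.aspx 200
2024-08-02 03:16:10 203.0.113.9 POST /NmAPI/RecurringReport 500
2024-08-02 03:17:44 10.20.30.41 POST /NmAPI/RecurringReport 200
"""


def parse_version(text: str) -> tuple:
    """'23.1.2' -> (23, 1, 2); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the first fixed release."""
    return parse_version(version) < PATCHED_VERSION


def is_trusted(client_ip: str) -> bool:
    """True when the client address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def suspicious_requests(log_text: str) -> list:
    """Return requests to the watched endpoint from outside the trusted networks.

    Every such request is reported regardless of status code: a 500 may be a failed
    exploitation attempt, and a 200 from the internet means the endpoint is exposed
    in a way the vendor guidance says it should not be.
    """
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        fields = line.split()
        if len(fields) != 6:
            continue  # tolerate malformed lines instead of aborting the sweep
        date, time, client, method, uri, status = fields
        if uri.lower() != WATCHED_PATH:
            continue
        if is_trusted(client):
            continue
        findings.append({
            "time": f"{date} {time}",
            "client": client,
            "method": method,
            "status": int(status),
        })
    return findings


if __name__ == "__main__":
    print("installed 23.1.2 vulnerable:", is_vulnerable("23.1.2"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['method']} -> {hit['status']}")
```

A hit from an untrusted address on a version that is_vulnerable reports as affected should be treated as a potential compromise rather than just a configuration finding: the endpoint is unauthenticated, so there is no login event to correlate against, and the host's service-account activity after the request time is the next thing to examine.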

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
