Tuesday, March 18, 2025
Malware

Why SharpRhino Malware is Leaving Victims Thunderstruck

by CybrGPT
0 comment

A new Remote Access Trojan (RAT) has emerged, putting cybersecurity professionals and global organizations on heightened alert. SharpRhino is a recent addition to the malware arsenal of the cyberthreat group Hunters International that was first identified in August 2024.

This sophisticated malware leverages the open-source project ThunderShell, a powerful remote access tool that has been repurposed for malicious intent.

The malicious repurposing of ThunderShell has been a known risk for a few years, but what is old can be new again. SharpRhino adds new layers of obfuscation and persistance that should keep managed service providers (MSPs) and IT teams on their toes.

The Acronis Threat Research Unit has provided a comprehensive analysis of SharpRhino and its use of ThunderShell, shedding light on its technical intricacies, persistence mechanisms and communication protocols, which we will link to at the end of this article.

Initial Infection Vectors

SharpRhino’s initial infection vector is deceptively simple yet highly effective. The malware is delivered to victims disguised as a legitimate software installer, specifically the Angry IP Scanner utility. This utility is a well-known and widely used tool for network scanning, making it an ideal cover for the malware.

The installer appears to be a legitimate application, complete with a valid digital certificate, which can easily lull users into a false sense of security.

During the installation process, the malware extracts and executes malicious PowerShell scripts and other files from a password-protected archive. The installer maintains a facade of normalcy, distracting the user while the malicious files are being deployed in the background.

Malicious Activities and Persistence

Once installed, SharpRhino begins its malicious activities by creating a new folder and copying files to it. Specifically, it creates the folder — ‘C:\ProgramData\Microsoft\LogUpdateWindows’ — and copies the extracted files from the password-protected archive to this location. This step allows the malware to maintain persistence on the victim’s machine.

SharpRhino adds a new registry key to — ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ — that points to the ‘Microsoft.AnyKey.exe’ file. This persistence mechanism ensures that the malware remains active and can continue its operations every time the system is restarted.

Communication with the C2 Server

SharpRhino’s communication with its Command and Control (C2) server is both sophisticated and stealthy. The malware sends encrypted data using the RC4 cipher and encodes it in Base64 format.

This encryption and encoding process makes it difficult for network security tools to detect and analyze the traffic. The network traffic includes commands and responses that are encrypted and encoded before being transmitted, allowing the threat actors to maintain control over the infected system and execute remote commands.

Technical Analysis and Findings

The analysis of SharpRhino highlights SharpRhino’s sophistication. The malware drops and executes malicious PowerShell scripts, which in turn load and execute encoded .NET assemblies in memory. These assemblies are responsible for establishing communication with the C2 server and executing remote commands.

The use of compromising open-source projects for malicious purposes underscores the ongoing challenge of securing software ecosystems and the importance of continuous threat monitoring and risk abatement.

Popular open-source tools, utilities and libraries become prime targets for cybercriminals because they are more likely to not be seen as threats. This applies to tools, utilities and libraries across the entire digital supply chain.

Implications of SharpRhino’s Threat

The emergence of SharpRhino serves as a sharp reminder of the evolving nature of cyberthreats. The threat group Hunters International has demonstrated a high level of sophistication in their use of legitimate software installers and open-source projects to deliver and execute malware. The Acronis Threat Research Unit’s findings highlight the importance of security best practices, including:

  • User education / security awareness training (SAT)
  • Robust security measures, including active detection and response
  • Awareness of emerging and evolving threats

By understanding the techniques and methods used by SharpRhino, cybersecurity professionals can better protect their systems and networks from this and similar threats.

Acronis Threat Research Unit’s detailed analysis of SharpRhino provides a comprehensive understanding of this new threat. For a deep dive into the methodology and code in this attack, you can access the technical write up here.

For more information on the Acronis Threat Research Unit or to follow the latest alerts and updates, access the research blog here.

Source link

You Might Be Interested In

You may also like

PyPI Revival Hijack Puts Thousands of Applications at Risk

Researchers Confirm BlackLock as Eldorado Rebrand

Spyware Vendors’ Nebulous Ecosystem Helps Them Evade Sanctions

DDoS Attacks Double With Governments Most Targeted

China-Linked Threat Actors Target Taiwan Military Industry

Highline Public Schools Forced to Close By Cyber-Attack

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

Stay informed with the latest in cybersecurity news. Explore updates on malware, ransomware, data breaches, and online threats. Your trusted source for digital safety and cyber defense insights.

Facebook Twitter Instagram
BuyBitcoinFiveMinute

Subscribe my Newsletter for new blog posts, tips & new photos. Let’s stay updated!

© 2025 cybrgpt.com – All rights reserved.

@2025 - All Right Reserved.
View Cart Checkout Continue Shopping
Close