The Hunters International threat group is distributing a malicious installer that impersonates a legitimate IP and port scanning program, using it to infect the machines of IT workers and gain initial access to their employers' networks. The Hunters International ransomware group first appeared in October 2023 and is associated with the Hive ransomware group, which was dismantled by a law enforcement operation in January 2023. Security researchers have suggested that Hunters International is Hive rebranded, citing an approximately 60% overlap in code, but the group says it bought the Hive code and is a separate operation.
Although Hunters International is not the most prominent ransomware group, it has carried out more than 130 attacks so far in 2024. As the group's name suggests, its attacks are global: it claims victims in around 30 countries. The group exfiltrates data from victims' systems, encrypts files, and threatens to publish the stolen data if the ransom is not paid.
Hunters International is an active threat to the healthcare and public health (HPH) sector. It has already attacked many U.S. healthcare organizations, including Arisa Health, Northeast Rehabilitation Hospital Network, Covenant Care, Integris Health, Fred Hutchinson Cancer Center, Crystal Lake Health Centers, Betances Health Center, BeneCare Dental Insurance, and Therapeutic Health Services. Attacks like these make HIPAA compliance for healthcare organizations more important than ever.
The group's tactics, techniques, and procedures (TTPs) continue to evolve. It is believed to have gained initial access through social engineering, phishing emails, exposed Remote Desktop Protocol (RDP) services, and supply chain attacks. Researchers at Quorum Cyber have now identified a new initial access method. While investigating a recent ransomware attack, they discovered a previously unseen malware family not linked to any other ransomware group. The malware, written in C#, has been named SharpRhino. It is a Remote Access Trojan (RAT) that gives the group initial access to victims' systems.
Hunters International is targeting IT employees because their accounts are likely to hold elevated privileges. The malware is delivered through a typosquatting domain that impersonates Angry IP Scanner, a legitimate IP address and port scanning tool. Once executed, the malware establishes persistence by modifying the Windows registry and gives the attackers remote access to the system.
The file downloaded from the typosquatting domain is named ipscan-3.9.1-setup.exe. It is a 32-bit Portable Executable (PE) Nullsoft (NSIS) installer containing a password-protected self-extracting archive. The installer drops a batch file, LogUpdate.bat, which launches PowerShell scripts that compile C# code in memory and execute the malware. The malware can run PowerShell commands on the compromised device and is used to deliver the ransomware payload.
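To make the delivery chain concrete for defenders, here is an added hunting example written for this article; it is not code from the page or from Quorum Cyber. It replays the chain over constructed Sysmon-style events: a download of the fake installer from a look-alike domain, the installer spawning LogUpdate.bat, PowerShell under that lineage compiling C# in memory, and a registry write for persistence. Everything beyond what the article states is an assumption and labelled as such in the code: the look-alike domain name, the `update.ps1` script name, `Add-Type -TypeDefinition` as the in-memory compile method, and a `CurrentVersion\Run` key as the persistence location (the article only says "the registry"). The legitimate site used as the comparison baseline is angryip.org.

```python
"""Hunt for the SharpRhino delivery chain over constructed Sysmon-style events.

Added example for this article, not code from the page or Quorum Cyber.
"""
import re
from difflib import SequenceMatcher

LEGIT_DOMAIN = "angryip.org"  # genuine Angry IP Scanner download site
INSTALLER_NAME = re.compile(r"ipscan-[\d.]+-setup\.exe$", re.IGNORECASE)
# Assumed: common ways a PowerShell script compiles C# in memory. The article
# only says the scripts "compile C# into memory".
IN_MEMORY_COMPILE = re.compile(
    r"Add-Type\s+-TypeDefinition|CSharpCodeProvider|CompileAssemblyFromSource",
    re.IGNORECASE)
# Assumed persistence location; the article only says "the registry".
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def sld(domain):
    """Second-level label: 'angryip-scanner.com' -> 'angryip-scanner'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_typosquat(domain, legit=LEGIT_DOMAIN):
    """True when the domain embeds or closely resembles the legitimate label."""
    if domain.lower().rstrip(".") == legit:
        return False
    a, b = sld(domain), sld(legit)
    return b in a or SequenceMatcher(None, a, b).ratio() >= 0.8


class ProcessTree:
    """Minimal parent/child bookkeeping so rules can ask 'who started this?'."""

    def __init__(self):
        self.procs = {}  # pid -> (ppid, image, cmdline)

    def add(self, e):
        self.procs[e["pid"]] = (e["ppid"], e["image"], e["cmdline"])

    def lineage(self, pid):
        """(image, cmdline) pairs from pid up to the root; guards pid-reuse loops."""
        chain, seen = [], set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)
            ppid, image, cmdline = self.procs[pid]
            chain.append((image, cmdline))
            pid = ppid
        return chain

    def from_installer(self, pid):
        return any(INSTALLER_NAME.search(img) for img, _ in self.lineage(pid))


def analyse(events):
    """Return (rule, detail) findings for the chain the article describes."""
    tree, findings = ProcessTree(), []
    for e in events:
        kind = e["type"]
        if kind == "download":
            if looks_like_typosquat(e["domain"]) and INSTALLER_NAME.search(e["file"]):
                findings.append(("typosquat_installer_download", e["domain"]))
        elif kind == "process":
            tree.add(e)
            if tree.from_installer(e["ppid"]) and "logupdate.bat" in e["cmdline"].lower():
                findings.append(("installer_runs_logupdate_bat", e["cmdline"]))
        elif kind == "scriptblock":
            if IN_MEMORY_COMPILE.search(e["text"]) and tree.from_installer(e["pid"]):
                findings.append(("in_memory_csharp_under_installer", e["pid"]))
        elif kind == "registry":
            if RUN_KEY.search(e["key"]) and tree.from_installer(e["pid"]):
                findings.append(("run_key_persistence_under_installer", e["key"]))
    return findings


# Constructed telemetry for the example; domain, script name and Run key value
# are hypothetical. The installer and batch file names come from the article.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "download", "domain": "angryip-scanner.com", "file": "ipscan-3.9.1-setup.exe"},
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Users\\it\\Downloads\\ipscan-3.9.1-setup.exe",
     "cmdline": "ipscan-3.9.1-setup.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c LogUpdate.bat"},
    {"type": "process", "pid": 300, "ppid": 200, "image": PS, "cmdline": "powershell.exe -File update.ps1"},
    {"type": "scriptblock", "pid": 300, "text": "Add-Type -TypeDefinition $src -Language CSharp; [Loader]::Run()"},
    {"type": "registry", "pid": 300, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdateLogger"},
    # Benign noise: the real site, and an admin build script that also uses Add-Type.
    {"type": "download", "domain": "angryip.org", "file": "ipscan-3.9.1-setup.exe"},
    {"type": "process", "pid": 400, "ppid": 1, "image": PS, "cmdline": "powershell.exe -File Build.ps1"},
    {"type": "scriptblock", "pid": 400, "text": "Add-Type -TypeDefinition $helper"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The point of the lineage check is that `Add-Type` and Run-key writes are routine on administrator workstations; what makes them worth an alert here is that they descend from an installer named like the Angry IP Scanner setup that was fetched from a domain other than angryip.org. In a real deployment the process tree would be built from Sysmon event IDs 1, 11 and 13 and PowerShell script block logs (event ID 4104), and the typosquat check would run against proxy or DNS logs.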