16 November 2023
Hunters International – A New Old Ransomware
This is not the first time we have detected new strains that reuse all or part of the code of existing threats.
Like Lockbit green (with Conti) or Underground (with Industrial Spy), it now appears to be Hunters International’s turn to deploy a “new” ransomware.
Thus, we present an analysis structured around 3 recent samples: a Windows PE binary, whose distribution began in mid-October 2023, as well as 2 Linux ELF binaries, distributed more recently in mid-November 2023.
Static analyses
At the time of analysis, antivirus modules had extremely low detection rates on these samples, and Yara-based modules detected nothing at all.
We were able to submit our strains to our analysis platform which was immediately able to identify the malicious nature through functions common with samples from the Hive family.
Windows PE Sample
Linux ELF Samples
Dataset Analysis
To further identify the family, we retrieved 2 other ELF samples dating from September 2023 and identified as belonging to the Hive family. We integrated them into a small dataset that we compared against our 2 recent Hunters strains.
The rapid characterization provided by our Deep Engine speaks for itself. We are dealing with samples containing many malicious functions similar to Hive family references.
Dynamic Analyses
To extract additional information, we proceeded with manual detonation, since at the time of analysis the dynamic engines were unable to execute the 3 files; they likely carry sandbox evasion mechanisms.
Whichever of our 3 binaries is used, the -c argument is mandatory: it is what lets the ransomware customize the ransom note.
Windows PE Sample
Here is an excerpt from the execution logs:
We can observe that this malware enumerates the available file system locations (log entries got dir, found).
It also appears to include a common mechanism for excluding certain files or folders from encryption (skipped, reserve dir), probably so that only files of interest (documents, etc.) are encrypted.
It should be noted that the ransom note is titled Contact Us.txt and encrypted files take the extension .locked.
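The two artifacts just named, the Contact Us.txt ransom note and the .locked extension, are what a responder scopes an incident on. The following script is an added example (it is not code from this article or from GLIMPS): it walks a directory tree, counts encrypted files, records which directories received a ransom note and tallies the original file types hit, which shows at a glance whether the sample did indeed restrict itself to documents. The tree it builds under a temporary directory is constructed for the demonstration.

```python
"""Incident-scoping helper for the Hunters International PE artifacts.

Added example, not code from the original article or from GLIMPS tooling.
It walks a directory tree and reports files carrying the .locked extension
and ransom notes named "Contact Us.txt". The sample tree built by
build_sample_tree() is constructed here for demonstration only.
"""
import os
import tempfile
from collections import Counter

RANSOM_NOTE_NAME = "Contact Us.txt"   # ransom note file name observed for the PE sample
ENCRYPTED_EXT = ".locked"             # extension appended to encrypted files


def scope_encryption(root):
    """Walk `root` and summarise the ransomware artifacts found under it.

    Returns the number of encrypted files, the sorted list of directories
    (relative to root) that contain a ransom note, and a per-extension count
    of the original file types, derived from the name preceding .locked.
    """
    encrypted = 0
    note_dirs = set()
    original_types = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE_NAME:
                note_dirs.add(os.path.relpath(dirpath, root))
            elif name.endswith(ENCRYPTED_EXT):
                encrypted += 1
                stem = name[: -len(ENCRYPTED_EXT)]
                original_types[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return {
        "encrypted_files": encrypted,
        "note_dirs": sorted(note_dirs),
        "original_types": dict(original_types),
    }


def build_sample_tree():
    """Create a constructed tree mimicking a partially encrypted file share."""
    root = tempfile.mkdtemp(prefix="hunters_demo_")
    layout = {
        "finance": ["budget.xlsx.locked", "Q3.docx.locked", RANSOM_NOTE_NAME],
        "hr": ["contracts.pdf.locked", RANSOM_NOTE_NAME],
        # Left untouched, as a directory the sample logs as "reserve dir" would be.
        "Windows/System32": ["kernel32.dll"],
    }
    for sub, files in layout.items():
        directory = os.path.join(root, sub)
        os.makedirs(directory, exist_ok=True)
        for filename in files:
            with open(os.path.join(directory, filename), "w", encoding="utf-8") as fh:
                fh.write("demo content")
    return root


if __name__ == "__main__":
    report = scope_encryption(build_sample_tree())
    print(report)
```

Pointing scope_encryption() at a mounted share or a forensic image gives the encrypted-file count and the set of directories the note was dropped in; the original_types tally is the quickest way to confirm the document-only targeting the detonation logs suggest.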
Linux ELF Samples
As with the Windows version, the -c argument must be used for this malware to execute.
Adding a wrapper around the vim-cmd command in the detonation environment lets us observe that this binary calls vim-cmd vmsvc/getallvms, which lists the virtual machines present on the host.
This information confirms, along with the Stopping VMs message, that this version indeed targets VMware ESXi environments.
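The two observations above, the vim-cmd vmsvc/getallvms call and the Stopping VMs message, can be turned into a simple sequence detection. The script below is an added example, not code from this article or from GLIMPS: it assumes a detonation wrapper or host agent that records each process's command lines and output with a timestamp and a pid (the log format here is constructed for the demonstration and is not a real ESXi log), and raises one alert per process that enumerates the VMs and then reports stopping them within a short window. A lone enumeration, which an administrator's listing also produces, does not alert.

```python
"""Sequence-based detection for the ESXi behaviour described above.

Added example, not from the original article or GLIMPS tooling. It correlates
a "vim-cmd vmsvc/getallvms" call with a later "Stopping VMs" message from the
same process. The log format ("<ISO timestamp> pid=<n> <message>") and the
sample lines in SAMPLE_LOG are constructed for this demonstration.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) pid=(\d+) (.*)$")
ENUM_MARKER = "vim-cmd vmsvc/getallvms"   # VM enumeration observed in the ELF sample
STOP_MARKER = "Stopping VMs"              # message printed by the sample before encryption
WINDOW = timedelta(seconds=30)            # how long after enumeration a stop still correlates

# Constructed sample: pid 4120 behaves like the sample, pid 5001 is a benign listing.
SAMPLE_LOG = """\
2023-11-15T10:00:01 pid=4120 exec /bin/vim-cmd vmsvc/getallvms
2023-11-15T10:00:02 pid=4120 stdout Vmid Name File Guest OS Version Annotation
2023-11-15T10:00:03 pid=4120 stdout Stopping VMs
2023-11-15T10:05:00 pid=5001 exec /bin/vim-cmd vmsvc/getallvms
2023-11-15T10:05:01 pid=5001 stdout Vmid Name File Guest OS Version Annotation
2023-11-15T10:09:00 pid=5001 stdout host listing complete
"""


def parse(lines):
    """Yield (timestamp, pid, message) for every line matching the constructed format."""
    for raw in lines:
        match = LINE_RE.match(raw.strip())
        if match:
            yield datetime.fromisoformat(match.group(1)), int(match.group(2)), match.group(3)


def detect(lines):
    """Return one alert per pid that enumerates VMs and then reports stopping them."""
    last_enum = {}   # pid -> timestamp of its most recent getallvms call
    alerts = []
    for ts, pid, msg in parse(lines):
        if ENUM_MARKER in msg:
            last_enum[pid] = ts
        elif STOP_MARKER in msg and pid in last_enum and ts - last_enum[pid] <= WINDOW:
            alerts.append({
                "pid": pid,
                "enumerated_at": last_enum[pid].isoformat(),
                "stop_at": ts.isoformat(),
            })
            del last_enum[pid]   # one alert per enumeration
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

Keying the correlation on the pid and a short window is what keeps routine administration quiet: enumeration alone is normal on an ESXi host, enumeration immediately followed by a mass stop from the same process is the pattern the detonation reveals.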
Ransom Note
The detonation process allows us to extract the ransom note, which references the “new” Hunters International group.
The ransom note is the same for the PE and the ELF ESXi versions, apart of course from the values passed through the -c parameter.
Attacker Group Portal
At the time of writing this article, the Hunters International group appears active given the accessibility of their portal.
Furthermore, they state that they are not former Hive members but that they purchased the source code of this malware. What is certain is that the modifications they made to the source code (apparently to fix bugs…) let them evade detection by the vast majority of antivirus solutions on the market! Detection through the Concept Code analysis of our AI algorithm, which is tolerant to such modifications, leaves no doubt: the link between Hunters International and Hive is obvious, and it gives us “0-day” detection of this new attacker group!
Conclusion
It seems that the dismantling of Hive’s infrastructure does not prevent the distribution of malware based on its source code.
The results of our analyses lead us to believe that the binaries are indeed a new ransomware, in the sense that a new group operates it, but that it is effectively based on part of the Hive source code.
The Hive ransomware was also known for having evolved significantly over time (up to v6!), offering variants for different types of platforms. The use of languages like Go or Rust should, unfortunately, continue to help its rapid proliferation.
Appendix
Observables
References of Analyzed Files
Questions about these updates or our solutions? Don’t hesitate to contact our team: cti@glimps.re