A hacktivist group generally known as Head Mare has been linked to cyber assaults that solely goal organizations positioned in Russia and Belarus.
“Head Mare uses more up-to-date methods for obtaining initial access,” Kaspersky stated in a Monday evaluation of the group’s ways and instruments.
“For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and disguise the malicious payload more effectively.”
Head Mare, lively since 2023, is among the hacktivist teams attacking Russian organizations within the context of the Russo-Ukrainian battle that started a 12 months earlier than.
It additionally maintains a presence on X, the place it has leaked delicate info and inner documentation from victims. Targets of the group’s assaults embody governments, transportation, power, manufacturing, and setting sectors.
In contrast to different hacktivist personas that doubtless function with an goal to inflict “maximum damage” to firms within the two nations, Head Mare additionally encrypts victims’ units utilizing LockBit for Home windows and Babuk for Linux (ESXi), and calls for a ransom for knowledge decryption.
Additionally a part of its toolkit are PhantomDL and PhantomCore, the previous of which is a Go-based backdoor that is able to delivering further payloads and importing recordsdata of curiosity to a command-and-control (C2) server.
PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a distant entry trojan with comparable options, permitting for downloading recordsdata from the C2 server, importing recordsdata from a compromised host to the C2 server, in addition to executing instructions within the cmd.exe command line interpreter.
“The attackers create scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activity as tasks related to Microsoft software,” Kaspersky stated.
“We also found that some LockBit samples used by the group had the following names: OneDrive.exe [and] VLC.exe. These samples were located in the C:ProgramData directory, disguising themselves as legitimate OneDrive and VLC applications.”
Each the artifacts have been discovered to be distributed by way of phishing campaigns within the type of enterprise paperwork with double extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).
One other essential element of its assault arsenal is Sliver, an open-source C2 framework, and a group of varied publicly obtainable instruments equivalent to rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral motion, and credential harvesting.
The intrusions culminate within the deployment of both LockBit or Babuk relying on the goal setting, adopted by dropping a ransom be aware that calls for a fee in trade for a decryptor to unlock the recordsdata.
“The tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict,” the Russian cybersecurity vendor stated.
“However, the group distinguishes itself by using custom-made malware such as PhantomDL and PhantomCore, as well as exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate the infrastructure of their victims in phishing campaigns.”