
Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal.
“Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents,” the company said. “This suggests potential collaboration and joint campaigns between the two groups.”
Both Head Mare and Twelve were previously documented by Kaspersky in September 2024, with the former leveraging a now-patched vulnerability in WinRAR (CVE-2023-38831) to obtain initial access and deliver malware and, in some cases, even deploy ransomware families like LockBit for Windows and Babuk for Linux (ESXi) in exchange for a ransom.
Twelve, on the other hand, has been observed staging destructive attacks, taking advantage of various publicly available tools to encrypt victims’ data and irrevocably destroy their infrastructure with a wiper to prevent recovery efforts.

Kaspersky’s latest analysis shows Head Mare’s use of two new tools, including CobInt, a backdoor used by ExCobalt and Crypt Ghouls in past attacks aimed at Russian firms, as well as a bespoke implant named PhantomJitter that is installed on servers for remote command execution.
The deployment of CobInt has also been observed in attacks mounted by Twelve, with overlaps uncovered between the hacking crew and Crypt Ghouls, indicating some kind of tactical connection between the different groups currently targeting Russia.
Other initial access pathways exploited by Head Mare include the abuse of other known security flaws in Microsoft Exchange Server (e.g., CVE-2021-26855, aka ProxyLogon), as well as phishing emails bearing rogue attachments and the compromise of contractors’ networks to infiltrate victim infrastructure, a method known as the trusted relationship attack.

“The attackers used ProxyLogon to execute a command to download and launch CobInt on the server,” Kaspersky said, highlighting the use of an updated persistence mechanism that eschews scheduled tasks in favor of creating new privileged local users on a business automation platform server. These accounts are then used to connect to the server via RDP to transfer and execute tools interactively.
Besides assigning the malicious payloads names that mimic benign operating system files (e.g., calc.exe or winuac.exe), the threat actors have been found to remove traces of their activity by clearing event logs and to use proxy and tunneling tools like Gost and Cloudflared to conceal network traffic.
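As an added illustration (not from Kaspersky’s report), this is how a defender might spot the persistence and evasion chain described above in Windows Security telemetry: a freshly created local account promoted to Administrators, then an RDP logon by that account, a binary with a system-like name launched from outside the system directory, and the audit log being cleared. The event schema, host names, account names and timestamps are constructed for this example.

```python
import json

# Constructed sample of Windows Security events as JSON lines (not real telemetry).
# Event IDs: 4720 user created, 4732 member added to local group, 4624 logon
# (type 10 = RemoteInteractive/RDP), 4688 process creation, 1102 audit log cleared.
SAMPLE_EVENTS = r"""
{"ts": 100, "id": 4720, "host": "erp01", "subject": "svc_backup", "target": "support_adm"}
{"ts": 140, "id": 4732, "host": "erp01", "subject": "svc_backup", "target": "support_adm", "group_sid": "S-1-5-32-544"}
{"ts": 300, "id": 4624, "host": "erp01", "target": "support_adm", "logon_type": 10, "src_ip": "10.0.5.7"}
{"ts": 360, "id": 4688, "host": "erp01", "subject": "support_adm", "image": "C:\\Users\\Public\\calc.exe"}
{"ts": 900, "id": 1102, "host": "erp01", "subject": "support_adm"}
{"ts": 950, "id": 4624, "host": "fs02", "target": "jdoe", "logon_type": 10, "src_ip": "10.0.2.10"}
{"ts": 960, "id": 4688, "host": "fs02", "subject": "jdoe", "image": "C:\\Windows\\System32\\calc.exe"}
"""

LOCAL_ADMINS_SID = "S-1-5-32-544"              # BUILTIN\Administrators
MASQUERADE_NAMES = {"calc.exe", "winuac.exe"}  # names the report says were reused
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_events(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events, window=3600):
    """Return (rule, host, detail) tuples for the persistence and evasion chain."""
    alerts = []
    created = {}  # (host, account) -> timestamp of the 4720 that created it
    for e in sorted(events, key=lambda ev: ev["ts"]):
        account = e.get("target", e.get("subject"))  # 4720/4732/4624 name the target account
        key = (e["host"], account)
        recent = key in created and e["ts"] - created[key] <= window
        if e["id"] == 4720:
            created[key] = e["ts"]
        elif e["id"] == 4732 and e.get("group_sid") == LOCAL_ADMINS_SID and recent:
            alerts.append(("new_local_admin", e["host"], account))
        elif e["id"] == 4624 and e.get("logon_type") == 10 and recent:
            alerts.append(("rdp_logon_by_new_account", e["host"], f"{account} from {e.get('src_ip', '?')}"))
        elif e["id"] == 4688:
            image = e["image"].lower()
            if image.rsplit("\\", 1)[-1] in MASQUERADE_NAMES and not image.startswith(SYSTEM_DIRS):
                alerts.append(("masquerading_binary", e["host"], image))
        elif e["id"] == 1102:
            alerts.append(("audit_log_cleared", e["host"], account))
    return alerts

def run_sample():
    """Run the rules over the constructed sample; erp01 should produce four alerts."""
    return detect(parse_events(SAMPLE_EVENTS))
```

The fs02 records show the negative case: an RDP logon by an account that was not just created, and calc.exe launched from System32, raise nothing.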
Some of the other utilities used in these attacks are:
- quser.exe, tasklist.exe, and netstat.exe for system reconnaissance
- fscan and SoftPerfect Network Scanner for local network reconnaissance
- ADRecon for collecting information from Active Directory
- Mimikatz, secretsdump, and ProcDump for credential harvesting
- RDP for lateral movement
- mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for remote host communication
- Rclone for data transfer
The attacks culminate with the deployment of LockBit 3.0 and Babuk ransomware on compromised hosts, followed by dropping a note that urges victims to contact them on Telegram to decrypt their data.
“Head Mare is actively expanding its set of techniques and tools,” Kaspersky said. “In recent attacks, they gained initial access to the target infrastructure not only by using phishing emails with exploits but also by compromising contractors. Head Mare is working with Twelve to launch attacks on state- and privately-controlled companies in Russia.”

The development comes as BI.ZONE linked the North Korea-linked threat actor known as ScarCruft (aka APT37, Reaper, Ricochet Chollima, and Squid Werewolf) to a phishing campaign in December 2024 that delivered a malware loader responsible for deploying an unknown payload from a remote server.
The activity, the Russian company said, closely resembles another campaign dubbed SHROUDED#SLEEP that Securonix documented in October 2024 as leading to the deployment of a backdoor called VeilShell in intrusions targeting Cambodia and likely other Southeast Asian countries.
Last month, BI.ZONE also detailed continued cyber attacks staged by Bloody Wolf to deliver NetSupport RAT as part of a campaign that has compromised more than 400 systems in Kazakhstan and Russia, marking a shift from STRRAT.