
A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus.
"Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools.
"For example, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and hide the malicious payload more effectively."

Head Mare, active since 2023, is one of the hacktivist groups attacking Russian organizations in the context of the Russo-Ukrainian conflict that began the year before.
It also maintains a presence on X, where it has leaked sensitive data and internal documentation from victims. Targets of the group's attacks include the government, transportation, energy, manufacturing, and environment sectors.
Unlike other hacktivist personas that likely operate with the aim of inflicting "maximum damage" on companies in the two countries, Head Mare also encrypts victims' devices using LockBit for Windows and Babuk for Linux (ESXi), and demands a ransom for data decryption.
Also part of its toolkit are PhantomDL and PhantomCore, the former of which is a Go-based backdoor that is capable of delivering additional payloads and uploading files of interest to a command-and-control (C2) server.
PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a remote access trojan with similar features, allowing for downloading files from the C2 server, uploading files from a compromised host to the C2 server, as well as executing commands in the cmd.exe command line interpreter.
"The attackers create scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activity as tasks related to Microsoft software," Kaspersky said.
"We also found that some LockBit samples used by the group had the following names: OneDrive.exe [and] VLC.exe. These samples were located in the C:\ProgramData directory, disguising themselves as legitimate OneDrive and VLC applications."
Both artifacts have been found to be distributed via phishing campaigns in the form of business documents with double extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).
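The three observables above (the MicrosoftUpdateCore/MicrosoftUpdateCoree persistence names, OneDrive.exe/VLC.exe sitting directly in C:\ProgramData, and document-named attachments with a trailing executable extension) are easy to turn into host-level detection logic. The Python below is an added example written for this article, not code from Kaspersky's report; the event records it scans are constructed for illustration, and the lists of "document" and "executable" extensions are an assumption about typical lure names rather than something the report enumerates.

```python
from pathlib import PureWindowsPath

# Constructed sample endpoint telemetry (invented for this example, not real logs).
# Each record has an event type, the object's name and, where relevant, a file path.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "name": "MicrosoftUpdateCore",
     "path": r"C:\ProgramData\OneDrive.exe"},
    {"type": "registry_run", "name": "MicrosoftUpdateCoree",
     "path": r"C:\ProgramData\VLC.exe"},
    {"type": "file_create", "name": "OneDrive.exe",
     "path": r"C:\ProgramData\OneDrive.exe"},
    # Legitimate OneDrive lives under the user's AppData, so this one must not alert.
    {"type": "file_create", "name": "OneDrive.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create", "name": "тз на разработку.pdf.exe",
     "path": r"C:\Users\alice\Downloads\тз на разработку.pdf.exe"},
    {"type": "file_create", "name": "report.pdf",
     "path": r"C:\Users\alice\Downloads\report.pdf"},
    # A real Microsoft task name that merely resembles the lure: must not alert.
    {"type": "scheduled_task", "name": "MicrosoftEdgeUpdateTaskMachineCore",
     "path": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
]

# Names taken from the reported indicators; compared case-insensitively.
PERSISTENCE_NAMES = {"microsoftupdatecore", "microsoftupdatecoree"}
MASQUERADE_NAMES = {"onedrive.exe", "vlc.exe"}
PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")

# Assumed extension lists for the double-extension check (not from the report).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}


def is_double_extension(filename: str) -> bool:
    """True for names like 'contract.pdf.exe': a document extension immediately
    followed by an executable one. Works on Unicode (e.g. Cyrillic) names."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS


def is_programdata_masquerade(path: str) -> bool:
    """True when a file named OneDrive.exe or VLC.exe sits directly in the
    ProgramData root, which is not where the genuine installers place them.
    PureWindowsPath compares case-insensitively, matching NTFS behaviour."""
    if not path:
        return False
    p = PureWindowsPath(path)
    return p.name.lower() in MASQUERADE_NAMES and p.parent == PROGRAMDATA


def evaluate(event: dict) -> list:
    """Return the list of reasons an event matches the reported tradecraft
    (empty list means no match)."""
    reasons = []
    if (event["type"] in ("scheduled_task", "registry_run")
            and event["name"].lower() in PERSISTENCE_NAMES):
        reasons.append("persistence entry using a MicrosoftUpdateCore* lure name")
    if is_programdata_masquerade(event.get("path", "")):
        reasons.append("OneDrive.exe/VLC.exe located directly in ProgramData")
    if event["type"] == "file_create" and is_double_extension(event["name"]):
        reasons.append("double-extension attachment (document name hiding an executable)")
    return reasons


def scan(events) -> list:
    """Run every event through evaluate() and collect (name, reasons) for matches."""
    alerts = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            alerts.append((event["name"], reasons))
    return alerts


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {name!r}: {'; '.join(reasons)}")
```

Matching on the lure names alone would be noisy if done as a substring search (note the genuine MicrosoftEdgeUpdateTaskMachineCore task), so the check is an exact, case-insensitive comparison; the path check deliberately requires the ProgramData root rather than any path containing "ProgramData", because legitimate software does install under its subdirectories.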

Another crucial component of its attack arsenal is Sliver, an open-source C2 framework, along with a collection of various publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral movement, and credential harvesting.
The intrusions culminate in the deployment of either LockBit or Babuk depending on the target environment, followed by dropping a ransom note that demands a payment in exchange for a decryptor to unlock the files.
"The tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict," the Russian cybersecurity vendor said.
"However, the group distinguishes itself by using custom malware such as PhantomDL and PhantomCore, as well as by exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate the infrastructure of their victims in phishing campaigns."