
Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers

March 21, 2025Red LakshmananMalicious software / cyber -ataka

Two known threat activity clusters, codenamed Head Mare and Twelve, have probably joined forces to target Russian entities, new findings reveal.

“Head Mare relied heavily on tools associated with Twelve. In addition …,” Kaspersky noted. “This suggests potential cooperation and joint campaigns between the two groups.”

Both Head Mare and Twelve were previously documented by Kaspersky in September 2024, with the former exploiting a vulnerability in WinRAR (CVE-2023-3831) to obtain initial access and deliver malware, and in some cases even deploying ransomware families such as LockBit for Windows and Babuk for Linux (ESXi) in exchange for a ransom.

Twelve, on the other hand, has been observed staging destructive attacks, using various publicly available tools to encrypt victims' data and irrevocably destroy their infrastructure with a wiper to prevent recovery efforts.


Kaspersky's latest analysis shows Head Mare using two new tools: CobInt, a backdoor used by ExCobalt and Crypt in past attacks aimed at Russian companies, and a custom implant named PhantomJitter, which is installed on servers to execute remote commands.

The deployment of CobInt has also been observed in attacks mounted by Twelve, with overlaps uncovered between the hacking crew and Crypt, which indicates some tactical connection between different groups targeting Russia.

Other initial access pathways used by Head Mare include trusted relationship attacks.

“The attackers used ProxyLogon to execute a command to download and launch CobInt on the server,” Kaspersky said, highlighting the use of an updated persistence mechanism that avoids scheduled tasks in favor of creating new privileged local users on a business automation platform server. These accounts are then used to connect to the server over RDP to transfer and run tools interactively.

In addition to giving the malicious payloads names that mimic benign operating system files (such as calc.exe or winuac.exe), the threat actors have been found removing traces of their activity by clearing event logs, and using proxy and tunneling tools such as Gost and Cloudflared.

Some of the other utilities used are:

  • quser.exe, tasklist.exe and netstat.exe for system reconnaissance
  • fscan and SoftPerfect Network Scanner for local network reconnaissance
  • ADRecon to collect information from Active Directory
  • Mimikatz, secretsdump and
  • RDP for lateral movement
  • mRemoteNG, smbexec, wmiexec, PAExec and PsExec for remote host communication
  • Rclone for data transfer
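
For defenders, the behaviours described above (a newly created local user added to Administrators, a cleared Security log, payloads named like system binaries, and the listed dual-use tools) can be hunted in Windows Security events. The sketch below is an added example, not code from Kaspersky or the article; it assumes events already parsed into dictionaries keyed by the standard fields of events 4720, 4732, 1102 and 4688, and the `.exe` file names for the tools and all sample events are constructed.

```python
import ntpath

# Tool names taken from the article; the .exe file names are assumptions.
# Matching is by file name only, so hits are leads to review, not verdicts.
DUAL_USE_TOOLS = {"fscan.exe", "rclone.exe", "gost.exe", "cloudflared.exe",
                  "mimikatz.exe", "psexec.exe", "paexec.exe"}
MIMICKED_NAMES = {"calc.exe", "winuac.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def detect(events):
    """Return (host, finding) tuples for the behaviours the article describes."""
    findings, new_accounts = [], {}   # new_accounts: (host, SID) -> account name
    for ev in events:
        host, eid = ev["Computer"], ev["EventID"]
        if eid == 4720:    # a user account was created
            new_accounts[(host, ev["TargetSid"])] = ev["TargetUserName"]
        elif eid == 4732:  # member added to a security-enabled local group
            name = new_accounts.get((host, ev["MemberSid"]))
            if name and ev["TargetUserName"].lower() == "administrators":
                findings.append((host, f"new local admin: {name}"))
        elif eid == 1102:  # the audit log was cleared
            findings.append((host, "security log cleared"))
        elif eid == 4688:  # a new process was created
            path = ev["NewProcessName"].lower()
            folder, exe = ntpath.split(path)
            if exe in MIMICKED_NAMES and folder not in SYSTEM_DIRS:
                findings.append((host, f"masquerading: {path}"))
            elif exe in DUAL_USE_TOOLS:
                findings.append((host, f"dual-use tool: {exe}"))
    return findings

# Constructed sample events (not taken from any real incident).
SAMPLE = [
    {"Computer": "APP01", "EventID": 4720, "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"Computer": "APP01", "EventID": 4732, "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1-2-3-1105"},
    {"Computer": "APP01", "EventID": 4688,
     "NewProcessName": r"C:\ProgramData\calc.exe"},
    {"Computer": "APP01", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\calc.exe"},
    {"Computer": "APP01", "EventID": 4688,
     "NewProcessName": r"C:\Users\Public\rclone.exe"},
    {"Computer": "APP01", "EventID": 1102},
]

if __name__ == "__main__":
    for host, finding in detect(SAMPLE):
        print(host, finding)
```

Only accounts whose creation (4720) was seen on the same host are reported when they join Administrators, so the rule tracks the create-then-elevate sequence rather than every group change.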

The attacks culminate in the deployment of LockBit 3.0 and Babuk ransomware on the compromised hosts, followed by a dropped note that urges victims to contact the attackers on Telegram to decrypt their files.

“Head Mare is actively expanding its set of techniques and tools,” Kaspersky said. “In recent attacks, they gained initial access to the target infrastructure using not only phishing emails with exploits, but also by compromising contractors. Head Mare is working with Twelve to launch attacks on public and private companies in Russia.”


The development comes as BI.ZONE described a December 2024 phishing campaign that delivered a malware loader.

According to the Russian company, the activity closely resembles another campaign called SHROUDED#SLEEP, which Securonix documented in October 2024 as leading to the deployment of a backdoor called VeilShell in intrusions targeting Cambodia and probably other Southeast Asian countries.

Last month, BI.ZONE also detailed continued cyber attacks staged by Bloody Wolf to deliver NetSupport RAT as part of a campaign that has compromised more than 400 systems in Kazakhstan and Russia, marking a shift away from STRRAT.
