Hacktivists use WinRAR vulnerability in attacks on Russia and Belarus

By Admin | September 3, 2024

Original: September 3, 2024 | Ravi Lakshmanan | Ransomware/Malware
A hacktivist group known as Head Mare has been linked to cyber attacks aimed exclusively at organizations located in Russia and Belarus.

“Head Mare uses more advanced methods to gain initial access,” Kaspersky said in an analysis of the group’s tactics and tools on Monday.

“For example, attackers took advantage of a relatively recent vulnerability, CVE-2023-38831, in WinRAR that allows an attacker to execute arbitrary code on the system via a specially crafted archive. This approach allows the group to more efficiently deliver and mask malicious payloads.”

Head Mare, which has been active since 2023, is one of the hacker groups attacking Russian organizations in the context of the Russian-Ukrainian conflict that began a year earlier.

It also maintains a presence on X, where confidential information and internal documents of the victims are leaked. The group’s targets are the government, transportation, energy, manufacturing and environmental sectors.

Unlike other hackers who likely operate to cause “maximum damage” to companies in the two countries, Head Mare also encrypts victims’ devices using LockBit for Windows and Babuk for Linux (ESXi) and demands a ransom to decrypt the data.

Also part of its toolkit are PhantomDL and PhantomCore, the first of which is a Go-based backdoor capable of delivering additional payloads and uploading files of interest to the command-and-control (C2) server.

PhantomCore (aka PhantomRAT), the predecessor of PhantomDL, is a remote access trojan with similar features: it can download files from a C2 server, upload files from a compromised host to the C2 server, and execute commands through the cmd.exe command-line interpreter.

“Attackers create scheduled tasks and registry values ​​called MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activities as tasks related to Microsoft software,” Kaspersky said.

“We also found that some of the LockBit samples used by the group had the following names: OneDrive.exe (and) VLC.exe. These samples were located in the C:\ProgramData directory, posing as legitimate OneDrive and VLC apps.”

It has been established that both artifacts are distributed through phishing campaigns in the form of business documents with double extensions (for example, solution #201-5_10ве_001-24 to PIV Ekran-SOI-2.pdf.exe or tz na razrobtku.pdf.exe).
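The three masquerading tricks described above (scheduled tasks and registry values named MicrosoftUpdateCore/MicrosoftUpdateCoree, LockBit samples named OneDrive.exe or VLC.exe under C:\ProgramData, and lures with a document extension directly followed by an executable extension) are cheap to hunt for in endpoint telemetry. The following is an added example written for this page, not code from Kaspersky or from the article's author. It assumes Sysmon-style events already flattened into dictionaries with the field names `Image`, `TargetObject` and `TaskName` (an assumed shape, not a real log format), and the sample events are constructed. The double-extension rule generalizes beyond the `.pdf.exe` lures the article names to other common document/executable pairs.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the article: names used to pose as Microsoft update
# tasks/registry values, and the binary names LockBit samples were given
# under C:\ProgramData. Legitimate OneDrive and VLC do not live there.
MASQUERADE_NAMES = {"microsoftupdatecore", "microsoftupdatecoree"}
LOOKALIKE_BINARIES = {"onedrive.exe", "vlc.exe"}

# Generalized from the ".pdf.exe" lures: a document extension immediately
# followed by an executable extension. These lists are the example's choice.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd"}

# Matches the last two dot-separated suffixes of a file name.
_DOUBLE_EXT = re.compile(r"\.([a-z0-9]{1,5})\.([a-z0-9]{1,4})$", re.IGNORECASE)


def has_double_extension(path: str) -> bool:
    """True for names like 'report.pdf.exe'; False for 'report.pdf' or 'a.tar.gz'."""
    m = _DOUBLE_EXT.search(PureWindowsPath(path).name)
    if not m:
        return False
    inner, outer = m.group(1).lower(), m.group(2).lower()
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS


def is_lookalike_in_programdata(image_path: str) -> bool:
    """OneDrive.exe / VLC.exe executing directly from a ProgramData directory."""
    p = PureWindowsPath(image_path)
    return p.name.lower() in LOOKALIKE_BINARIES and p.parent.name.lower() == "programdata"


def is_masquerade_name(object_path: str) -> bool:
    """Last backslash-separated component of a registry value or task path
    equals one of the names the group used for persistence."""
    leaf = object_path.rstrip("\\").rsplit("\\", 1)[-1]
    return leaf.lower() in MASQUERADE_NAMES


def triage(events):
    """Run all three rules over a list of event dicts; return (rule, detail) pairs."""
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "ProcessCreate":
            image = ev["Image"]
            if is_lookalike_in_programdata(image):
                findings.append(("lookalike_in_programdata", image))
            if has_double_extension(image):
                findings.append(("double_extension", image))
        elif kind == "RegistryValueSet" and is_masquerade_name(ev["TargetObject"]):
            findings.append(("masquerade_registry_value", ev["TargetObject"]))
        elif kind == "TaskCreate" and is_masquerade_name(ev["TaskName"]):
            findings.append(("masquerade_scheduled_task", ev["TaskName"]))
    return findings


# Constructed sample telemetry (not real logs): two hits per rule family,
# plus benign look-alikes that must NOT fire.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "Image": r"C:\ProgramData\OneDrive.exe"},
    {"event": "ProcessCreate",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"event": "ProcessCreate", "Image": r"C:\Users\alice\Downloads\tz na razrobtku.pdf.exe"},
    {"event": "ProcessCreate", "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe"},
    {"event": "ProcessCreate", "Image": r"C:\Users\alice\Downloads\report.pdf"},
    {"event": "RegistryValueSet",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdateCore"},
    {"event": "TaskCreate", "TaskName": r"\MicrosoftUpdateCoree"},
    {"event": "TaskCreate", "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

The rules deliberately key on location and naming rather than on file hashes, because the article's point is that the samples were renamed to blend in; a hash-based indicator would miss the next rebuild, while "VLC.exe running from C:\ProgramData" or "a Run value called MicrosoftUpdateCore" stays suspicious regardless of the payload.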

Another important component of its attack arsenal is Sliver, the open-source C2 framework, together with a set of publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral movement, and credential harvesting.

The intrusions are completed by deploying either LockBit or Babuk depending on the target environment, followed by a ransom message demanding payment in exchange for a decryptor to unlock the files.

“The tactics, methods, procedures and tools used by the Head Mare group are broadly similar to those of other cluster-related groups targeting organizations in Russia and Belarus in the context of the Russian-Ukrainian conflict,” the Russian cybersecurity vendor said.

“However, the group is distinguished by its use of specially crafted malware such as PhantomDL and PhantomCore, as well as its use of a relatively new vulnerability, CVE-2023-38831, to penetrate the infrastructure of its victims in phishing campaigns.”
