A hacktivist group known as Head Mare has been associated with cyber attacks specifically targeting organizations in Russia and Belarus.
“Head Mare uses more modern methods for gaining initial access,” Kaspersky stated in a recent analysis of the group’s techniques and tools.
“For example, the attackers exploited the relatively recent CVE-2023-38831 vulnerability in WinRAR, enabling them to execute code on the system through a specially crafted archive. This approach helps the group deliver and conceal the malicious payload more effectively.”
Head Mare, operating since 2023, is one of the hacktivist groups targeting Russian organizations in the context of the Russo-Ukrainian conflict that started a year earlier.
It also has a presence on X, where it has leaked sensitive information and internal documents from victims. The group’s targets include governments, transportation, energy, manufacturing, and environmental sectors.
Unlike other hacktivist groups that may aim to cause “maximum damage” to companies in the two countries, Head Mare also encrypts victims’ devices using LockBit for Windows and Babuk for Linux (ESXi), and demands a ransom for data decryption.
Additionally, the group utilizes PhantomDL and PhantomCore, with the former being a Go-based backdoor capable of delivering additional payloads and uploading files of interest to a command-and-control (C2) server.
PhantomCore (also known as PhantomRAT) is a remote access trojan with similar features, allowing for file downloading, uploading, and command execution.
“The attackers disguise their activity by creating scheduled tasks and registry values with names like MicrosoftUpdateCore and MicrosoftUpdateCoree,” Kaspersky noted.
“We also found that some LockBit samples used by the group were named OneDrive.exe and VLC.exe, located in the C:ProgramData directory to appear as legitimate OneDrive and VLC applications.”
These artifacts are distributed through phishing campaigns in the form of business documents with double file extensions.
Another significant aspect of their attack arsenal is Sliver, an open-source C2 framework, and a collection of publicly available tools for discovery, lateral movement, and credential harvesting.
The attacks involve deploying LockBit or Babuk based on the target environment, followed by a ransom demand for file decryption.
“The tactics, methods, procedures, and tools used by the Head Mare group are similar to other groups targeting organizations in Russia and Belarus in the context of the Russo-Ukrainian conflict,” the Russian cybersecurity vendor stated.
“However, the group differentiates itself by using custom-made malware like PhantomDL and PhantomCore, as well as exploiting a relatively new vulnerability, CVE-2023-38831, in phishing campaigns.”
