Hacktivists Leverage WinRAR Vulnerability for Attacks Targeting Russia and Belarus

A hacktivist collective identified as Head Mare has emerged as a notable threat actor, launching targeted cyber attacks against organizations in Russia and Belarus. According to Kaspersky’s analysis released earlier this week, Head Mare employs sophisticated techniques to gain initial access to its targets, distinguishing itself from other groups operating in the same domain.

Recent intelligence indicates that the group has exploited the CVE-2023-38831 vulnerability in WinRAR. This flaw allows attackers to execute arbitrary code via maliciously crafted archives, facilitating the execution of their payloads while evading detection. This marks a shift towards more advanced exploitation methods in their operations, enhancing their capacity to stealthily infiltrate target systems.

Active since 2023, Head Mare has positioned itself within the ongoing Russo-Ukrainian conflict by conducting operations that disrupt various sectors, including government, transportation, energy, and manufacturing. The group also maintains a presence on X, where it has leaked sensitive data and internal documents from its victims, underscoring its aggressive tactics and propaganda efforts.

Unlike other hacktivist organizations, which aim purely for maximum disruption, Head Mare has also employed ransomware as part of its operations. It uses LockBit against Windows systems and Babuk against Linux systems, encrypting victims’ files and demanding ransoms for decryption. This dual approach shows an intent not only to disrupt but also to financially exploit its targets.

The group has integrated a variety of malware into its attack arsenal, most notably PhantomDL and PhantomCore. PhantomDL is a Go-based backdoor capable of deploying additional payloads and exfiltrating data to command-and-control servers, while PhantomCore is a remote access trojan with capabilities for file manipulation and command execution on compromised systems. These tools align with the MITRE ATT&CK tactics of initial access and persistence, highlighting their strategic intent in the cyber landscape.

To obscure their activities, the attackers have been known to create scheduled tasks and registry values under names that mimic Microsoft software, such as MicrosoftUpdateCore. This technique masks malicious operations by borrowing the naming conventions of legitimate software to blend in. Specific LockBit variants used by the group have also been disguised as everyday applications, further complicating detection.
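One way a defender can triage this kind of masquerading is to cross-check the name of each autorun entry against where its executable actually lives: a task or Run value that calls itself a Microsoft component but launches from a user-writable directory deserves a closer look. The following is an added example written for this page, not code from the article or from Kaspersky’s report. The inventory it scans is constructed sample data; in practice it would be populated from `schtasks` / `Get-ScheduledTask` output and the `...\CurrentVersion\Run` registry keys, and the trusted-directory and token lists are assumptions to be tuned per environment.

```python
"""Heuristic triage of autorun entries whose names imitate Microsoft components.

Added example, not code from Kaspersky's report or the article. The inventory
below is constructed sample data; in practice it would come from scheduled-task
listings and the HKCU/HKLM ...\\CurrentVersion\\Run keys.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Directories a genuine Microsoft component is normally launched from (assumed list).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Directories any user can write to; a "Microsoft" task launching from here is suspect.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Vendor-sounding tokens commonly borrowed for masquerading (assumed list).
MIMIC_TOKENS = re.compile(r"microsoft|windows|update|defender|edge|office", re.IGNORECASE)


@dataclass(frozen=True)
class AutorunEntry:
    source: str   # "task" (scheduled task) or "run_key" (registry Run value)
    name: str     # task name or registry value name
    command: str  # command line recorded in the task action / registry value data


def executable_path(command: str) -> str:
    """Return the lower-cased executable path from a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command[1:].lower()
    return command.split(" ", 1)[0].lower()


def classify(entry: AutorunEntry) -> Optional[str]:
    """Return a finding if the entry looks like a masquerading autorun, else None."""
    if not MIMIC_TOKENS.search(entry.name):
        return None  # name does not imitate a vendor component; out of scope here
    path = executable_path(entry.command)
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return f"{entry.source} '{entry.name}' runs from a user-writable path: {path}"
    if not path.startswith(TRUSTED_DIRS):
        return f"{entry.source} '{entry.name}' runs from outside trusted system dirs: {path}"
    return None


def triage(entries: Iterable[AutorunEntry]) -> List[str]:
    """Collect findings for every suspicious entry in the inventory."""
    return [reason for reason in (classify(e) for e in entries) if reason]


# Constructed sample inventory: two legitimate entries, two masquerading ones, one unrelated.
SAMPLE = [
    AutorunEntry("task", "MicrosoftEdgeUpdateTaskMachineCore",
                 '"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe" /c'),
    AutorunEntry("task", "MicrosoftUpdateCore",
                 "C:\\Users\\Public\\Libraries\\svchost.exe -k netsvcs"),
    AutorunEntry("run_key", "WindowsDefender",
                 '"C:\\Users\\alice\\AppData\\Roaming\\defender.exe"'),
    AutorunEntry("run_key", "OneDrive",
                 '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    AutorunEntry("task", "Backup nightly", "C:\\Tools\\backup.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The path check is deliberately a triage aid rather than a verdict: some legitimate software does run from `AppData` (the OneDrive entry above passes only because its name does not borrow a vendor token), so findings should feed an allowlist and a signature or hash check rather than an automatic block.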

The group’s operations predominantly rely on phishing campaigns, disseminating their malware through seemingly innocuous business documents featuring deceptive double extensions. This tactic not only facilitates the initial compromise but also emphasizes the need for vigilance in email communications, especially those involving unexpected or unusual attachments.
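A mail gateway or endpoint script can catch the double-extension trick by looking at what the attachment name appears to be versus what extension the operating system will actually act on. The example below is added for this page and is not code from the article or from Kaspersky’s analysis; the extension lists are assumptions to be extended per policy, and the attachment names are constructed samples. It goes slightly beyond the article’s wording by also treating padding with spaces or repeated dots between the two extensions as the same technique.

```python
"""Flag e-mail attachment names that use a deceptive double extension
(a document-looking name that actually ends in an executable extension).

Added example; not part of the article or of Kaspersky's analysis. The
attachment names below are constructed sample data.
"""
from typing import Iterable, List, Optional

# Extensions Windows will execute or interpret when double-clicked (assumed subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "ps1", "msi", "lnk"}
# Extensions users associate with harmless business documents (assumed subset).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt",
                 "odt", "csv", "jpg", "png"}


def deceptive_double_extension(filename: str) -> Optional[str]:
    """Return a description if `filename` looks like doc-ext + exec-ext, else None.

    Handles padding with spaces or repeated dots between the two extensions,
    e.g. 'invoice.pdf          .exe' or 'invoice.pdf..exe'.
    """
    name = filename.strip().lower()
    # Split on dots, trim whitespace padding, and drop empty segments from '..'.
    parts = [p.strip() for p in name.split(".")]
    parts = [p for p in parts if p]
    if len(parts) < 3:
        return None  # a bare name plus one extension is not a double extension
    real_ext, shown_ext = parts[-1], parts[-2]
    if real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
        return f"{filename!r}: appears to be .{shown_ext} but will run as .{real_ext}"
    return None


def scan_attachments(filenames: Iterable[str]) -> List[str]:
    """Return a finding for every deceptive attachment name in the batch."""
    return [hit for hit in map(deceptive_double_extension, filenames) if hit]


# Constructed sample batch: three deceptive names, four benign ones.
SAMPLE_ATTACHMENTS = [
    "Q3_report.pdf",
    "invoice_2024-09.pdf.exe",
    "contract.docx                      .scr",
    "agenda.pdf..cmd",
    "photos.tar.gz",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for hit in scan_attachments(SAMPLE_ATTACHMENTS):
        print(hit)
```

Note that `setup.exe` is intentionally not flagged: a plainly named executable is a policy question for the attachment filter, whereas the check above targets only the deception of hiding an executable extension behind a document one.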

Aside from their custom malware, Head Mare also employs Sliver, an open-source command-and-control framework, along with widely available tools such as ngrok and Mimikatz. These resources enhance their discovery, lateral movement, and credential harvesting capabilities, characteristic of adversary strategies under the MITRE ATT&CK framework.

Head Mare’s operations typically culminate in the deployment of LockBit or Babuk ransomware, followed by a ransom demand in exchange for decryption. As the group continues to evolve its methods, its distinctive combination of custom malware and exploitation of recent vulnerabilities positions it as a formidable threat in the ongoing cyber hostilities linked to the Russo-Ukrainian conflict.

This activity highlights a critical need for businesses and organizations, particularly those in vulnerable sectors, to fortify their cybersecurity measures against emerging threats. Increased awareness, employee training on phishing, and robust incident response plans are essential in mitigating risks posed by such sophisticated adversaries.

Source Link : https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
