Activists Utilize WinRAR Vulnerability in Offensives Against Russia and Belarus

Sep 03, 2024Ravie LakshmananRansomware / Malware

A hacktivist group tracked as Head Mare has been linked to cyber attacks exclusively targeting organizations located in Russia and Belarus.

“Head Mare employs more contemporary techniques to gain initial entry,” Kaspersky stated in a recent analysis of the group’s strategies and resources.

“For example, the attackers leveraged the relatively recent CVE-2023-38831 flaw in WinRAR, enabling them to execute unauthorized commands on the system through a specially crafted archive. This tactic assists in more effectively delivering and concealing the malicious payload.”

Head Mare, active since 2023, is one of the hacktivist groups targeting Russian entities in the context of the Russo-Ukrainian conflict, which began a year earlier.

It also maintains a presence on X, where it has leaked sensitive information and internal documents from victims. The group's targets span government, transportation, energy, manufacturing, and environmental sectors.

Unlike other hacktivist groups that likely operate with the aim of causing “maximum harm” to companies in these two countries, Head Mare also encrypts victims' devices using LockBit for Windows and Babuk for Linux (ESXi), and demands a ransom for decrypting the data.

Part of its arsenal includes PhantomDL and PhantomCore, the former a Go-based backdoor capable of delivering additional payloads and uploading files of interest to a command-and-control (C2) server.

PhantomCore (aka PhantomRAT), the predecessor of PhantomDL, is a remote access trojan with similar features, allowing files to be downloaded from the C2 server, files to be uploaded from a compromised host to the C2 server, and commands to be executed in the cmd.exe command-line interpreter.

“The attackers set up scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to mask their activities as tasks associated with Microsoft software,” according to Kaspersky.

“We also discovered that certain LockBit samples used by the faction had names such as: OneDrive.exe [and] VLC.exe. These samples were stored in the C:\ProgramData directory, camouflaging themselves as legitimate OneDrive and VLC applications.”

Both artifacts have been found to be distributed via phishing campaigns in the guise of business documents with double extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).
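As an added example that is not from the article or from Kaspersky, the following read-only PowerShell hunt checks a Windows host for the persistence names, masquerading file names and double-extension lures quoted above; the Downloads folder path and the document-extension list are assumptions.

```powershell
# Added example (not the article's or Kaspersky's code): hunt for the Head Mare
# artifacts quoted in the article. Run as Administrator; every check is read-only.

$suspiciousNames = @('MicrosoftUpdateCore', 'MicrosoftUpdateCoree')  # task/registry names from the article
$masqueradeFiles = @('OneDrive.exe', 'VLC.exe')                       # LockBit sample names from the article
$findings = @()

# 1. Scheduled tasks whose name matches the decoy names
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $suspiciousNames -contains $_.TaskName } |
    ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskName; Detail = $action }
    }

# 2. Run/RunOnce values carrying the same names (machine-wide and current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $suspiciousNames) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings += [pscustomobject]@{ Type = 'RegistryRun'; Name = "$key\$name"; Detail = $props.$name }
        }
    }
}

# 3. Executables named like OneDrive/VLC sitting directly in C:\ProgramData.
#    The genuine binaries install elsewhere, so a hit here deserves a look; the
#    Authenticode status is recorded to speed up triage.
foreach ($file in $masqueradeFiles) {
    $path = Join-Path $env:ProgramData $file
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings += [pscustomobject]@{ Type = 'MasqueradeFile'; Name = $path; Detail = "Signature: $($sig.Status)" }
    }
}

# 4. Double-extension lures (e.g. *.pdf.exe) in user Downloads folders (assumed location)
Get-ChildItem -Path "$env:SystemDrive\Users\*\Downloads" -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.(pdf|docx?|xlsx?)\.exe$' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'DoubleExtension'; Name = $_.FullName; Detail = "$($_.Length) bytes" }
    }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Head Mare artifacts found.' }
```

A task or Run value with one of these names is not proof of compromise on its own; confirm by inspecting the action or command it launches.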

Another key component of its attack toolkit is Sliver, an open-source C2 framework, along with an assortment of publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate reconnaissance, lateral movement, and credential harvesting.

The attacks culminate in the deployment of either LockBit or Babuk, depending on the target environment, followed by the dropping of a ransom note demanding payment in exchange for a decryptor to unlock the files.

“The strategies, methods, processes, and tools employed by the Head Mare faction closely resemble those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict,” the Russian cybersecurity vendor said.

“Nonetheless, the faction stands out by utilizing bespoke malware like PhantomDL and PhantomCore, in addition to exploiting a relatively recent vulnerability, CVE-2023-38831, to breach the infrastructure of their target victims through phishing campaigns.”
