A hacktivist group called Head Mare has been implicated in cyber attacks specifically directed at entities situated in Russia and Belarus.
Kaspersky mentioned in an analysis published on Monday that “Head Mare adopts more contemporary approaches to gain initial entry into networks.”
“For instance, the threat actors leveraged the relatively recent CVE-2023-38831 vulnerability in WinRAR to run arbitrary code on the system through a specially crafted archive. This tactic enables the group to distribute and camouflage the malicious payload more efficiently.”
Head Mare, operational since 2023, is one of the hacktivist groups targeting Russian entities amid the Russo-Ukrainian conflict that erupted the year prior.
The group also maintains a presence on X, where it has leaked confidential data and internal records from victims. Its targets range from governmental bodies to the transportation, energy, manufacturing, and environmental sectors.
In contrast to other hacktivist personas that likely operate with the objective of causing “maximum harm” to organizations in these two countries, Head Mare encrypts victims' data using LockBit for Windows and Babuk for Linux (ESXi), and demands payment for decrypting it.
Among its arsenal are PhantomDL and PhantomCore. The former is a backdoor written in Go that can deliver additional payloads and upload files of interest to a command-and-control (C2) server.
PhantomCore (also known as PhantomRAT) precedes PhantomDL and is a remote access trojan with similar functionalities, permitting the downloading of files from the C2 server, uploading files from a compromised host to the C2 server, as well as executing commands through the cmd.exe command line interpreter.
“The actors create tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to camouflage their operations as tasks related to Microsoft software,” as mentioned by Kaspersky.
“It was also discovered that certain LockBit samples utilized by the group were named as: OneDrive.exe [and] VLC.exe. These samples were found in the C:\ProgramData directory, masquerading as legitimate OneDrive and VLC applications.”
Both artifacts have been disseminated via phishing campaigns in the guise of business documents with dual file extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).
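The persistence names, masqueraded LockBit file names, dual-extension lure names and the WinRAR exposure described above translate directly into host-level hunting checks. The script below is an added example, not code from Kaspersky's report or from this article: it runs those checks over a constructed batch of endpoint telemetry records (scheduled task names, registry value names, file paths, attachment names and an installed WinRAR version). The record format, the rule names, the list of document and executable extensions used for the dual-extension rule, and the benign look-alike entries are all assumptions made for the example; the indicator names come from the report, and the WinRAR 6.23 fix version for CVE-2023-38831 is the vendor's published fix release.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Scheduled-task and registry value names Kaspersky attributes to Head Mare persistence.
PERSISTENCE_NAMES = {"microsoftupdatecore", "microsoftupdatecoree"}

# File names the renamed LockBit samples carried, and the directory they were dropped in.
MASQUERADE_NAMES = {"onedrive.exe", "vlc.exe"}
MASQUERADE_DIR = PureWindowsPath(r"C:\ProgramData")

# A document-looking extension immediately followed by an executable one ("x.pdf.exe").
# The extension lists are an assumption for this example; the report only shows ".pdf.exe".
DUAL_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|rtf|txt)\.(exe|scr|com|cmd|bat|js|vbs)$", re.IGNORECASE
)

# CVE-2023-38831 was fixed in WinRAR 6.23; anything older is still exposed.
WINRAR_FIXED = (6, 23)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def check_persistence_name(name: str) -> Optional[Finding]:
    """Scheduled task or registry value names that imitate Microsoft update components."""
    if name.strip().lower() in PERSISTENCE_NAMES:
        return Finding("head_mare_persistence_name", name)
    return None


def check_masqueraded_binary(path: str) -> Optional[Finding]:
    """OneDrive.exe / VLC.exe anywhere under ProgramData, where neither product installs."""
    p = PureWindowsPath(path)
    # PureWindowsPath compares case-insensitively and normalises separators.
    if p.name.lower() in MASQUERADE_NAMES and MASQUERADE_DIR in p.parents:
        return Finding("lockbit_masquerade_programdata", path)
    return None


def check_attachment_name(filename: str) -> Optional[Finding]:
    """Dual-extension lure names such as 'document.pdf.exe'."""
    if DUAL_EXT_RE.search(filename):
        return Finding("dual_extension_attachment", filename)
    return None


def check_winrar_version(version: str) -> Optional[Finding]:
    """Installed WinRAR older than the 6.23 release that fixed CVE-2023-38831."""
    parts = tuple(int(x) for x in version.split("."))
    if parts < WINRAR_FIXED:
        return Finding("winrar_cve_2023_38831_unpatched", version)
    return None


# Record kind -> check. The kinds are an assumed telemetry schema for this example.
CHECKS = {
    "task": check_persistence_name,
    "regvalue": check_persistence_name,
    "file": check_masqueraded_binary,
    "attachment": check_attachment_name,
    "winrar": check_winrar_version,
}


def triage(records: Iterable[dict]) -> List[Finding]:
    """Run the matching check for each telemetry record; unknown kinds are ignored."""
    findings: List[Finding] = []
    for rec in records:
        check = CHECKS.get(rec.get("kind"))
        if check is None:
            continue
        hit = check(rec["value"])
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real collector output): the report's indicators mixed
# with benign look-alikes (a legitimate OneDrive install path, a plain PDF) that must not fire.
SAMPLE_RECORDS = [
    {"kind": "task", "value": "MicrosoftUpdateCore"},
    {"kind": "regvalue", "value": "MicrosoftUpdateCoree"},
    {"kind": "task", "value": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"kind": "file", "value": r"C:\ProgramData\OneDrive.exe"},
    {"kind": "file", "value": r"C:\ProgramData\cache\VLC.exe"},
    {"kind": "file", "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"kind": "attachment", "value": "тз на разработку.pdf.exe"},
    {"kind": "attachment", "value": "quarterly-report.pdf"},
    {"kind": "winrar", "value": "6.22"},
    {"kind": "winrar", "value": "6.24"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.rule:34} {f.evidence}")
```

Run against the constructed records, the script reports six findings: the two persistence names, the two binaries under ProgramData, the dual-extension lure, and the unpatched WinRAR build; the legitimate OneDrive path, the plain PDF, the Edge updater task and WinRAR 6.24 are left alone. Feeding it real data means replacing `SAMPLE_RECORDS` with task, Run-key, file and attachment inventories from your own collector; the checks themselves are deliberately narrow, so treat a hit as a trigger for investigation rather than proof of compromise.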

Another pivotal component of its attack toolkit is Sliver, an open-source C2 framework, along with a compilation of diverse publicly accessible tools like rsockstun, ngrok, and Mimikatz to aid in reconnaissance, lateral movement, and credential acquisition.
The incursions culminate in the deployment of either LockBit or Babuk based on the target scenario, followed by the distribution of a ransom note demanding payment in return for a decryption key to unlock the files.
“The techniques, strategies, procedures, and tools employed by the Head Mare group are predominantly akin to those of other groups linked with clusters targeting entities in Russia and Belarus within the framework of the Russo-Ukrainian conflict,” stated the Russian cybersecurity vendor.
“Nevertheless, the group sets itself apart by utilizing bespoke malware such as PhantomDL and PhantomCore, and taking advantage of a fairly new vulnerability, CVE-2023-38831, to infiltrate the networks of their victims in phishing campaigns.”

