Tuesday, November 5, 2024
HomeCVE/vulnerabilityHead Mare Hacktivist Group Exploit WinRAR Vulnerability To Encrypt Windows And Linux

Head Mare Hacktivist Group Exploit WinRAR Vulnerability To Encrypt Windows And Linux

Published on

Malware protection

Head Mare, a Russian-focused hacktivist group, gained notoriety in 2023 by targeting organizations in Russia and Belarus as they employ phishing tactics to distribute WinRAR archives exploiting the CVE-2023-38831 vulnerability, gaining initial access to victims’ systems. 

Once inside, they steal sensitive data and encrypt devices using LockBit and Babuk ransomware, whose toolset and tactics align with those of other groups attacking Russian entities, suggesting potential connections or shared resources.

Head Mare post on X

The Head Mare hacktivist group, targeting Russian and Belarusian organizations, uses sophisticated techniques for initial access and persistence by leveraging the CVE-2023-38831 vulnerability in WinRAR to distribute malicious PhantomDL and PhantomCore payloads. 

- Advertisement - SIEM as a Service

These malware samples establish communication with attackers’ command and control servers, identify the infected domain, and persist in the system using registry keys and scheduled tasks.

The group’s ultimate goal is to cause maximum damage to Russian and Belarusian companies while also demanding a ransom for data decryption.

PhantomCore C2 connection

The attackers employed various tactics to evade detection, including disguising their tools as legitimate software, using obfuscation techniques, and leveraging open-source frameworks like Sliver by using tools such as rsockstun and ngrok to pivot through compromised systems and gain access to private network segments. 

Additionally, they employed phishing campaigns with double-extension files to lure victims into executing malicious payloads, which allowed the attackers to maintain persistent access to victim networks and execute their malicious activities undetected.

Contents of one of the C2 server directories

They initially compromised a network node and used various techniques to gather system information and credentials by employing the Mimikatz tool and XenAllPasswordPro to harvest credentials from the compromised system. 

Subsequently, the attackers deployed two ransomware variants, LockBit and Babuk, to encrypt files on the network, where LockBit, distributed under various names, sequentially encrypted files using LockbitLite and LockbitHard. 

While Babuk, designed for ESXi, leveraged standard encryption algorithms and destroyed running virtual machines, where both ransomware variants left ransom notes demanding payment for decryption.

Babuk sample ransom note

The Kaspersky Threat Intelligence report reveals that the Head Mare malware group primarily targets victims in Russia and Belarus.

The PhantomDL and PhantomCore samples, key components of their toolkit, have been analyzed and compared to similar malware. 

The report also identifies similarities between Head Mare’s tools and the LockBit ransomware, suggesting potential connections or shared techniques. 

Information about the PhantomDL sample from TIP

By analyzing these similarities, cybersecurity researchers can gain valuable insights into Head Mare’s operations and develop strategies to mitigate their attacks.

The Head Mare group, a threat actor associated with clusters targeting Russian and Belarusian organizations, employs tactics, methods, procedures, and tools similar to other groups within the same context. 

While they distinguish themselves by using custom-made malware, such as PhantomDL and PhantomCore, and exploiting a newly discovered vulnerability, CVE-2023-38831, in phishing campaigns to infiltrate victim infrastructure. 

Head Mare: adventures of a unicorn in Russia and Belarus

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor IntelBroker Claims Leak of Nokia’s Source Code

The threat actor known as IntelBroker, in collaboration with EnergyWeaponUser, has claimed responsibility for...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...