Thursday, February 13, 2025
HomeCVE/vulnerabilityHead Mare Hacktivist Group Exploit WinRAR Vulnerability To Encrypt Windows And Linux

Head Mare Hacktivist Group Exploit WinRAR Vulnerability To Encrypt Windows And Linux

Published on

SIEM as a Service

Follow Us on Google News

Head Mare, a Russian-focused hacktivist group, gained notoriety in 2023 by targeting organizations in Russia and Belarus as they employ phishing tactics to distribute WinRAR archives exploiting the CVE-2023-38831 vulnerability, gaining initial access to victims’ systems. 

Once inside, they steal sensitive data and encrypt devices using LockBit and Babuk ransomware, whose toolset and tactics align with those of other groups attacking Russian entities, suggesting potential connections or shared resources.

Head Mare post on X

The Head Mare hacktivist group, targeting Russian and Belarusian organizations, uses sophisticated techniques for initial access and persistence by leveraging the CVE-2023-38831 vulnerability in WinRAR to distribute malicious PhantomDL and PhantomCore payloads. 

These malware samples establish communication with attackers’ command and control servers, identify the infected domain, and persist in the system using registry keys and scheduled tasks.

The group’s ultimate goal is to cause maximum damage to Russian and Belarusian companies while also demanding a ransom for data decryption.

PhantomCore C2 connection

The attackers employed various tactics to evade detection, including disguising their tools as legitimate software, using obfuscation techniques, and leveraging open-source frameworks like Sliver by using tools such as rsockstun and ngrok to pivot through compromised systems and gain access to private network segments. 

Additionally, they employed phishing campaigns with double-extension files to lure victims into executing malicious payloads, which allowed the attackers to maintain persistent access to victim networks and execute their malicious activities undetected.

Contents of one of the C2 server directories

They initially compromised a network node and used various techniques to gather system information and credentials by employing the Mimikatz tool and XenAllPasswordPro to harvest credentials from the compromised system. 

Subsequently, the attackers deployed two ransomware variants, LockBit and Babuk, to encrypt files on the network, where LockBit, distributed under various names, sequentially encrypted files using LockbitLite and LockbitHard. 

While Babuk, designed for ESXi, leveraged standard encryption algorithms and destroyed running virtual machines, where both ransomware variants left ransom notes demanding payment for decryption.

Babuk sample ransom note

The Kaspersky Threat Intelligence report reveals that the Head Mare malware group primarily targets victims in Russia and Belarus.

The PhantomDL and PhantomCore samples, key components of their toolkit, have been analyzed and compared to similar malware. 

The report also identifies similarities between Head Mare’s tools and the LockBit ransomware, suggesting potential connections or shared techniques. 

Information about the PhantomDL sample from TIP

By analyzing these similarities, cybersecurity researchers can gain valuable insights into Head Mare’s operations and develop strategies to mitigate their attacks.

The Head Mare group, a threat actor associated with clusters targeting Russian and Belarusian organizations, employs tactics, methods, procedures, and tools similar to other groups within the same context. 

While they distinguish themselves by using custom-made malware, such as PhantomDL and PhantomCore, and exploiting a newly discovered vulnerability, CVE-2023-38831, in phishing campaigns to infiltrate victim infrastructure. 

Head Mare: adventures of a unicorn in Russia and Belarus

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Global IoT Data Leak Exposes 2.7 Billion Records and Wi-Fi Passwords Worldwide

A massive security lapse has exposed over 2.7 billion records, including sensitive Wi-Fi credentials,...

Palo Alto PAN-OS Zero-Day Flaw Allows Attackers to Bypass Web Interface Authentication

Palo Alto Networks has disclosed a zero-day vulnerability in its PAN-OS software (CVE-2025-0108), allowing...

Enhancing Threat Detection With Improved Metadata & MITRE ATT&CK tags

The cybersecurity landscape continues to evolve rapidly, demanding more sophisticated tools and methodologies to...

Hackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

In a concerning development, cybersecurity experts have identified active exploitation of a critical vulnerability...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Global IoT Data Leak Exposes 2.7 Billion Records and Wi-Fi Passwords Worldwide

A massive security lapse has exposed over 2.7 billion records, including sensitive Wi-Fi credentials,...

Palo Alto PAN-OS Zero-Day Flaw Allows Attackers to Bypass Web Interface Authentication

Palo Alto Networks has disclosed a zero-day vulnerability in its PAN-OS software (CVE-2025-0108), allowing...

Enhancing Threat Detection With Improved Metadata & MITRE ATT&CK tags

The cybersecurity landscape continues to evolve rapidly, demanding more sophisticated tools and methodologies to...