Head Mare Hacktivist Group Targets Russia and Belarus Using WinRAR Vulnerability

September 3, 2024

A group of hacktivists, known as Head Mare, has been conducting cyberattacks against organizations in Russia and Belarus. The group leverages a recent exploit, specifically for the CVE-2023-38831 vulnerability in WinRAR, which allows them to execute arbitrary code on the system through a specially crafted archive. This technique enables more effective delivery and disguise of the malicious payload.

Head Mare has been active since 2023 and is among the hacktivist groups targeting Russian organizations amidst the ongoing Russo-Ukrainian conflict. The group has a presence on X, where it has disclosed sensitive information and internal documentation from its victims. The targets of their attacks span across various sectors, including government, transportation, energy, manufacturing, and environment.

Unlike other hacktivist groups aiming to cause 'maximum damage' to companies in Russia and Belarus, Head Mare also uses ransomware, LockBit for Windows and Babuk for Linux (ESXi), to encrypt victims' devices and demand a ransom for data decryption. The group's toolkit includes PhantomDL and PhantomCore; the former is a Go-based backdoor capable of delivering additional payloads and uploading files of interest to a command-and-control (C2) server. PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a remote access trojan with similar features.

The group uses deceptive tactics, creating scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to mask their activities as Microsoft-related tasks. Some LockBit samples used by the group were named OneDrive.exe and VLC.exe, found in the C:\ProgramData directory, disguising themselves as legitimate OneDrive and VLC applications. These artifacts were distributed via phishing campaigns using business documents with double extensions.
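A defender's triage of the artifacts named above, written here as an added example that is not part of the original article. The indicator names (the MicrosoftUpdateCore / MicrosoftUpdateCoree task and registry value names, OneDrive.exe and VLC.exe under C:\ProgramData, and double-extension document lures) come from the article; the inventory record format, the sample records, and the document and executable extension lists used for the double-extension heuristic are assumptions made for this illustration.

```python
"""Triage endpoint inventory records for the Head Mare masquerading artifacts.

Constructed example: the record format (a list of dicts, e.g. exported from an
EDR or scheduled-task/registry/file inventory) and the sample records are
assumptions; the indicator names are the ones reported in the article.
"""
from pathlib import PureWindowsPath

# Scheduled task and registry value names used to pose as Microsoft update tasks.
TASK_AND_VALUE_NAMES = {"microsoftupdatecore", "microsoftupdatecoree"}
# Ransomware samples renamed to look like well-known applications.
MASQUERADED_BINARIES = {"onedrive.exe", "vlc.exe"}
# Directory where the renamed samples were found; the genuine OneDrive and VLC
# installers place their binaries elsewhere (user profile / Program Files).
SUSPICIOUS_DIR = PureWindowsPath(r"C:\ProgramData")
# Extension lists for the double-extension heuristic (assumed, not from the article).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}


def is_masquerading_name(name: str) -> bool:
    """Exact (case-insensitive) match on the fake 'Microsoft update' task/value names."""
    return name.strip().lower() in TASK_AND_VALUE_NAMES


def is_masquerading_binary(path: str) -> bool:
    """OneDrive.exe or VLC.exe sitting directly under C:\\ProgramData.

    The indicator is the combination of name and location: the same file name
    in its normal install directory is not flagged.
    """
    p = PureWindowsPath(path)
    # PureWindowsPath equality is case-insensitive, matching NTFS semantics.
    return p.name.lower() in MASQUERADED_BINARIES and p.parent == SUSPICIOUS_DIR


def is_double_extension_lure(path: str) -> bool:
    """A document extension immediately followed by an executable one, e.g. 'Contract.pdf.exe'."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and suffixes[-1] in EXEC_EXTS


def triage(records):
    """Return (host, kind, artifact, reason) tuples for every record that matches an indicator."""
    findings = []
    for r in records:
        kind = r["kind"]
        if kind in ("task", "registry") and is_masquerading_name(r["name"]):
            findings.append((r["host"], kind, r["name"], "persistence name posing as a Microsoft update task"))
        elif kind == "file":
            if is_masquerading_binary(r["path"]):
                findings.append((r["host"], kind, r["path"], "OneDrive/VLC lookalike under C:\\ProgramData"))
            if is_double_extension_lure(r["path"]):
                findings.append((r["host"], kind, r["path"], "double-extension document lure"))
    return findings


# Constructed sample inventory: two true positives per category plus benign lookalikes
# that a name-only check would wrongly flag.
SAMPLE_INVENTORY = [
    {"host": "ws01", "kind": "task", "name": "MicrosoftUpdateCore"},
    {"host": "ws01", "kind": "registry", "name": "MicrosoftUpdateCoree"},
    {"host": "ws01", "kind": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore"},  # benign, must not fire
    {"host": "ws02", "kind": "file", "path": r"C:\ProgramData\OneDrive.exe"},
    {"host": "ws02", "kind": "file", "path": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},  # legitimate
    {"host": "ws03", "kind": "file", "path": r"C:\Users\bob\Downloads\Contract_2024.pdf.exe"},
    {"host": "ws03", "kind": "file", "path": r"C:\Users\bob\Downloads\Contract_2024.pdf"},  # ordinary document
]

if __name__ == "__main__":
    for host, kind, artifact, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}\t{kind}\t{artifact}\t{reason}")
```

The checks are deliberately narrow: the task and value names are matched exactly rather than by substring, so legitimate names containing "UpdateCore" do not fire, and the renamed binaries are flagged only in the directory the article names, since OneDrive.exe and VLC.exe are ordinary on a workstation in their normal install locations.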

The group also utilizes Sliver, an open-source C2 framework, and a collection of various publicly available tools like rsockstun, ngrok, and Mimikatz to facilitate discovery, lateral movement, and credential harvesting. The intrusions typically end with the deployment of either LockBit or Babuk, depending on the target environment, followed by a ransom note demanding payment for a decryptor to unlock the files.

The tactics, techniques, procedures, and tools employed by the Head Mare group are generally similar to those of other clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict. However, the group distinguishes itself by using custom-made malware such as PhantomDL and PhantomCore, and by exploiting a relatively new vulnerability, CVE-2023-38831, in its phishing campaigns to infiltrate victims' infrastructure.
