
Hacktivist Group “Head Mare” Targets Russian and Belarusian Organizations with Advanced Cyber Attacks 


StratosAlly


Since 2023, a hacktivist group known as Head Mare has been targeting organizations in Russia and Belarus. The group, which operates in the context of the ongoing Russo-Ukrainian conflict, is relatively new but notable for its use of advanced techniques, including custom-developed malware and the exploitation of recently disclosed vulnerabilities.

Head Mare mainly gains initial access through phishing emails carrying malicious archives that exploit CVE-2023-38831 in WinRAR (fixed in version 6.23). Such an archive contains a harmless-looking document together with a folder of the same name that holds a script; when the user double-clicks the document, a vulnerable WinRAR extracts and launches the script instead, giving the attackers arbitrary code execution (ACE) on the victim's machine. The archives are ZIP files disguised as business or official documents, so a single click on the decoy is enough to start the infection.
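As an added example that is not part of the original article or of Head Mare's tooling, the following Python script shows how the exploit layout described above can be spotted in a ZIP archive before anyone opens it. It lists the archive's entries and flags a top-level file whose name matches a directory that contains a script or executable. The sample archives are constructed in memory with inert placeholder content, and the matching rule and extension list are assumptions chosen for this illustration.

```python
"""Spot CVE-2023-38831-style ZIP layouts before the archive is opened.

Added example (not from the original article or from Head Mare's tooling).
The WinRAR bug is triggered by an archive holding a decoy file, e.g. "report.pdf ",
next to a directory of the same name whose contents include a script such as
"report.pdf /report.pdf .cmd"; a vulnerable WinRAR (before 6.23) launches the
script when the user double-clicks the decoy.
"""
import io
import zipfile
from typing import Dict, List, Tuple

# Extensions treated as executable payloads (assumption for this example).
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".ps1", ".js", ".scr", ".com", ".hta"}


def find_cve_2023_38831_pairs(archive_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, script) pairs whose layout matches the WinRAR bug.

    Matching rule (assumption): a top-level file entry whose name, with trailing
    spaces removed, equals a top-level directory that holds at least one entry
    with a script or executable extension.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()

    top_level_files = [n for n in names if "/" not in n]
    dir_children: Dict[str, List[str]] = {}
    for name in names:
        top, sep, rest = name.partition("/")
        if sep and rest:  # skip bare "dir/" entries, keep "dir/child"
            dir_children.setdefault(top, []).append(rest)

    hits: List[Tuple[str, str]] = []
    for decoy in top_level_files:
        key = decoy.rstrip(" ")
        for directory, children in dir_children.items():
            if directory.rstrip(" ") != key:
                continue
            for child in children:
                ext = ("." + child.rsplit(".", 1)[-1].lower()) if "." in child else ""
                if ext in SCRIPT_EXTENSIONS:
                    hits.append((decoy, f"{directory}/{child}"))
    return hits


def build_sample_archive() -> bytes:
    """Constructed archive with the malicious layout; the payload is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf ", b"%PDF-1.4 decoy document")
        zf.writestr("report.pdf /report.pdf .cmd", b"rem placeholder, no real commands\r\n")
        zf.writestr("notes.txt", b"unrelated benign file")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with an ordinary file-plus-folder layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 real report")
        zf.writestr("attachments/readme.txt", b"nothing executable here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        pairs = find_cve_2023_38831_pairs(data)
        verdict = "SUSPICIOUS" if pairs else "clean"
        print(f"{label}: {verdict} {pairs}")
```

The check works on the central directory alone, so it can run in a mail gateway or on a file share without extracting anything; the trailing-space normalisation covers the variant most public proof-of-concepts use, where both the decoy and the folder carry a trailing space.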

Once inside a compromised system, Head Mare establishes persistence by modifying Windows registry values and creating scheduled tasks. Two custom malware families, PhantomDL and PhantomCore, are used throughout the phishing campaign to gain and maintain control of infected hosts. The group also deploys two well-known ransomware families: LockBit against Windows systems and Babuk against Linux (ESXi) hosts. Both encrypt the victims' data and demand a ransom for the decryption key.

Head Mare publicizes its attacks mainly on the social media platform X (formerly Twitter), where it names its victims and publishes material taken during the intrusions. For example, one of the posts from the Head Mare X account (screenshot not reproduced here):

To manage compromised systems, execute commands, and collect data, Head Mare combines its custom malware with publicly available software: the Sliver C2 framework for command and control, and the tunnelling tools ngrok and rsockstun, which let the operators pivot through compromised hosts to reach other machines on the target network. To evade detection, the group disguises its ransomware as legitimate software simply by renaming the binaries, for example to OneDrive.exe or VLC.exe, and placing them in common system directories such as C:\ProgramData.

Head Mare's infrastructure relies on rented VPS/VDS servers as command-and-control hubs. On infected hosts, the attackers create scheduled tasks with names such as MicrosoftUpdateCore and MicrosoftUpdateCoree, along with registry values named in a similar style, to blend in with genuine Microsoft system components. Head Mare's attacks have affected several industries, including government institutions, transportation, energy, manufacturing, and entertainment.
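The masquerading task names and renamed binaries mentioned above can be hunted for in exported Task Scheduler definitions. The following Python script is an added example, not the article's or the group's code: it parses the XML that `schtasks /query /xml` produces and flags two patterns, a Microsoft-themed task name whose action runs from outside the Windows or Program Files directories, and a well-known binary name (OneDrive.exe, VLC.exe) launched from C:\ProgramData. The two task definitions are constructed for the example; the trusted-directory list and the name heuristics are assumptions, not indicators taken from the article.

```python
"""Hunt for Head Mare-style persistence in exported Task Scheduler XML.

Added example (not from the original article or from the group's tooling).
Input is the XML produced by `schtasks /query /xml /tn <task>`; the task
definitions below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import List

# Task Scheduler XML namespace used by schtasks exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics (assumptions for this example, not indicators from the article):
# binaries under these prefixes are treated as legitimately installed software.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Well-known names that the article reports being reused for renamed ransomware.
MASQUERADE_NAMES = {"onedrive.exe", "vlc.exe"}
STAGING_DIR = "c:\\programdata\\"


def analyze_task(task_xml: str) -> List[str]:
    """Return human-readable findings for one exported task, empty if nothing looks off."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    task_name = uri.rsplit("\\", 1)[-1]  # "\MicrosoftUpdateCoree" -> "MicrosoftUpdateCoree"

    findings: List[str] = []
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        lowered = path.lower()
        exe = lowered.rsplit("\\", 1)[-1]

        # A "Microsoft..." task whose binary is not in a Microsoft install location.
        if task_name.lower().startswith("microsoft") and not lowered.startswith(TRUSTED_DIRS):
            findings.append(f"{task_name}: Microsoft-themed task runs {path} outside trusted directories")

        # A familiar product name launched from the staging directory the group favours.
        if exe in MASQUERADE_NAMES and lowered.startswith(STAGING_DIR):
            findings.append(f"{task_name}: {exe} launched from C:\\ProgramData (renamed-binary masquerade)")
    return findings


# Constructed sample: mimics the persistence described in the article.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\MicrosoftUpdateCoree</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\ProgramData\\OneDrive.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: a Microsoft-named task that runs from a trusted location.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\MicrosoftEdgeUpdateTaskMachineCore</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        result = analyze_task(xml_text)
        print(f"{label}: {result or 'no findings'}")
```

In practice the script would be fed the output of `schtasks /query /xml` for every task on a host; the benign sample shows why the path check matters, since plenty of legitimate tasks also carry Microsoft-themed names and only the binary location separates them from the group's lookalikes.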

Head Mare's tactics, techniques, and procedures stand out for combining custom malware with the exploitation of recent vulnerabilities such as CVE-2023-38831, which makes the group a distinct and evolving threat. These attacks are a reminder for organizations to strengthen their defences, in particular by patching WinRAR and monitoring for suspicious scheduled tasks and renamed binaries in C:\ProgramData.
