Head Mare [1] [2] [3] [4] [5] [6], a hacktivist group targeting organizations in Russia and Belarus since 2023 [2] [3] [4], is part of a larger trend of cyber organizations emerging in the context of the Russo-Ukrainian conflict [1].
Description
They focus on causing damage rather than financial gain and have used more up-to-date initial access techniques than other groups [1]. The group has targeted nine victims across various industries [1], posting details of stolen data on X [1]. Head Mare gains initial access by exploiting CVE-2023-38831 in WinRAR [1] [2] [3] [4] [5] [6], distributing its custom PhantomDL and PhantomCore samples through phishing campaigns that use double-extension files disguised as legitimate documents [1] [3] [5]. This custom malware is used to infiltrate devices and maintain persistent access to victim networks while executing malicious activity undetected [1] [5]. To evade detection, the group disguises its tools as legitimate software, uses obfuscation techniques, and leverages open-source frameworks such as Sliver [5]. Mimikatz and XenAllPasswordPro are used to gather system information and harvest credentials [3] [5]. The group then deploys LockBit and Babuk ransomware variants to encrypt files on the network and demands payment for decryption [1] [3] [5]. It has also leaked sensitive information from victims on X [3]. Head Mare's tactics and tools resemble those of other groups targeting organizations in the context of the conflict [3], but it stands out for its use of custom malware and new vulnerabilities [3].
The Kaspersky Threat Intelligence report states that Head Mare primarily targets victims in Russia and Belarus [5], and that similarities between its tools and the LockBit ransomware suggest potential connections or shared techniques [5]. By analyzing these similarities, cybersecurity researchers can develop strategies to mitigate Head Mare's attacks [5]. The group's goal is to cause maximum damage to Russian and Belarusian organizations, demanding ransoms in some cases [2]. Its attacks have impacted the government, transportation, energy, manufacturing, and entertainment sectors [2]. Vulnerability management is crucial in preventing breaches and unauthorized access by threat actors [4]. Organizations must strengthen their cybersecurity defenses and collaborate with cybersecurity firms like Kaspersky to enhance their overall security posture [4].
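The lures described above (double-extension file names and the CVE-2023-38831 archive layout, in which a decoy document and a same-named directory holding a script sit side by side) can be triaged before an archive reaches a user. The following is an added example, not code from any of the cited reports; the heuristics, extension lists and the constructed fixture archive are my own assumptions.

```python
import io
import posixpath
import zipfile

# Final extensions Windows will execute when the user double-clicks the "document"
EXEC_EXTS = {".cmd", ".bat", ".exe", ".scr", ".vbs", ".js", ".ps1", ".lnk"}
# Document-looking extensions used as the visible half of a double extension
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def suspicious_entries(data: bytes) -> list[str]:
    """Return findings for a ZIP archive given as bytes (heuristics are assumptions):
    double extension (document name + executable extension), whitespace padding in
    a name (space before the final extension or at the end), and a file whose name
    collides with a directory name, the layout abused in CVE-2023-38831."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    files = [n for n in names if not n.endswith("/")]
    dirs = set()
    for n in names:  # collect explicit and implicit directory names, space-trimmed
        parent = n.rstrip("/") if n.endswith("/") else posixpath.dirname(n)
        while parent:
            dirs.add(posixpath.basename(parent).rstrip())
            parent = posixpath.dirname(parent)
    findings = []
    for f in files:
        base = posixpath.basename(f)
        stem, ext = posixpath.splitext(base)
        inner_ext = posixpath.splitext(stem.rstrip())[1].lower()
        if ext.lower() in EXEC_EXTS and inner_ext in DOC_EXTS:
            findings.append(f"double extension: {f!r}")
        if base != base.rstrip() or stem != stem.rstrip():
            findings.append(f"whitespace padding in name: {f!r}")
        if base.rstrip() in dirs:
            findings.append(f"file name collides with directory: {f!r}")
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed, inert test fixture (not a real Head Mare sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:  # decoy document plus a same-named directory holding a script
            zf.writestr("Invoice.pdf ", b"%PDF-1.4 decoy")
            zf.writestr("Invoice.pdf /Invoice.pdf .cmd", b"echo constructed fixture")
        else:
            zf.writestr("report.pdf", b"%PDF-1.4 benign")
            zf.writestr("notes/readme.txt", b"benign")
    return buf.getvalue()
```

Running `suspicious_entries` over the malicious fixture yields four findings (one double extension, one directory collision, and whitespace padding on both entries), while the benign fixture yields none.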
Conclusion
Head Mare's attacks have had significant impacts on various industries in Russia and Belarus, highlighting the importance of vulnerability management and collaboration with cybersecurity experts in mitigating future attacks. By understanding the group's tactics and tools, organizations can better prepare for and defend against these threats.
References
[1] https://www.techradar.com/pro/hacktivists-target-russian-organizations-using-winrar-vulnerability
[2] https://blog.netmanageit.com/head-mare-adventures-of-a-unicorn-in-russia-and-belarus/
[3] https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
[4] https://www.krofeksecurity.com/hacktivists-exploiting-winrar-vulnerability-for-cyber-attacks-on-russia-and-belarus/
[5] https://gbhackers.com/head-mare-hacktivist-group-exploit-winrar-vulnerability/
[6] https://patabook.com/technology/2024/09/03/hacktivists-exploits-winrar-vulnerability-in-attacks-against-russia-and-belarus/