Head Mare targets Russian and Belarusian organizations to influence political and economic stability amid the Russo-Ukrainian conflict, employing phishing and ransomware to destabilize key institutions. The group uses persistence and evasion techniques, including disguising malware and leveraging the Sliver framework for command-and-control.
Key points
- Head Mare targets Russian and Belarusian organizations to influence political and economic stability.
- Utilizes sophisticated phishing and ransomware attacks, exploiting vulnerabilities like CVE-2023-38831.
- Aligns cyber operations with the Russo-Ukrainian conflict to apply pressure on Russia and Belarus.
- Employs advanced techniques for persistence and evasion, including disguising malware.
- Uses the Sliver framework for managing compromised systems and maintaining command-and-control infrastructure.
- Tools like Mimikatz are used for credential theft to enhance control over networks.
MITRE Techniques
- [T1566] Phishing – Head Mare employs advanced phishing techniques to exploit vulnerabilities in widely used software.
- [T1486] Ransomware – Utilizes ransomware strains like LockBit and Babuk to disrupt targeted organizations.
- [T1003] Credential Dumping – Uses tools like Mimikatz to extract credentials from compromised systems.
- [T1071] Command and Control – Utilizes the Sliver framework for managing compromised systems and executing commands.
- [T1547] Persistence – Adds malware samples to the Windows Run registry key or creates scheduled tasks for operational longevity.
- [T1027] Obfuscated Files or Information – Disguises malware as legitimate software to evade detection.
Indicators of Compromise
- [SHA-256] File hashes – 201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8, 9F5B780C3BD739920716397547A8C0E152F51976229836E7442CF7F83ACFDC69, and 2 more hashes
- [IP] Indicators – 188.127.237.46, 45.87.246.169, and 5 more IPs
- [URL] URLs – http://188.127.237.46/winlog.exe, http://188.127.237.46/servicedll.exe, http://194.87.210.134/gringo/splhost.exe, http://194.87.210.134/gringo/srvhost.exe, http://94.131.113.79/splhost.exe, and 3 more URLs
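A defender-side triage of the T1547 persistence locations listed above against this page's indicators, as an added example (not code from the Cyble report): it parses `reg query` output for the Run key, accepts scheduled-task actions in the same (source, name, command) shape, and flags entries whose executable name or arguments match the listed filenames or hosts. The registry output and task actions below are constructed sample input.

```python
import ntpath
import re

# Indicators copied from the page's IoC section (filenames from the listed URLs);
# the triage logic around them is an added example, not Cyble's tooling.
IOC_IPS = {"188.127.237.46", "45.87.246.169", "194.87.210.134", "94.131.113.79"}
IOC_FILENAMES = {"winlog.exe", "servicedll.exe", "splhost.exe", "srvhost.exe"}
# One value line of `reg query <key>` output: name, REG_SZ/REG_EXPAND_SZ, data.
RUN_VALUE_RE = re.compile(r"^\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")

def parse_reg_query(text):
    """Turn `reg query ...\\Run` output into (key, value_name, command) tuples."""
    entries, current_key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group(1), m.group(2)))
    return entries

def executable_name(command):
    """Lower-cased basename of the program a Run value or task action launches."""
    command = command.strip()
    quoted = command.startswith('"')  # a quoted path may contain spaces
    program = command[1:].split('"', 1)[0] if quoted else (command.split() or [""])[0]
    return ntpath.basename(program).lower()

def triage(entries):
    """Flag persistence entries whose program or arguments match the page's IoCs."""
    hits = []
    for source, name, command in entries:
        exe = executable_name(command)
        if exe in IOC_FILENAMES:
            hits.append((source, name, f"launches known Head Mare filename {exe}"))
        for ip in sorted(IOC_IPS):
            if ip in command:
                hits.append((source, name, f"references listed host {ip}"))
    return hits

# Constructed sample: a benign Run value, one hitting an IoC filename, two task actions.
SAMPLE_REG = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    WinLog      REG_SZ    C:\\Users\\u\\AppData\\Roaming\\winlog.exe
"""
SAMPLE_TASKS = [
    ("schtasks", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe -c -h"),
    ("schtasks", "\\Updater", "C:\\Windows\\Temp\\srvhost.exe -s 194.87.210.134"),
]
```

Run `triage(parse_reg_query(SAMPLE_REG) + SAMPLE_TASKS)` to get the flagged entries; on a live host, feed it the output of `reg query` for the HKCU and HKLM Run keys plus the actions from `schtasks /query /v`.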
Read more: https://cyble.com/blog/the-rise-of-head-mare-a-geopolitical-and-cybersecurity-analysis/