Head Mare emerged in 2023 as a hacktivist group targeting organizations in Russia and Belarus, conducting phishing campaigns that exploit CVE-2023-38831 in WinRAR and using ransomware like LockBit and Babuk to encrypt victims’ data. They also deploy custom malware PhantomDL and PhantomCore, publicly disclose victim information on social media, and rely on publicly available tools throughout their operations. Hashtags: #HeadMare #PhantomDL #PhantomCore #WinRAR #CVE-2023-38831 #LockBit #Babuk #ESXi #Russia #Belarus
Keypoints
- Head Mare exclusively targets companies in Russia and Belarus.
- Initial access is gained via phishing campaigns that exploit CVE-2023-38831 in WinRAR.
- Ransomware encryption is performed using LockBit (Windows) and Babuk (Linux/ESXi).
- The group uses custom malware PhantomDL and PhantomCore in phishing and exploitation campaigns.
- Public activity includes disclosing victim information on social media (X) and leveraging publicly available tools.
- Credential harvesting is performed with Mimikatz and XenAllPasswordPro, with attempts to disguise activities as legitimate processes.
- Sliver is used as the main C2 framework, with pivoting and tunneling utilities like ngrok and rsockstun to expand access.
MITRE Techniques
- [T1566.001] Phishing – Phishing campaigns distributing RAR archives that exploit CVE-2023-38831 to deliver malicious payloads. ‘Phishing campaigns distributing RAR archives that exploit the CVE-2023-38831 vulnerability in WinRAR.’
- [T1203] Exploitation for Client Execution – Malicious documents executed after opening decoy documents in phishing emails. ‘Malicious document execution via phishing emails.’
- [T1547.001] Run Keys/Startup Folder – Adding malicious samples to the Run registry key. ‘Adding a value to the Run registry key named MicrosoftUpdateCoree…’
- [T1053.005] Scheduled Task – Creating scheduled tasks to maintain persistence. ‘schtasks /create /tn "MicrosoftUpdateCore" … ONLOGON’
- [T1068] Privilege Escalation – Using Mimikatz for credential harvesting. ‘Using Mimikatz for credential harvesting.’
- [T1003] Credential Dumping – Utilizing XenAllPasswordPro to extract user credentials. ‘XenAllPasswordPro to extract user credentials.’
- [T1041] Exfiltration – Using command and control (C2) infrastructure for data exfiltration. ‘Using command and control (C2) infrastructure for data exfiltration.’
- [T1486] Data Encrypted for Impact – Data encryption using LockBit and Babuk ransomware. ‘Data encryption using LockBit and Babuk ransomware.’
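A defender-side check for the two persistence techniques listed above, added here as an example and not taken from the Securelist report: it scans constructed Sysmon-style registry and process events for a Run key value or an ONLOGON scheduled task named MicrosoftUpdateCore (prefix match, so the truncated MicrosoftUpdateCoree… variant quoted above is also caught) and for the sample file paths from the IoC section. The event dictionary layout, the /tr argument in the schtasks line and all sample records are assumptions made for the example.

```python
import re

# Constructed sample telemetry shaped like Sysmon registry (EID 13) and
# process-creation (EID 1) events. These are NOT real logs from the report.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicrosoftUpdateCore",
     "data": r"C:\Windows\system32\SrvLog.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "MicrosoftUpdateCore" '
                '/tr C:\\Users\\User\\AppData\\Local\\microsoft\\windows\\srvhosts.exe '
                '/sc ONLOGON'},                       # /tr value is assumed
    {"type": "process", "image": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": "updater.exe /check"},                 # benign control record
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# Names and paths come from the summary above; prefix/substring matching is
# deliberate so that trivially renamed variants still trigger.
SUSPICIOUS_NAMES = ("microsoftupdatecore",)
SUSPICIOUS_PATHS = (r"c:\windows\system32\srvlog.exe",
                    r"\microsoft\windows\srvhosts.exe")

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)
SCHTASKS_RE = re.compile(
    r"schtasks(\.exe)?\s+/create\b.*?/tn\s+\"?(?P<tn>[^\"\s]+)\"?.*?/sc\s+onlogon",
    re.I | re.S)

def check_event(ev):
    """Return (technique_id, reason) hits for one event; [] when nothing matches."""
    hits = []
    if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
        if ev["value"].lower().startswith(SUSPICIOUS_NAMES):
            hits.append(("T1547.001", f"Run value {ev['value']!r} matches known name"))
        if any(p in ev["data"].lower() for p in SUSPICIOUS_PATHS):
            hits.append(("T1547.001", f"Run value points at known path {ev['data']}"))
    elif ev["type"] == "process":
        m = SCHTASKS_RE.search(ev["cmdline"])
        if m and m.group("tn").lower().startswith(SUSPICIOUS_NAMES):
            hits.append(("T1053.005", f"ONLOGON task {m.group('tn')!r} created"))
    return hits

def scan(events):
    """Flatten hits across a batch as (event_index, technique_id, reason)."""
    return [(i, tid, why) for i, ev in enumerate(events) for tid, why in check_event(ev)]

if __name__ == "__main__":
    for idx, tid, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tid}: {why}")
```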
Indicators of Compromise
- [Hash] context – 201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8, 9F5B780C3BD739920716397547A8C0E152F51976229836E7442CF7F83ACFDC69, and 08DC76D561BA2F707DA534C455495A13B52F65427636C771D445DE9B10293470
- [IP] context – C2/command-and-control endpoints observed in Head Mare infrastructure (example): 188.127.237.46, 45.87.246.169, and 5 other IPs
- [URL] context – Example payload delivery and C2-related URLs: 188.127.237.46/winlog.exe, 188.127.237.46/servicedll.exe, and 8 more URLs
- [File Path] context – Example sample paths used by the malware: C:\Windows\system32\SrvLog.exe, c:\Users\User\AppData\Local\microsoft\windows\srvhosts.exe, and other listed paths
Read more: https://securelist.com/head-mare-hacktivists/113555/