
Summary:
Cyble Research and Intelligence Labs (CRIL) has uncovered a campaign by the hacktivist group Head Mare targeting Russian organizations using the PhantomCore backdoor. This campaign employs social engineering tactics and a ZIP archive containing a malicious LNK file and an executable disguised as an archive. PhantomCore, now compiled in C++, collects victim information and can deploy ransomware payloads. Organizations are urged to enhance their security measures against such threats.
#HeadMare #PhantomCore #CyberThreats
Keypoints:
- CRIL identified a campaign by the Head Mare group targeting Russian organizations.
- The campaign uses a ZIP archive containing a malicious LNK file and an executable disguised as an archive.
- PhantomCore is a backdoor used by Head Mare, active since 2023.
- The latest campaign employs C++-compiled PhantomCore binaries instead of the Go-compiled ones seen earlier.
- PhantomCore collects victim information, including public IP addresses, before executing further commands.
- Head Mare has a history of deploying ransomware like LockBit and Babuk.
- The group exploits vulnerabilities, such as CVE-2023-38831 in WinRAR, for initial access.
- Targets include various industries in Russia and Belarus, with a focus on causing damage rather than financial gain.
- Recommendations include avoiding suspicious email attachments and ensuring software is up to date.
MITRE Techniques:
- Phishing (T1566): The ZIP archive is most likely delivered to target users as a phishing email attachment.
- Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell is used to extract the archive file.
- Command and Scripting Interpreter: Windows Command Shell (T1059.003): cmd.exe is used to execute operator commands received over a pipe, for example the start command.
- Native API (T1106): Calls SetConsoleCP, SetConsoleOutputCP and other Win32 APIs to configure the console code page and locale.
- System Information Discovery (T1082): Collects victim details, including OS version, computer name, username, and domain details.
- Application Layer Protocol: Web Protocols (T1071.001): Communicates with the C&C server over HTTP using the “Boost.Beast” library.
IoC:
- [SHA-256] 6ac2d57d066ef791b906c3b4c6b5e5c54081d6657af459115eb6abb1a9d1085d
- [SHA-256] 0f578e437f5c09fb81059f4b5e6ee0b93cfc0cdf8b31a29abc8396b6137d10c3
- [SHA-256] dd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f
- [SHA-256] 57848d222cfbf05309d7684123128f9a2bffd173f48aa3217590f79612f4c773
- [SHA-256] 4b62da75898d1f685b675e7cbaec24472eb7162474d2fd66f3678fb86322ef0a
- [SHA-256] 44b1f97e1bbdd56afeb1efd477aa4e0ecaa79645032e44c7783f997f377d749f
- [SHA-256] 2dccb526de9a17a07e39bdedc54fbd66288277f05fb45c7cba56f88df00e86a7
- [SHA-256] 1a2d1654d8ff10f200c47015d96d2fcb1d4d40ee027beb55bb46199c11b810cc
- [SHA-256] 8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70
- [SHA-256] 9df6afb2afbd903289f3b4794be4768214c223a3024a90f954ae6d2bb093bea3
- [URL] hxxps://city-tuning[.]ru/collection/srvhost.exe
- [URL] hxxps://filetransfer[.]io/data-package/AiveGg6u/download
- [URL] hxxp://45.10.247[.]152/init
- [URL] hxxp://45.10.247[.]152/check
- [URL] hxxp://45.10.247[.]152/connect
- [URL] hxxp://45.10.247[.]152/command
- [URL] hxxp://185.80.91[.]84/command
- [URL] hxxp://185.80.91[.]84/connect
- [URL] hxxp://185.80.91[.]84/check
- [URL] hxxp://185.80.91[.]84/init
- [URL] hxxp://45.87.245[.]53/init
- [URL] hxxp://45.87.245[.]53/check
- [URL] hxxp://45.87.245[.]53/connect
- [URL] hxxp://45.87.245[.]53/command
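The indicators above are most useful once they are turned into something that runs over logs. The following Python script is an added example, not code from the Cyble report or from the malware: it refangs the IoC list, matches proxy or web-access log lines against the payload URLs and the PhantomCore C&C endpoints, flags sources that touch two or more of the four endpoint names (/init, /check, /connect, /command) on the same host, and checks file hashes against the SHA-256 list. The log format, the sample log lines (including the 203.0.113.8 host, which is a documentation address, not a reported indicator) and the "bare IPv4 plus endpoint name" heuristic are assumptions made for this example and go beyond the specific IPs in the report; treat the heuristic as a triage lead, not a confirmed hit.

```python
"""Match proxy/web-access logs and file hashes against the Head Mare / PhantomCore IoCs."""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators copied from the IoC list in the report, kept defanged in source.
C2_URLS_DEFANGED = [
    "hxxp://45.10.247[.]152/init", "hxxp://45.10.247[.]152/check",
    "hxxp://45.10.247[.]152/connect", "hxxp://45.10.247[.]152/command",
    "hxxp://185.80.91[.]84/command", "hxxp://185.80.91[.]84/connect",
    "hxxp://185.80.91[.]84/check", "hxxp://185.80.91[.]84/init",
    "hxxp://45.87.245[.]53/init", "hxxp://45.87.245[.]53/check",
    "hxxp://45.87.245[.]53/connect", "hxxp://45.87.245[.]53/command",
]
PAYLOAD_URLS_DEFANGED = [
    "hxxps://city-tuning[.]ru/collection/srvhost.exe",
    "hxxps://filetransfer[.]io/data-package/AiveGg6u/download",
]
KNOWN_SHA256 = {
    "6ac2d57d066ef791b906c3b4c6b5e5c54081d6657af459115eb6abb1a9d1085d",
    "0f578e437f5c09fb81059f4b5e6ee0b93cfc0cdf8b31a29abc8396b6137d10c3",
    "dd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f",
    "57848d222cfbf05309d7684123128f9a2bffd173f48aa3217590f79612f4c773",
    "4b62da75898d1f685b675e7cbaec24472eb7162474d2fd66f3678fb86322ef0a",
    "44b1f97e1bbdd56afeb1efd477aa4e0ecaa79645032e44c7783f997f377d749f",
    "2dccb526de9a17a07e39bdedc54fbd66288277f05fb45c7cba56f88df00e86a7",
    "1a2d1654d8ff10f200c47015d96d2fcb1d4d40ee027beb55bb46199c11b810cc",
    "8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70",
    "9df6afb2afbd903289f3b4794be4768214c223a3024a90f954ae6d2bb093bea3",
}
# The four C&C endpoint names PhantomCore uses, as listed in the report.
PHANTOMCORE_PATHS = {"/init", "/check", "/connect", "/command"}


def refang(ioc: str) -> str:
    """Turn hxxp://1.2.3[.]4/x into http://1.2.3.4/x so it can be compared to live logs."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


C2_URLS = {refang(u) for u in C2_URLS_DEFANGED}
PAYLOAD_URLS = {refang(u) for u in PAYLOAD_URLS_DEFANGED}
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# Assumed log format for this example: "<timestamp> <src_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def classify_url(url: str):
    """Return a verdict for a requested URL, or None when nothing matched."""
    if url in PAYLOAD_URLS:
        return "payload-download"
    p = urlparse(url)
    if url in C2_URLS or (p.hostname in C2_HOSTS and p.path in PHANTOMCORE_PATHS):
        return "phantomcore-c2"
    # Assumed heuristic (not from the report): plain HTTP to a bare IPv4 address on one of
    # the PhantomCore endpoint names. Worth a look, but not a confirmed indicator match.
    if p.scheme == "http" and p.path in PHANTOMCORE_PATHS and p.hostname and IPV4_RE.fullmatch(p.hostname):
        return "phantomcore-pattern"
    return None


def scan_log(lines):
    """Return (src_ip, url, verdict) for every line that matches; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict:
            hits.append((m["src"], m["url"], verdict))
    return hits


def beacon_sequences(lines, min_paths=2):
    """Find (src_ip, host) pairs that hit at least min_paths distinct PhantomCore endpoint names.

    A single /init request can be coincidence; one source walking /init, /check, /connect
    and /command on the same host looks like the backdoor's check-in sequence.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        p = urlparse(m["url"])
        if p.hostname and p.path in PHANTOMCORE_PATHS:
            seen[(m["src"], p.hostname)].add(p.path)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_paths}


def sha256_is_known(data: bytes) -> bool:
    """True when the SHA-256 of data appears in the report's hash list."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


# Constructed sample log for this example; 203.0.113.8 is a documentation address, not an IoC.
SAMPLE_LOG = [
    "2024-09-10T08:01:12Z 10.0.0.5 GET https://city-tuning.ru/collection/srvhost.exe 200",
    "2024-09-10T08:01:40Z 10.0.0.5 POST http://45.10.247.152/init 200",
    "2024-09-10T08:02:10Z 10.0.0.5 GET http://45.10.247.152/check 200",
    "2024-09-10T08:02:15Z 10.0.0.7 GET https://example.com/index.html 200",
    "2024-09-10T08:03:00Z 10.0.0.9 POST http://203.0.113.8/command 200",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for src, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:22} {src:12} {url}")
    print("beacon sequences:", beacon_sequences(SAMPLE_LOG))
```

Run it against real proxy logs by replacing SAMPLE_LOG with the lines from your gateway after adjusting LOG_RE to that format. Exact matches on C2_URLS and PAYLOAD_URLS are high confidence; the "phantomcore-pattern" verdict only narrows what an analyst should look at, since plain HTTP to a bare IP on a path like /check is not unique to this backdoor.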
Full Research: https://cyble.com/blog/head-mare-deploys-phantomcore-against-russia/