Hacktivist Havoc: Head Mare’s High-Tech Takedown of Russian and Belarusian Targets
Head Mare, a hacktivist group, has been targeting organizations in Russia and Belarus. The group exploits CVE-2023-38831, a WinRAR vulnerability, to deliver malware, then encrypts victims' systems with LockBit (Windows) or Babuk (Linux/ESXi) and demands a ransom. The attacks are part of the ongoing Russo-Ukrainian conflict.

Hot Take:
In the world of hacktivism, Head Mare is galloping ahead of the pack, leaving a trail of encrypted files and ransomed data in its wake. Who knew horseplay could be so high-tech?
Key Points:
- Head Mare targets Russian and Belarusian organizations using a known WinRAR vulnerability and custom malware.
- The group exploits CVE-2023-38831 in WinRAR to execute code and deliver malicious payloads.
- They use LockBit for Windows and Babuk for Linux to encrypt victims’ devices and demand ransoms.
- PhantomDL and PhantomCore are their primary backdoors for further payload delivery and data exfiltration.
- Phishing campaigns with business document disguises are their go-to method for initial access.
Galloping Into the Spotlight
Head Mare, the hacktivist group that's making Russian and Belarusian organizations gallop in fear, has been making headlines for its sophisticated cyber attacks. According to Kaspersky, Head Mare has been exploiting CVE-2023-38831 in WinRAR: a specially crafted archive pairs a harmless-looking document with a hidden script, and vulnerable WinRAR versions (before 6.23) launch the script when the victim double-clicks the document. Because, why not turn your favorite archive manager into a weapon of digital destruction? This lets the group deliver and disguise its malicious payloads inside an archive the victim opened willingly, making them the equestrian ninjas of the cyber world.
Ransomware Rodeo
Unlike other hacktivist groups that just want to watch the world burn, Head Mare has a more entrepreneurial spirit. They not only aim to inflict maximum damage but also encrypt victims’ devices using LockBit for Windows and Babuk for Linux (ESXi). And yes, they demand a ransom for data decryption. Talk about turning a hobby into a side hustle!
Backdoor Bronco
The group’s toolkit includes PhantomDL and PhantomCore, two backdoors that sound like they belong in a sci-fi movie. PhantomDL is a Go-based backdoor capable of delivering additional payloads and uploading files to a command-and-control (C2) server. PhantomCore, its predecessor, is a remote access trojan that allows for downloading files from the C2 server, uploading files from a compromised host, and executing commands in the cmd.exe command line interpreter. Basically, it’s the Swiss Army knife of cyber intrusions.
Phishing for Phools
Head Mare's initial access methods are as deceptive as a magician's sleight of hand. They distribute their malicious payloads via phishing campaigns, disguising executables as business documents with double extensions like решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe, so a file that reads as a PDF in the inbox is actually a Windows executable. If you thought your inbox was safe, think again.
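The two delivery tricks above, the CVE-2023-38831 archive layout and the double-extension lure, both leave a static footprint that a mail gateway or sandbox can check before anything is opened. The following script is an added example, not code from the original article or from Kaspersky's report: it builds a harmless archive in memory with the CVE-2023-38831 shape (a decoy `Receipt.pdf` beside a directory `Receipt.pdf ` whose member `Receipt.pdf .cmd` carries a trailing-space name, the layout the public write-ups describe) and flags it, and it flags double-extension names such as the ones quoted above. The archive name, contents and the extension lists are assumptions chosen for the demonstration.

```python
"""Static checks for two Head Mare delivery tricks (added example, not from
the original article or Kaspersky's report).

1. CVE-2023-38831 archive layout: a file "X.ext" next to a directory "X.ext "
   (trailing space) containing "X.ext .cmd" or another script/executable.
   WinRAR before 6.23 ran the script when the victim double-clicked "X.ext".
2. Double-extension lures such as "report.pdf.exe".

All archive contents below are constructed in memory; no real payload.
"""
import io
import posixpath
import zipfile

# Assumed extension lists; tune for your environment.
EXEC_EXTS = {".exe", ".cmd", ".bat", ".com", ".scr", ".pif", ".js",
             ".vbs", ".ps1", ".lnk", ".hta"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf",
            ".jpg", ".png"}


def split_ext(name):
    """Return (stem, lowercase extension) of a path's basename; '' if none."""
    base = posixpath.basename(name)
    dot = base.rfind(".")
    if dot <= 0:
        return base, ""
    return base[:dot], base[dot:].lower()


def is_double_extension_lure(name):
    """True for names like 'тз на разработку.pdf.exe': an executable
    extension immediately preceded by a document extension."""
    stem, ext = split_ext(name)
    if ext not in EXEC_EXTS:
        return False
    _, inner = split_ext(stem)
    return inner in DOC_EXTS


def find_cve_2023_38831_pattern(names):
    """Return (decoy, payload) pairs matching the CVE-2023-38831 layout.

    `names` is a zipfile-style entry list ('/' separated, directories end
    with '/'). Nested paths are handled: the parent directory of the payload
    must equal an existing file entry plus trailing space(s).
    """
    files = {n for n in names if not n.endswith("/")}
    hits = []
    for n in files:
        if "/" not in n:
            continue
        parent, base = n.rsplit("/", 1)
        decoy = parent.rstrip(" ")
        # Directory name must be a real file's name with trailing space(s).
        if decoy == parent or decoy not in files:
            continue
        decoy_base = posixpath.basename(decoy)
        _, ext = split_ext(base)
        # Payload inside must reuse the decoy name + space and be executable.
        if base.startswith(decoy_base + " ") and ext in EXEC_EXTS:
            hits.append((decoy, n))
    return hits


def build_sample_archive():
    """Construct an in-memory ZIP with the CVE-2023-38831 shape (constructed
    sample; the 'payload' only echoes a string)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Receipt.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Receipt.pdf /Receipt.pdf .cmd",
                    b"@echo off\r\necho constructed sample\r\n")
    return buf.getvalue()


def scan_archive(data):
    """Run both checks over a ZIP's entry list and return the findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {
        "cve_2023_38831": find_cve_2023_38831_pattern(names),
        "double_extension": [n for n in names if is_double_extension_lure(n)],
    }


if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
    for lure in ("решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe",
                 "тз на разработку.pdf.exe", "quarterly-report.pdf"):
        print(lure, "->", is_double_extension_lure(lure))
```

The layout check works on entry names alone, so it applies equally to RAR listings obtained from any archive library; only the in-memory sample uses ZIP because the standard library can write it without a WinRAR dependency. Normalising the trailing space away before comparison is what a naive filename filter would do, and is exactly why the original WinRAR bug slipped through.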
Tool Time
The group also employs a variety of publicly available tools: rsockstun and ngrok for tunneling and pivoting into the victim network, and Mimikatz for credential harvesting, which together support discovery and lateral movement. They culminate their intrusions with the deployment of either LockBit or Babuk, followed by a ransom note demanding payment for a decryptor to unlock the files. It's like a twisted game of digital Monopoly, where instead of passing "Go" and collecting $200, you get a ransom note and an encrypted hard drive.