Head Mare Hacktivist Group Exploit WinRAR Vulnerability To Encrypt Windows And Linux

Head Mare, a Russian-focused hacktivist group, gained notoriety in 2023 by targeting organizations in Russia and Belarus as they employ phishing tactics to distribute WinRAR archives exploiting the CVE-2023-38831 vulnerability, gaining initial access to victims’ systems. 

Once inside, they steal sensitive data and encrypt devices using LockBit and Babuk ransomware, whose toolset and tactics align with those of other groups attacking Russian entities, suggesting potential connections or shared resources.

The Head Mare hacktivist group, targeting Russian and Belarusian organizations, uses sophisticated techniques for initial access and persistence by leveraging the CVE-2023-38831 vulnerability in WinRAR to distribute malicious PhantomDL and PhantomCore payloads. 

These malware samples establish communication with attackers’ command and control servers, identify the infected domain, and persist in the system using registry keys and scheduled tasks.

The group’s ultimate goal is to cause maximum damage to Russian and Belarusian companies while also demanding a ransom for data decryption.

The attackers employed various tactics to evade detection, including disguising their tools as legitimate software, using obfuscation techniques, and leveraging open-source frameworks like Sliver by using tools such as rsockstun and ngrok to pivot through compromised systems and gain access to private network segments. 

Additionally, they employed phishing campaigns with double-extension files to lure victims into executing malicious payloads, which allowed the attackers to maintain persistent access to victim networks and execute their malicious activities undetected.

They initially compromised a network node and used various techniques to gather system information and credentials by employing the Mimikatz tool and XenAllPasswordPro to harvest credentials from the compromised system. 

Subsequently, the attackers deployed two ransomware variants, LockBit and Babuk, to encrypt files on the network, where LockBit, distributed under various names, sequentially encrypted files using LockbitLite and LockbitHard. 

While Babuk, designed for ESXi, leveraged standard encryption algorithms and destroyed running virtual machines, where both ransomware variants left ransom notes demanding payment for decryption.

The Kaspersky Threat Intelligence report reveals that the Head Mare malware group primarily targets victims in Russia and Belarus.

The PhantomDL and PhantomCore samples, key components of their toolkit, have been analyzed and compared to similar malware. 

The report also identifies similarities between Head Mare’s tools and the LockBit ransomware, suggesting potential connections or shared techniques. 

By analyzing these similarities, cybersecurity researchers can gain valuable insights into Head Mare’s operations and develop strategies to mitigate their attacks.

The Head Mare group, a threat actor associated with clusters targeting Russian and Belarusian organizations, employs tactics, methods, procedures, and tools similar to other groups within the same context. 

While they distinguish themselves by using custom-made malware, such as PhantomDL and PhantomCore, and exploiting a newly discovered vulnerability, CVE-2023-38831, in phishing campaigns to infiltrate victim infrastructure. 

Head Mare: adventures of a unicorn in Russia and Belarus

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download