A hacktivist group known as Head Mare has been identified as a central player in a series of cyberattacks targeting organizations in Russia and Belarus. The group, which has been active since 2023, has gained notoriety for its use of advanced techniques and a targeted approach to hacking, distinguishing itself from other cybercriminal groups. These attacks are largely seen within the broader context of the Russo-Ukrainian conflict, which began in 2022 and has prompted various hacktivist groups to target organizations in these two nations.
One of the key vulnerabilities that Head Mare exploits in its attacks is a flaw in the popular file compression software WinRAR, specifically the CVE-2023-38831 vulnerability. This vulnerability allows attackers to execute arbitrary code on a victim’s system by using a specially crafted archive. This tactic has proven effective, as it allows the group to deliver its malicious payload while disguising its presence, making it difficult for targets to detect and defend against the attacks.
According to Kaspersky, a Russian cybersecurity firm, the methods and tools used by Head Mare are more advanced than those typically employed by similar groups. Kaspersky’s analysis reveals that the group uses a variety of techniques to obtain initial access to target systems, and their methods include the exploitation of relatively new vulnerabilities like the one found in WinRAR.
Advanced Tactics and Tools of Head Mare
The WinRAR vulnerability is just one of several tools in Head Mare’s arsenal. The group also employs a variety of other sophisticated techniques and malicious software to further its aims. One of its key strategies is to deliver ransomware payloads through phishing campaigns. These campaigns typically involve sending emails that contain malicious attachments, often disguised as business documents. For instance, file names such as “решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe” or “тз на разработку.pdf.exe” are designed to trick users into opening what appears to be legitimate files, only to unleash malicious code once executed.
In addition to these tactics, Head Mare uses ransomware strains such as LockBit for Windows systems and Babuk for Linux and ESXi systems to encrypt victims’ files. These ransomware programs render the victim’s files inaccessible, and the group then demands a ransom in exchange for a decryption key. Unlike other hacktivist groups, which may seek to cause maximum disruption or destruction, Head Mare is motivated by financial gain, as evidenced by their ransom demands.
The group has also been observed using PhantomDL, a Go-based backdoor that allows them to deliver additional payloads and upload files of interest to their command-and-control (C2) server. This backdoor serves as a key component of the group’s operations, enabling them to maintain persistent access to compromised systems and to continue their malicious activities over an extended period.
Another tool in the group’s kit is PhantomCore (also known as PhantomRAT), which functions as a remote access trojan (RAT). Like PhantomDL, PhantomCore enables the group to download files from the C2 server and upload files from the victim’s system to the server. In addition, it can execute commands using the cmd.exe command-line interpreter, giving the group broad control over the victim’s machine.
Disguising Malicious Activity
To avoid detection, Head Mare has implemented several clever techniques to disguise its malicious activity. The group creates scheduled tasks and registry values that are named to resemble legitimate system processes. For example, they use names like “MicrosoftUpdateCore” and “MicrosoftUpdateCoree,” which mimic Microsoft’s software update processes, to conceal their presence on the victim’s system.
Further disguising their ransomware attacks, Head Mare has been found to rename LockBit samples as legitimate-looking files such as “OneDrive.exe” or “VLC.exe.” These files are placed in the C:\ProgramData directory, where they blend in with legitimate software files. By masquerading as trusted programs like OneDrive and VLC, the ransomware can evade detection by many security systems, allowing the attack to proceed without interruption.
The group’s phishing campaigns have also been highly effective. By using business-related documents with double extensions (such as “.pdf.exe”), the group increases the likelihood that a user will open the file, inadvertently launching the malicious code embedded within. This method of obfuscating file extensions plays on users’ familiarity with common file types like PDFs, making them more likely to open these malicious files.
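The three naming tricks described above (double extensions on attachments, LockBit renamed to a trusted program name and dropped in C:\ProgramData, and MicrosoftUpdateCore-style task names) all leave patterns a defender can match on. The following Python triage script is an added example, not code from the article or from Kaspersky's report; the event dictionary format, the extension lists and the sample telemetry are assumptions constructed for illustration, while the lure and task names are the ones quoted in the text.

```python
import re
from pathlib import PureWindowsPath

# Document suffixes a lure borrows, and executable suffixes that actually run on double-click.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd"}
# Program names the report says LockBit samples were renamed to, and the drop directory.
# Genuine OneDrive and VLC binaries do not run from the root of C:\ProgramData.
MASQUERADE_NAMES = {"onedrive.exe", "vlc.exe"}
DROP_DIR = PureWindowsPath(r"C:\ProgramData")
# Task / registry value names imitating Microsoft update components ("MicrosoftUpdateCoree").
LOOKALIKE_NAME = re.compile(r"^microsoftupdatecore\w*$", re.IGNORECASE)


def is_double_extension(filename):
    """True for names like 'report.pdf.exe': a document suffix followed by an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS


def is_masquerading_binary(path):
    """True when a well-known program name executes straight out of C:\\ProgramData."""
    p = PureWindowsPath(path)
    return p.name.lower() in MASQUERADE_NAMES and p.parent == DROP_DIR


def is_lookalike_task(name):
    """True for scheduled-task or registry names matching the MicrosoftUpdateCore pattern."""
    return LOOKALIKE_NAME.match(name) is not None


def triage(events):
    """Return (event, reason) pairs for each event that trips one of the three heuristics."""
    hits = []
    for ev in events:
        if ev["kind"] == "attachment" and is_double_extension(ev["name"]):
            hits.append((ev, "double-extension attachment"))
        elif ev["kind"] == "process" and is_masquerading_binary(ev["path"]):
            hits.append((ev, "known program name running from ProgramData"))
        elif ev["kind"] == "task" and is_lookalike_task(ev["name"]):
            hits.append((ev, "lookalike scheduled task name"))
    return hits


# Constructed sample telemetry; lure and task names are the ones quoted in the report.
SAMPLE_EVENTS = [
    {"kind": "attachment", "name": "тз на разработку.pdf.exe"},
    {"kind": "attachment", "name": "quarterly_report.pdf"},
    {"kind": "process", "path": r"C:\ProgramData\OneDrive.exe"},
    {"kind": "process", "path": r"C:\Program Files\VideoLAN\VLC\vlc.exe"},
    {"kind": "task", "name": "MicrosoftUpdateCoree"},
    {"kind": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
]
```

These are heuristics rather than signatures: legitimate installers do write under C:\ProgramData and some vendors ship double-suffixed names, so treat a hit as a lead for analyst review and tune the lists to the environment.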
Use of Open-Source and Publicly Available Tools
Another key aspect of Head Mare’s operations is its use of open-source and publicly available tools to facilitate its attacks. One of the primary tools they use is Sliver, an open-source C2 framework that allows the group to control compromised systems and execute various tasks such as lateral movement and data exfiltration.
In addition to Sliver, the group uses a collection of other publicly available tools such as rsockstun, ngrok, and Mimikatz. These tools are essential for activities such as network discovery, credential harvesting, and lateral movement within the victim’s network. Mimikatz, in particular, is widely known for its ability to extract password hashes and other sensitive information from compromised systems, making it a valuable tool for attackers seeking to escalate their privileges within a network.
Targeting a Wide Range of Industries
The targets of Head Mare’s attacks span several key sectors in Russia and Belarus, including government institutions, transportation, energy, manufacturing, and environmental organizations. The group’s attacks are part of a larger pattern of cyber activity linked to the ongoing conflict between Russia and Ukraine, with various hacktivist groups aiming to disrupt operations, steal sensitive information, or extort victims for financial gain.
In addition to attacking these sectors, Head Mare maintains a presence on X (formerly known as Twitter), where it has leaked sensitive information and internal documents stolen from its victims. These leaks serve both as a means of applying pressure on victims to pay ransoms and as a way to publicize the group’s actions, further amplifying their impact.
Conclusion
In summary, Head Mare represents a significant threat to organizations in Russia and Belarus. The group’s sophisticated tactics, including the exploitation of the WinRAR vulnerability, its use of advanced malware such as LockBit, and its deployment of publicly available tools like Sliver, make it a formidable adversary. As the conflict between Russia and Ukraine continues, it is likely that hacktivist groups like Head Mare will remain active, seeking to exploit vulnerabilities and further their agendas through a combination of financial extortion and cyber sabotage.