Analysis has revealed that hacking group ‘Head Mare’ exclusively targets companies in Russia and Belarus. The group is part of a trend of cyber organizations which have emerged in the context of the Russian war in Ukraine, and who seem to be focused on inflicting the most damage, rather than financial incentives.
Head Mare are reported to be using the most up to date initial access techniques when compared to other groups. The organization is said to have carried out attacks on nine victims across various industries, such as government agencies, energy, transportation, manufacturing, and entertainment.
The group used X (formerly Twitter) to post the details of the data stolen from its victims – along with organization names, administrative codes, and screenshots of desktops. Ostensibly, the intention of the group was to cause maximum damage, but it did also demand a ransom for data encryption.
To gain initial access, investigators found that Head Mare used malicious PhantomDL and PhantomCore samples. A phishing campaign was sent out which, when opened by the user, also opened the disguised document, triggering the execution of the malicious file. The group exploits the well known CVE-2023-38831 vulnerability in WinRAR, used to hide malware in archived files.
The custom made malware PhantomCore and PhantomDL is used to infiltrate the device of the target. The hackers encrypt the devices with Lockbit or Babuk, and deliver a ransom for the data encryption.
This campaign is one among many, as the digital sphere has served as the arena for a large portion of Russia’s war in Ukraine, with Ukrainian allies hit with cyber attacks from Russian backed threat actors, as well as targets in Ukraine itself.
Via SecureList