Source – Securelist
Head Mare is a hacktivist group that emerged in 2023 on the social network X (formerly Twitter), publicly revealing information about its victims, including stolen internal documents and screenshots. The group exclusively targets companies in Russia and Belarus, employing advanced phishing tactics and custom malware, such as PhantomDL and PhantomCore.
Key Findings:
- Targeted Regions: Focuses solely on organizations in Russia and Belarus.
- Phishing Campaigns: Uses phishing emails with RAR archives that exploit the CVE-2023-38831 vulnerability in WinRAR for initial access.
- Malware: Deploys custom malware (PhantomDL and PhantomCore) and ransomware (LockBit for Windows, Babuk for Linux/ESXi) to encrypt victims’ devices and demand ransoms.
- Victim Industries: Affected sectors include government, transportation, energy, manufacturing, and entertainment.
- Motivation: Likely aims to cause maximum damage in the context of the Russo-Ukrainian conflict, with financial extortion as a secondary goal.
Technical Details:
- Phishing Techniques: Uses social engineering to deliver payloads via disguised emails that seem to contain legitimate business documents.
- Malware Deployment: Upon execution, PhantomDL and PhantomCore connect to command-and-control (C2) servers to identify the infected domain and establish persistence.
- Persistence Tactics: Uses registry keys and scheduled tasks under names like “MicrosoftUpdateCore” to disguise malicious activities.
- Detection Evasion: Mimics legitimate software like OneDrive and VLC, using paths such as C:\ProgramData\OneDrive.exe to avoid detection.
Infrastructure and Tools:
- C2 Framework: Utilizes the Sliver open-source C2 framework to manage compromised systems and execute commands.
- Disguised Tools: Uses common software names (e.g., SrvLog.exe, srvhosts.exe) and disguises malware samples to look like legitimate applications.
- Network Tunneling: Employs tools like ngrok and rsockstun to create secure tunnels for moving laterally within networks.
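A defender-side hunt over the indicators this summary names (the MicrosoftUpdateCore task name, OneDrive.exe running from C:\ProgramData, and the SrvLog.exe / srvhosts.exe file names), written here as an added example rather than anything taken from the Securelist report; the event records are constructed, and the directories treated as legitimate OneDrive install locations are an assumption.

```python
# Hunt constructed Windows telemetry for the Head Mare indicators named above: the
# MicrosoftUpdateCore task, OneDrive.exe under C:\ProgramData, SrvLog.exe/srvhosts.exe.
import ntpath
import re

MASQUERADE_NAMES = {"srvlog.exe", "srvhosts.exe"}   # from the summary, lowercased
TASK_NAME_PATTERN = re.compile("microsoftupdatecore", re.IGNORECASE)

def _is_expected_onedrive_dir(directory):
    # Assumption: genuine OneDrive.exe lives under Program Files or a user's
    # AppData\Local\Microsoft\OneDrive; ProgramData is not a normal location.
    if directory.startswith(r"c:\program files\microsoft onedrive"):
        return True
    parts = directory.split("\\")
    return (parts[:2] == ["c:", "users"]
            and parts[3:7] == ["appdata", "local", "microsoft", "onedrive"])

def check_process(image_path):
    """Return a finding for a process-creation image path, or None if benign."""
    name = ntpath.basename(image_path).lower()
    directory = ntpath.dirname(image_path).lower()
    if name in MASQUERADE_NAMES:
        return f"masquerading tool name {name} at {image_path}"
    if name == "onedrive.exe" and not _is_expected_onedrive_dir(directory):
        return f"OneDrive.exe outside its expected install path: {image_path}"
    return None

def check_task(task_name):
    """Return a finding for a scheduled-task name, or None if it does not match."""
    if TASK_NAME_PATTERN.search(task_name):
        return f"suspicious scheduled task name: {task_name}"
    return None

def hunt(events):
    """Apply both checks to {'type': 'process'|'task', ...} records."""
    findings = []
    for ev in events:
        hit = check_process(ev["image"]) if ev["type"] == "process" else check_task(ev["name"])
        if hit:
            findings.append(hit)
    return findings

SAMPLE_EVENTS = [  # constructed: three benign records and three that should fire
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "image": r"C:\ProgramData\OneDrive.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\ProgramData\srvhosts.exe"},
    {"type": "task", "name": r"\Microsoft\Windows\MicrosoftUpdateCore"},
    {"type": "task", "name": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields three findings; in practice the records would come from process-creation and scheduled-task-creation telemetry rather than the inline list.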
End Goal:
- File Encryption: Deploys ransomware like LockBit and Babuk to encrypt files and demand ransoms.
- Data Exfiltration: Uses tools such as Mimikatz and XenAllPasswordPro to harvest credentials and sensitive information before encryption.