Analysis Summary

There is evidence that the hacktivist group Head Mare is responsible for cyberattacks that solely target organizations in Belarus and Russia by using up-to-date tactics to gain initial access.

To better conceal and distribute the malicious payload, the group used, for example, the relatively recent WinRAR vulnerability CVE-2023-38831, which permits the attacker to run arbitrary code on the system through an archive that has been specially prepared. As a result of the Russo-Ukrainian conflict that erupted the previous year, Head Mare, a hacktivist group, has been targeting Russian organizations since 2023.

According to the researchers, targets of the group's attacks include governments and the transportation, energy, manufacturing, and environmental sectors. It also keeps an active presence on X, where it has leaked personal information and internal documents from victims. In contrast to other hacktivist groups, which most likely seek to cause the greatest amount of harm to businesses in the two nations, Head Mare also encrypts victims' devices using Babuk for Linux (ESXi) and LockBit for Windows and then demands a ransom to unlock the data.

PhantomDL and PhantomCore are two more tools in its arsenal. PhantomDL is a Go-based backdoor that may upload data of interest to a command-and-control (C2) server and deliver further payloads. PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a remote access trojan with comparable characteristics, allowing for downloading files from the C2 server, uploading files from a compromised host to the C2 server, as well as executing instructions in the cmd.exe command line interpreter.

To pass off their actions as Microsoft software-related operations, the attackers generate registry values and schedule tasks with the names MicrosoftUpdateCore and MicrosoftUpdateCoree. It was also discovered that the group had been using LockBit samples with the names OneDrive.exe and VLC.exe. These samples pretended to be genuine OneDrive and VLC apps and could be found in the C:\ProgramData directory. It has been discovered that both artifacts are disseminated through phishing campaigns in the guise of business documents with two extensions.

Sliver, an open-source C2 framework, and a plethora of freely accessible tools like rsockstun, ngrok, and Mimikatz that aid in credential harvesting, discovery, and lateral movement constitute an essential part of its offensive arsenal. Depending on the target environment, the incursions terminate with the deployment of either LockBit or Babuk, followed by the dumping of a ransom letter requesting cash in exchange for a decryptor to unlock the files.

In the framework of the Russo-Ukrainian war, the strategies, techniques, protocols, and equipment employed by the Head Mare group are largely comparable to those of other groups connected to clusters that target organizations in Belarus and Russia. However, the group sets itself apart by infiltrating its victims' infrastructure through phishing operations utilizing specially designed malware like PhantomDL and PhantomCore, as well as by taking advantage of a relatively recent vulnerability, CVE-2023-38831.

Impact

• Code Execution
• Unauthorized Access
• Exposure of Sensitive Data
• Information Theft
• File Encryption

Indicators of Compromise

IP

• 188.127.237.46
• 45.87.246.169
• 45.87.245.30
• 185.80.91.107
• 188.127.227.201
• 5.252.176.47
• 45.11.27.232
• 194.87.210.134
• 94.131.113.79

MD5

• 15333d5315202ea428de43655b598eda
• 2799415007628a4647071aeadfbf007a
• 2525b41e278337b320eb773dad7949fd
• 16f97ec7e116fe3272709927ab07844e
• 5d8d727a376b8bee36ee2aef918540bb
• 55239cc43ba49947bb1e1178fb0e9748
• b39b8c18a294240eb284787f07206b67
• 07db05ee98e9284a52f767b6410acdd7
• 0e763512095abc4616f81cf4631b9b2f
• 9a72cde58feed74a4ea301d6ddf41fd4
• 2e2da33b244a4bd17d5ddfb7f29b8b22
• e930b05efe23891d19bc354a4209be3e
• 76b23dd72a883d8b1302bb4a514b7967
• e74f35cc8b41c77a75ed5bfc867344c8
• c4c48380b7ab02852def87a8044cd91b

SHA-256

• 201f8dd57bce6fd70a0e1242b07a17f489c5f873278475af2eaf82a751c24fa8
• 9f5b780c3bd739920716397547a8c0e152f51976229836e7442cf7f83acfdc69
• 08dc76d561ba2f707da534c455495a13b52f65427636c771d445de9b10293470
• 5d924a9ab2774120c4d45a386272287997fd7e6708be47fb93a4cad271f32a03
• 9b005340e716c6812a12396bcd4624b8cfb06835f88479fa6cfde6861015c9e0
• 5a3c5c165d0070304fe2d2a5371f5f6fdd1b5c964ea4f9d41a672382991499c9
• dc3e4a549e3b95614dee580f73a63d75272d0fba8ca1ad6e93d99e44b9f95caa
• 2f9b3c29abd674ed8c3411268c35e96b4f5a30fabe1ae2e8765a82291db8f921
• 015a6855e016e07ee1525bfb6510050443ad5482039143f4986c0e2ab8638343
• 22898920df011f48f81e27546fece06a4d84bce9cde9f8099aa6a067513191f3
• b8447ef3f429dae0ac69c38c18e8bdbfd82170e396200579b6b0eff4c8b9a984
• 92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50
• 311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86
• 4c218953296131d0a8e67d70aeea8fa5ae04fd52f43f8f917145f2ee19f30271
• eda18761f3f6822c13cd7beae5af2ed77a9b4f1dc7a71df6ab715e7949b8c78b

SHA1

• b6212da07dc3a4f39a33bc0f0242c86a0f4433e6
• f462688070566965badecc6ed9f46d053c73fdf9
• 3ecfd1bafbbc59547ac298ade59527f5d58d7b68
• 9ab4d91d3db34431f451106ede4f0ed5b163ce94
• 99dca7d75790d3f30d8b6011eb5aec86efe80879
• 17f6119755f80fb0308bb9aaa77b6706e5649edc
• a9f353addbd75e252b5169ff1ba8e7ea25a31350
• 0d43f5e0524d00507595a36d3c192a96ef2c5fee
• 41125a07bfa80ec024951a0ee8455479894216e0
• b3ea7664a8487da68318a907362712cab172c19c
• b95a5cf8dfabc75b9ab1c15aa07ddf22bcb7dfeb
• d1f7832035c3e8a73cc78afd28cfd7f4cece6d20
• 338e19e8a3615c29d8a825ebba66cf55fa0caa2c
• 6efa4887c3245954135873cc19aee83ade011ab3
• f1e5ccf8f00b9eff15aaa55187e9813291bde19a

URL

• http://188.127.237.46/winlog.exe
• http://188.127.237.46/servicedll.exe
• http://194.87.210.134/gringo/splhost.exe
• http://194.87.210.134/gringo/srvhost.exe
• http://94.131.113.79/splhost.exe
• http://94.131.113.79/resolver.exe

Remediation

• Upgrade to the latest version of WinRAR, available from the WinRAR Website.
• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software on time and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement network segmentation to limit lateral movement for attackers within the network.
• Implement advanced email filtering to detect and block phishing emails.
• Employ updated and robust endpoint protection solutions to detect and block malware.
• Develop and test an incident response plan to ensure a swift and effective response to security incidents.
• Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
• Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
• Regularly back up critical data and ensure that backup and recovery procedures are in place.