
    Hacktivists Exploit WinRAR Vulnerability in Attacks Against Russia and Belarus

    A hacktivist group named Head Mare has been connected to a series of cyber attacks specifically targeting organizations within Russia and Belarus.

    “Head Mare employs more current methods to gain initial access,” Kaspersky noted in a Monday analysis of the group’s tactics and tools.

    One example is their use of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which enables attackers to execute arbitrary code on a system through a specially crafted archive. This tactic allows the group to deliver and conceal their malicious payload more effectively.

    Active since 2023, Head Mare is among the hacktivist groups targeting Russian organizations in the context of the ongoing Russo-Ukrainian conflict that began the previous year.

    The group also maintains a presence on X, where it has leaked sensitive information and internal documents from its victims. The targets of these attacks span various sectors, including government, transportation, energy, manufacturing, and the environment.

    Head Mare sets itself apart from the other hacktivist groups seeking to cause maximum damage to companies in these two countries by also encrypting victims’ devices, using LockBit for Windows and Babuk for Linux (ESXi), and demanding a ransom for data decryption.

    Their toolkit also includes PhantomDL and PhantomCore. PhantomDL is a Go-based backdoor capable of delivering additional payloads and uploading files of interest to a command-and-control (C2) server.

    PhantomCore (also known as PhantomRAT), the precursor to PhantomDL, is a remote access trojan with similar features, allowing the downloading of files from the C2 server, uploading files from a compromised host to the C2 server, and executing commands in the cmd.exe command line interpreter.

    “The attackers create scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activities as legitimate Microsoft software tasks,” Kaspersky reported.

    Kaspersky also discovered that some LockBit samples used by the group were named OneDrive.exe and VLC.exe. These samples were located in the C:\ProgramData directory, masquerading as legitimate OneDrive and VLC applications.

    Both of these artifacts were found to be distributed through phishing campaigns, often appearing as business documents with double extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).
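    A defender-side triage check built from the artifacts Kaspersky describes above (the MicrosoftUpdateCore/MicrosoftUpdateCoree persistence names, LockBit masquerading as OneDrive.exe or VLC.exe under C:\ProgramData, and double-extension executables), added here as an example and not code from the article or from Kaspersky. The record shape (a `kind` plus a `name` or `path`) and the sample telemetry are constructed assumptions, and the double-extension pattern is generalized beyond the two .pdf.exe names quoted on the page.

```python
import re
from typing import Iterable

# Indicators taken from the Kaspersky findings quoted above.
TASK_OR_REG_NAMES = {"microsoftupdatecore", "microsoftupdatecoree"}
MASQUERADE_BINARIES = {"onedrive.exe", "vlc.exe"}
STAGING_DIR = "c:\\programdata\\"
# Document extension directly followed by an executable one, e.g. "x.pdf.exe"
# (generalized beyond the two .pdf.exe names quoted on the page).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|com)$", re.IGNORECASE)


def classify(record: dict) -> list:
    """Return indicator labels matched by one record of the hypothetical
    telemetry shape {'kind': task|registry|file|attachment, 'name'|'path': str}."""
    hits = []
    kind = record.get("kind")
    lowered = (record.get("name") or record.get("path") or "").lower()
    leaf = lowered.replace("/", "\\").rsplit("\\", 1)[-1]  # last path component
    if kind in ("task", "registry") and leaf in TASK_OR_REG_NAMES:
        hits.append("fake-microsoft-update-persistence")
    if (kind == "file" and lowered.replace("/", "\\").startswith(STAGING_DIR)
            and leaf in MASQUERADE_BINARIES):
        hits.append("lockbit-masquerading-in-programdata")
    if kind in ("attachment", "file") and DOUBLE_EXT.search(leaf):
        hits.append("double-extension-executable")
    return hits


def hunt(records: Iterable[dict]) -> dict:
    """Map each flagged record's name/path to its labels; clean records are omitted."""
    findings = {}
    for rec in records:
        labels = classify(rec)
        if labels:
            findings[rec.get("name") or rec.get("path")] = labels
    return findings


# Constructed sample telemetry: four suspicious entries, two benign ones.
SAMPLE_RECORDS = [
    {"kind": "task", "name": "\\Microsoft\\Windows\\MicrosoftUpdateCore"},
    {"kind": "registry", "name": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftUpdateCoree"},
    {"kind": "file", "path": "C:\\ProgramData\\OneDrive.exe"},
    {"kind": "file", "path": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"},
    {"kind": "attachment", "name": "тз на разработку.pdf.exe"},
    {"kind": "file", "path": "C:\\Users\\alice\\report.pdf"},
]
```

Calling `hunt(SAMPLE_RECORDS)` flags the first three entries and the .pdf.exe attachment while leaving the genuine VLC install path and the plain PDF untouched.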

    Another key component of their attack strategy is Sliver, an open-source C2 framework, along with a collection of publicly available tools such as rsockstun, ngrok, and Mimikatz. These tools aid in discovery, lateral movement, and credential harvesting.

    The attacks typically culminate in the deployment of either LockBit or Babuk, depending on the target environment, followed by a ransom note demanding payment in exchange for a decryptor to unlock the files.

    “The tactics, techniques, procedures, and tools used by Head Mare are largely similar to those of other groups targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict,” the Russian cybersecurity vendor observed.

    “However, the group sets itself apart by using custom-made malware such as PhantomDL and PhantomCore, and by exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate their victims’ infrastructure through phishing campaigns.”
