Friend
Professional
The group seeks to cause maximum damage to organizations from the Russian Federation and Belarus.
Kaspersky Lab has published a detailed report on the activities of the hacker group Head Mare, which has been actively attacking Russian and Belarusian organizations since 2023. Experts conducted a thorough analysis of the incidents and revealed the tactics, methods and tools used by the attackers.
Head Mare first announced itself on the social network X (formerly Twitter) in 2023. The group publishes information about its victims, including the names of organizations, stolen internal documents, and desktop screenshots. At the time of the study, Head Mare claimed nine victims from various industries, including government agencies, transportation, energy, manufacturing and entertainment.
The main purpose of Head Mare attacks is to cause maximum damage to companies from Russia and Belarus. At the same time, the group also demands a ransom for decrypting data, which distinguishes it from some other hacktivist groups.
For initial access, Head Mare runs phishing campaigns that distribute RAR archives exploiting CVE-2023-38831 in WinRAR (fixed in WinRAR 6.23). In vulnerable versions, opening a harmless-looking document inside the archive instead launches an executable stored in a same-named folder, so the victim never sees an executable file and the payload is both easier to disguise and more likely to be run.
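The archive layout that triggers CVE-2023-38831 is easy to spot from the entry names alone: a decoy file and a directory with the same name, and inside that directory a script or executable whose name begins with the decoy's name (typically with a trailing space before the real extension). The following check is an added example written for this page, not code from the Kaspersky report or from Head Mare's tooling; it takes a plain list of archive entry names (e.g. from `rarfile.RarFile.namelist()` or a `7z l` listing) and the sample listing is constructed to mirror the public proof-of-concept layout.

```python
"""Heuristic check for the CVE-2023-38831 archive layout (example code).

Assumption: we only see the archive's entry names; the listings below are
constructed for this example and are not real Head Mare samples.
"""
from __future__ import annotations

import posixpath

# Extensions Windows will run when WinRAR hands the "decoy" off to ShellExecute.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".wsf", ".ps1", ".lnk"}


def find_38831_layout(entries: list[str]) -> list[dict]:
    """Return one finding per decoy file that also exists as a directory holding a
    payload whose name starts with the decoy's name (e.g. 'decoy.pdf .cmd')."""
    names = [e.replace("\\", "/") for e in entries]
    files = {n for n in names if not n.endswith("/")}

    # Directories are either listed explicitly ('x/') or implied by a nested path.
    dirs: set[str] = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))

    findings = []
    for decoy in sorted(files):
        if decoy not in dirs:
            continue  # no directory shares this file's name: not the bug pattern
        base = posixpath.basename(decoy)
        payloads = []
        for n in files:
            if posixpath.dirname(n) != decoy:
                continue
            child = posixpath.basename(n)
            ext = posixpath.splitext(child)[1].lower()
            # Vulnerable WinRAR matches the directory's children on the decoy's
            # name prefix; the trailing space hides the real extension from the user.
            if child.startswith(base) and ext in EXEC_EXTS:
                payloads.append(n)
        if payloads:
            findings.append({"decoy": decoy, "payloads": sorted(payloads)})
    return findings


# Constructed listing modelled on the public PoC layout (hypothetical file names).
SAMPLE_ENTRIES = [
    "Contract_2024.pdf",
    "Contract_2024.pdf/Contract_2024.pdf .cmd",
    "Contract_2024.pdf/image.png",  # payload directories often carry filler too
    "readme.txt",
]

# Constructed benign listing: nested paths, but no file/directory name collision.
BENIGN_ENTRIES = ["report.docx", "images/chart.png", "images/logo.png"]


if __name__ == "__main__":
    for hit in find_38831_layout(SAMPLE_ENTRIES):
        print(f"suspicious: {hit['decoy']!r} -> {hit['payloads']}")
    print("benign listing findings:", find_38831_layout(BENIGN_ENTRIES))
```

The check deliberately keys on the file/directory name collision rather than on the trailing space alone, because the collision is what the WinRAR bug needs; a hit on a mail gateway or sandbox is worth quarantining even before the payload is detonated, and patched WinRAR (6.23 or later) makes the layout harmless but still suspicious.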
In its arsenal, Head Mare uses both publicly available software and its own custom developments. The group's tools include:
- LockBit (for Windows) and Babuk (for ESXi) ransomware encryptors
- The custom malware PhantomDL and PhantomCore
- The Sliver C2 framework
- The ngrok and rsockstun utilities for tunnelling into otherwise unreachable network segments
- XenAllPasswordPro for credential collection
- Mimikatz
For persistence, Head Mare uses several methods, including adding its malware to the Run registry key and creating scheduled tasks. The group also obfuscates its tools, presumably with the popular Go obfuscator Garble.
Kaspersky Lab experts note that Head Mare's tactics, techniques, and tools are largely similar to those of other groups attacking organizations in Russia and Belarus in the context of the Russian-Ukrainian conflict. However, the group is distinguished by its use of the self-written malware PhantomDL and PhantomCore, and by its use of exploits for the relatively recent vulnerability CVE-2023-38831 in its phishing campaigns.
It is important to note that, according to Kaspersky Threat Intelligence, all Head Mare-related malware samples were detected only in Russia and Belarus.
The researchers emphasize that Russian and Belarusian organizations should pay close attention to how attackers' tactics, techniques and procedures (TTPs) evolve. Experts recommend regularly updating software, conducting security audits, and training employees in cyber hygiene, with particular attention to resisting phishing attacks.
Source