Head Mare Hacktivist Group Use WinRAR Vulnerability to Encrypt Windows and Linux

The Head Mare hacktivist group has made headlines in 2023 for its targeted attacks on organizations in Russia and Belarus. Using phishing tactics and exploiting the CVE-2023-38831 vulnerability in WinRAR archives, they have successfully gained initial access to victims’ systems.

Once inside, Head Mare steals sensitive data and encrypts devices using the LockBit and Babuk ransomware, which are known for their sophisticated toolset and tactics. These methods align with those of other groups targeting Russian entities, suggesting potential connections or shared resources.

Head Mare’s goal is to cause significant damage to Russian and Belarusian companies while also demanding a ransom to decrypt the data it has encrypted. The group employs various techniques to evade detection, such as disguising its tools as legitimate software and using obfuscation. Additionally, it uses open-source frameworks like Sliver and tools like rsockstun and ngrok to pivot through compromised systems and reach private network segments.

Phishing campaigns with double-extension files are another tactic used by Head Mare to lure victims into executing malicious payloads. This allows the attackers to maintain persistent access to victim networks and carry out their malicious activities undetected.
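The two lure patterns mentioned above (the CVE-2023-38831 archive trick and double-extension filenames) can be checked for at the mail gateway or in a sandbox before a user ever opens the attachment. Added example, not from the original article or from Kaspersky's report: it inspects a ZIP's entry names for a file paired with a same-named directory (differing only by trailing whitespace, the layout CVE-2023-38831 lures use) and for names such as `invoice.pdf.exe`; the sample archive and the extension lists are constructed here.

```python
import io
import zipfile

# Extensions that typically run code when opened on Windows (constructed list).
EXEC_EXTS = {"exe", "cmd", "bat", "scr", "js", "vbs", "ps1", "hta", "lnk", "msi"}
# Extensions that make a lure look like a harmless document (constructed list).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "rtf"}


def is_double_extension(name: str) -> bool:
    """True for names like 'invoice.pdf.exe': document-looking inner extension, executable outer one."""
    parts = [p.strip() for p in name.rsplit("/", 1)[-1].lower().split(".")]
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS


def find_name_collisions(names):
    """Return (file, directory) pairs where a directory's name equals a file's name
    apart from trailing whitespace, the layout used by CVE-2023-38831 lures."""
    files = {n for n in names if not n.endswith("/")}
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    # Parent components of nested entries are directories too, even without an explicit entry.
    for n in files:
        head, _, _ = n.rpartition("/")
        if head:
            dirs.add(head)
    return sorted((f, d) for f in files for d in dirs if d != f and d.rstrip() == f)


def scan_archive(data: bytes) -> dict:
    """Inspect only the central directory; nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {
        "double_extension": sorted(n for n in names if is_double_extension(n)),
        "name_collisions": find_name_collisions(names),
    }


def build_sample() -> bytes:
    """Constructed sample archive mimicking the lure layout; contents are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", "decoy document")
        zf.writestr("report.pdf /report.pdf .cmd", "echo constructed sample")
        zf.writestr("invoice.pdf.exe", "not a real binary")
        zf.writestr("notes.txt", "benign")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample()))
```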

The group initially compromises a network node and gathers system information and credentials using tools like Mimikatz and XenAllPasswordPro. Subsequently, they deploy two ransomware variants, LockBit and Babuk, to encrypt files on the network. These ransomware variants leave ransom notes demanding payment for decryption.

A report from Kaspersky Threat Intelligence reveals that Head Mare primarily targets victims in Russia and Belarus. The report highlights the PhantomDL and PhantomCore samples, key components of the group’s toolkit, which have been analyzed and compared to similar malware. The report also identifies similarities between Head Mare’s tools and the LockBit ransomware, indicating potential connections or shared techniques.

By analyzing these similarities, cybersecurity researchers can gain insights into Head Mare’s operations and develop strategies to counter their attacks. Despite the group’s use of custom-made malware and exploiting newly discovered vulnerabilities, they share tactics, methods, procedures, and tools with other threat actor clusters targeting Russian and Belarusian organizations.

Head Mare stands out for its unique approach in using custom-made malware and exploiting vulnerabilities to infiltrate victim infrastructure. Their activities have raised concerns within the cybersecurity community, prompting a closer examination of their operations and tactics to enhance cybersecurity defenses against such threats.
