CyberSecurity SEE

Head Mare Targets Russian Organizations with Hidden LNK Files and Ransomware

Cyble researchers have recently uncovered a new cyber campaign targeting Russia by the hacktivist group Head Mare. The group has been using a disguised LNK file to conceal an executable as part of their malicious activities. According to Cyble Research and Intelligence Labs (CRIL) researchers, this campaign is particularly concerning due to its ability to download additional payloads, including ransomware, and escalate a compromise through specific commands and payloads.

In a blog post published by Cyble today, the researchers highlighted the group’s capabilities in collecting victim data and deploying various payloads, emphasizing the ongoing threat posed by Head Mare. The group’s actions demonstrate a clear intention to cause harm rather than seeking financial gain, a tactic commonly employed by hacktivist groups in conflicts such as the ongoing tensions between Russia and Ukraine.

Head Mare’s latest campaign involves the use of a ZIP archive containing a malicious LNK file and an executable disguised as an archive file to deceive users. The LNK file is designed to extract and execute the PhantomCore backdoor, which has been updated to use C++-compiled binaries and includes the Boost.Beast library for communication with the command-and-control (C&C) server.

PhantomCore, once deployed, gathers information about the victim before proceeding to deploy additional payloads, such as LockBit and Babuk ransomware, or executing further commands on the compromised system. Head Mare has specifically targeted Russia and Belarus by exploiting vulnerabilities like the CVE-2023-38831 WinRAR vulnerability for initial access and payload delivery. What sets Head Mare apart from other hacktivist groups is their tendency to demand ransoms from their victims.

In the most recent campaign discovered by Cyble, a ZIP archive named “Doc.Zip” was found to contain a malicious LNK file, an executable disguised as a “zip” file, and a corrupted lure PDF. This archive, downloaded from a file-sharing website, is believed to have been delivered to victims via spam emails with a social engineering theme to appear legitimate. Upon execution, the LNK file triggers a PowerShell command to extract and execute the contents of the archive.
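The lure layout described above (an LNK shortcut, an executable carrying a "zip" extension, and a PDF that does not open) can be spotted before anything is executed by checking each archive member's name against its leading bytes. The following is an added example written for this article, not code from Cyble or from the campaign; it builds a harmless archive in memory that mimics that layout (the member names and bytes are constructed, and the function names are the author's own) and reports the mismatches a mail gateway or triage script would want to flag.

```python
import io
import zipfile

# Leading bytes of a Windows PE executable ("MZ") and of a PDF document.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
# Extensions under which an executable is commonly hidden to look like an archive or document.
ARCHIVE_LIKE_EXTS = {".zip", ".rar", ".7z", ".pdf", ".doc", ".docx"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return findings for one archive member based on its name and first bytes."""
    findings = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext == ".lnk":
        # A shortcut inside a mailed archive is itself worth flagging.
        findings.append("lnk-shortcut")
    if ext in ARCHIVE_LIKE_EXTS and head.startswith(PE_MAGIC):
        # Extension says archive/document, content says PE executable.
        findings.append(f"pe-disguised-as{ext}")
    if ext == ".pdf" and not head.startswith(PDF_MAGIC):
        # A "corrupted" lure PDF has no PDF header at all.
        findings.append("pdf-missing-header")
    return findings


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Inspect every file in a ZIP archive; return findings keyed by member name."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header bytes are needed for classification
            findings = classify_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_archive() -> bytes:
    """Construct a harmless archive mimicking the reported layout (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # LNK files begin with HeaderSize 0x4C as a little-endian DWORD; the rest is padding here.
        zf.writestr("Doc.lnk", b"L\x00\x00\x00" + b"\x00" * 60)
        # A PE header stored under an archive extension (no real executable code follows).
        zf.writestr("Doc.zip", PE_MAGIC + b"\x00" * 62)
        # The "corrupted" lure PDF: no %PDF header.
        zf.writestr("Doc.pdf", b"\x00" * 64)
        # A benign member that should produce no finding.
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample_archive()).items():
        print(f"{member}: {', '.join(findings)}")
```

Reading only the first eight bytes of each member keeps the scan cheap even for large archives, and the name/content mismatch check catches the disguised executable regardless of which extension the lure uses. In practice the findings would feed an existing gateway or EDR policy rather than a print loop.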

The malware within the archive attempts to connect to a C&C server, gathers victim information, and sends it to the server while awaiting further instructions. The researchers at Cyble have provided a detailed analysis of the campaign, including MITRE ATT&CK techniques and Indicators of Compromise (IoCs), and have published YARA and Sigma rules on GitHub for detection purposes.

The actions of Head Mare and similar hacktivist groups continue to pose a significant threat to cybersecurity, highlighting the importance of vigilance and proactive measures to protect against such malicious campaigns. As the cyber landscape evolves, it is essential for organizations and individuals to stay informed and implement robust security measures to mitigate risks posed by cyber threats.
