Headline
Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus
A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. “Head Mare uses more up-to-date methods for obtaining initial access,” Kaspersky said in a Monday analysis of the group’s tactics and tools. "For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which
A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus.
“Head Mare uses more up-to-date methods for obtaining initial access,” Kaspersky said in a Monday analysis of the group’s tactics and tools.
“For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and disguise the malicious payload more effectively.”
Head Mare, active since 2023, is one of the hacktivist groups attacking Russian organizations in the context of the Russo-Ukrainian conflict that began a year before.
It also maintains a presence on X, where it has leaked sensitive information and internal documentation from victims. Targets of the group’s attacks include governments, transportation, energy, manufacturing, and environment sectors.
Unlike other hacktivist personas that likely operate with an aim to inflict “maximum damage” to companies in the two countries, Head Mare also encrypts victims’ devices using LockBit for Windows and Babuk for Linux (ESXi), and demands a ransom for data decryption.
Also part of its toolkit are PhantomDL and PhantomCore, the former of which is a Go-based backdoor that’s capable of delivering additional payloads and uploading files of interest to a command-and-control (C2) server.
PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a remote access trojan with similar features, allowing for downloading files from the C2 server, uploading files from a compromised host to the C2 server, as well as executing commands in the cmd.exe command line interpreter.
“The attackers create scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activity as tasks related to Microsoft software,” Kaspersky said.
“We also found that some LockBit samples used by the group had the following names: OneDrive.exe [and] VLC.exe. These samples were located in the C:\ProgramData directory, disguising themselves as legitimate OneDrive and VLC applications.”
Both the artifacts have been found to be distributed via phishing campaigns in the form of business documents with double extensions (e.g., решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).
Another crucial component of its attack arsenal is Sliver, an open-source C2 framework, and a collection of various publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral movement, and credential harvesting.
The intrusions culminate in the deployment of either LockBit or Babuk depending on the target environment, followed by dropping a ransom note that demands a payment in exchange for a decryptor to unlock the files.
“The tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict,” the Russian cybersecurity vendor said.
“However, the group distinguishes itself by using custom-made malware such as PhantomDL and PhantomCore, as well as exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate the infrastructure of their victims in phishing campaigns.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide. The attacks, attributed to an "aggressive" hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with
By Waqas UAC-0099 is a pro-Russian hacking group that has been targeting Ukraine since the conflict between the two countries began. This is a post from HackRead.com Read the original post: UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine
Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering. The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE. "New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate
The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and
Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28,
By Waqas Forest Blizzard (aka STRONTIUM, APT28, and Fancy Bear) is thought to have affiliations with or support from the Russian military intelligence agency. This is a post from HackRead.com Read the original post: Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities. Check Point, which detailed Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are
The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a
This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.
RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.