The analysis revealed that the Head Mare hacking group is targeting companies in Russia and Belarus exclusively. The group is part of a trend of cyber organizations that have emerged in the context of the Russian war in Ukraine and that appear to be focused on causing as much damage as possible, rather than on financial incentives.
Head Mare is said to use more modern initial access techniques than comparable groups. The organization is said to have carried out attacks against nine victims in various industries, including government agencies, energy, transportation, manufacturing, and entertainment.
The group used X (formerly Twitter) to publish details of the data stolen from its victims, along with organization names, administrative codes and desktop screenshots. The group's intention was apparently to cause as much damage as possible, but it also demanded a ransom for the data it encrypted.
To gain initial access, researchers discovered that Head Mare used malicious samples of PhantomDL and PhantomCore. Phishing emails carried an attachment that, when opened by the user, also opened a disguised document, triggering the execution of the malicious file. The group exploits the well-known CVE-2023-38831 vulnerability in WinRAR, used to hide malware in compressed files.
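The article only names the vulnerability. As an added example, not code from the article or from the researchers it cites, the following Python heuristic scans an archive listing for the layout that CVE-2023-38831 relies on: a bait file whose name ends in a space, paired with a same-named directory holding a script or executable. It works on a list of entry names (as a tool such as `unzip -l` would print them) rather than on a real archive, so it runs offline; the extension sets and the sample listings are constructed for this example and would be tuned in practice.

```python
"""Heuristic scan of an archive listing for the CVE-2023-38831 layout.

Added example; not from the original article. Input is a list of archive
entry paths (directories end with '/'), not a real archive file.
"""

from __future__ import annotations

import posixpath

# Extensions Windows would execute rather than display (constructed set).
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com"}


def _ext(name: str) -> str:
    """Lower-cased extension of an entry, ignoring trailing whitespace."""
    return posixpath.splitext(name.rstrip())[1].lower()


def scan_listing(entries: list[str]) -> list[str]:
    """Return human-readable findings for suspicious entries in a listing.

    Two signals are reported:
      * a top-level file whose name carries trailing whitespace, and
      * a top-level file that shares its name (modulo trailing whitespace)
        with a directory that contains an executable or script.
    """
    findings: list[str] = []
    files = [e for e in entries if not e.endswith("/")]
    dirs = {e.rstrip("/") for e in entries if e.endswith("/")}
    # Parent directories of nested files count as directories too, since
    # an archive need not carry explicit directory entries.
    for f in files:
        parent = posixpath.dirname(f)
        if parent:
            dirs.add(parent)

    top_files = [f for f in files if "/" not in f]
    for f in top_files:
        if f != f.rstrip():
            findings.append(f"trailing whitespace in file name: {f!r}")
        # Directories whose name collides with the bait file name.
        twins = [d for d in dirs if d.rstrip() == f.rstrip()]
        for d in twins:
            for p in files:
                if posixpath.dirname(p) == d and _ext(p) in EXECUTABLE_EXTS:
                    findings.append(
                        f"file {f!r} shadows directory {d!r} holding executable {p!r}"
                    )
    return findings


def is_suspicious(entries: list[str]) -> bool:
    """True when the listing matches the heuristic at least once."""
    return bool(scan_listing(entries))


# Constructed sample listings (not real captured archives).
SAMPLE_LISTING = [
    "invoice.pdf ",
    "invoice.pdf /",
    "invoice.pdf /invoice.pdf .cmd",
]
BENIGN_LISTING = ["report.pdf", "images/", "images/logo.png"]

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_LISTING):
        print("FLAG:", finding)
    print("benign listing suspicious:", is_suspicious(BENIGN_LISTING))
```

The heuristic is deliberately narrow: it flags the structural trick (a file and a directory that render identically to the user) rather than any particular payload, so it also catches variants that swap the bait extension or the script type. Patching WinRAR remains the actual fix; a listing check like this is a triage aid for mail gateways or sandboxes that already unpack attachments.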
The custom malware PhantomCore and PhantomDL is used to infiltrate the target device. The attackers then encrypt the devices with LockBit or Babuk and demand a ransom for the encrypted data.
This campaign is one of many: the digital sphere has served as the stage for much of Russia's war in Ukraine, with Ukraine's allies, as well as targets in Ukraine itself, hit by cyber attacks from Russian-backed threat actors.