Head Mare hacktivists target orgs in Russia and Belarus

September 12, 2024

The hacktivist group Head Mare has exploited the WinRAR vulnerability CVE-2023-38831 in attacks on Russian and Belarusian organisations.

The group has been active since at least 2023 and is known for targeting enterprises in Russia and Belarus. It publicises its victims on X and leaks internal data stolen during its attacks on the same platform.

According to reports, the group relies on up-to-date tooling to obtain initial access. Researchers recently reported that Head Mare used the WinRAR flaw CVE-2023-38831 to gain arbitrary code execution when a victim opens a specially crafted archive. The flaw lies in how vulnerable WinRAR versions handle an archive that contains a harmless-looking file (for example a PDF or image) alongside a folder of the same name: double-clicking the decoy file causes WinRAR to run a script or executable placed in that folder instead of, or in addition to, opening the decoy.
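The archive layout described above can be checked for before a ZIP ever reaches a user's WinRAR. The following scanner is an added example, not code from the original article or from the researchers it cites; it builds a constructed sample archive in the CVE-2023-38831 shape (a decoy file entry and a folder of the same name, differing only by a trailing space, holding a script) and flags any top-level file that has a same-named folder containing an executable or script. The file name `report.pdf`, the extension list and the trailing-space normalisation are assumptions made for the example.

```python
import io
import zipfile

# Extensions that turn a "decoy file + same-named folder" pair into a
# code-execution path when opened in a vulnerable WinRAR. Assumed list for
# the example; extend to taste.
RISKY_EXT = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".wsf", ".lnk")


def suspicious_pairs(zip_bytes):
    """Return (decoy_entry, payload_entry) pairs matching the CVE-2023-38831
    layout: a top-level file and a top-level folder whose names are equal
    after trimming trailing spaces, where the folder holds a risky file.
    No real filesystem can hold a file and a folder with the same name, so
    any such pair inside an archive is worth a second look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        # Top-level file entries (no path separator, not a directory marker).
        decoys = [n for n in names if "/" not in n and not n.endswith("/")]
        # Map normalised top-level folder name -> entries stored under it.
        folders = {}
        for n in names:
            if "/" in n.strip("/"):
                top = n.split("/", 1)[0]
                folders.setdefault(top.rstrip(" "), []).append(n)
        for decoy in decoys:
            key = decoy.rstrip(" ")  # trailing-space trick used by the exploit
            for inner in folders.get(key, []):
                leaf = inner.rsplit("/", 1)[-1]
                if leaf.lower().rstrip(" ").endswith(RISKY_EXT):
                    findings.append((decoy, inner))
    return findings


def build_sample(decoy="report.pdf", malicious=True):
    """Constructed sample archive (not a real Head Mare artefact). With
    malicious=True it mimics the exploit layout; otherwise it is a plain
    archive with an unrelated folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy + " ", b"%PDF-1.4 decoy")  # decoy with trailing space
        if malicious:
            # Folder named like the decoy, holding a script named like the decoy.
            zf.writestr(decoy + " /" + decoy + " .cmd",
                        b"@echo off\r\necho constructed sample\r\n")
        else:
            zf.writestr("notes/readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("malicious", build_sample()), ("benign", build_sample(malicious=False))):
        print(label, suspicious_pairs(data))
```

In a mail gateway or EDR pipeline the same check can be applied to every inbound archive; a hit on a pair such as `report.pdf ` / `report.pdf /report.pdf .cmd` is a strong signal even on hosts whose WinRAR has already been patched.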


Head Mare has infected nine corporations in various industries.


Reports state that the Head Mare group has hit nine victims across several sectors, including transportation, energy, entertainment, manufacturing and government.

The researchers noted that the group's primary objective is to inflict as much damage as possible on companies in Russia and Belarus. Unlike typical hacktivist operations, however, Head Mare also encrypts victim data and demands a ransom.

After initial execution, the group deploys the malware tools PhantomDL and PhantomCore, which connect to its command-and-control (C2) servers and identify the domain of the infected host.

Analysis shows that PhantomDL connects to a single C2 server, whereas PhantomCore connects to several C2 servers and checks the infected host's domain. Although other PhantomDL and PhantomCore samples have been discovered, it is unclear whether they belong to the same activity cluster as those used in Head Mare's attacks.

The hacktivists also used several techniques, including Windows registry keys and scheduled tasks, to establish and maintain persistence on infected systems. Finally, the researchers noted that the last stage of these attacks is the launch of either Babuk or LockBit ransomware, depending on the infected infrastructure.

The tactics, techniques, procedures and tools used by Head Mare are comparable to those of other clusters targeting organisations in Russia and Belarus during the Russo-Ukrainian conflict.

Researchers expect the group's attacks on Russian and Belarusian organisations to continue for as long as the geopolitical conflict in the region persists.
