According to recent reports, a threat actor group known as Head Mare has been linked to cyberattacks that exploit a WinRAR vulnerability. These attacks mainly target organizations located in Russia and Belarus. In this article, we’ll focus on details about Head Mare and the WinRAR vulnerability itself. Let’s begin!
Head Mare is one of the hacktivist groups that has been targeting organizations in Russia, in some cases by specifically using a WinRAR vulnerability. The group has been active since 2023, and its attacks take place in the context of the ongoing geopolitical conflict between Russia and Ukraine. Reports claim that Head Mare maintains a presence on the social media platform X, previously known as Twitter.
On the platform, it has leaked sensitive information and internal documentation acquired from victims. As of now, the key targets for Head Mare mainly include organizations in the government, transportation, energy, manufacturing, and environment sectors. Another aspect that makes this hacktivist group unique is its demand for ransom.
Other threat actor groups have attacked organizations in these sectors as well. However, their aim has been to cause maximum damage. Head Mare, while also causing damage, encrypts the stolen files using LockBit on Windows and Babuk on Linux (ESXi) and seeks ransom payment(s) afterward.
As for its attack arsenal, Head Mare relies on PhantomDL and PhantomCore. PhantomDL is a Go-based backdoor that, when executed, allows the threat actors to deliver additional payloads.
The backdoor also facilitates uploading files to a command-and-control (C2) server. PhantomCore, also known as PhantomRAT, is a remote access trojan with similar capabilities and can execute commands in the cmd.exe command-line interpreter.
Apart from these, the group also uses an open-source C2 framework and other publicly available tools for discovery, lateral movement, and credential harvesting. These tools may include Rsockstun, Ngrok, and Mimikatz.
After gaining access, Head Mare deploys either LockBit or Babuk, depending on the target. Once the deployment is complete, a ransom note seeking payment for the files to be decrypted is dropped on the compromised device.
As far as the WinRAR vulnerability exploit is concerned, Kaspersky, a Russian multinational cybersecurity and antivirus provider, has stated that:
“Head Mare uses more up-to-date methods for obtaining initial access. For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and disguise the malicious payload more effectively.”
It’s worth mentioning here that the techniques, tools, and attack methods Head Mare has used are similar to those of other threat actors targeting the same sectors. However, the exploitation of the WinRAR vulnerability, CVE-2023-38831, during phishing campaigns is what distinguishes this hacktivist group from others.
Head Mare’s activities highlight the evolving tactics of hacktivist groups, especially their exploitation of the WinRAR vulnerability to target critical sectors in Russia and Belarus. By combining ransomware, custom malware, and phishing, they pose a significant threat. Given this, organizations must adopt proactive security measures to reduce risk and ensure protection.
The sources for this piece include articles in The Hacker News and TechRadar.
The post Alert: Head Mare Associated With WinRAR Vulnerability Attack appeared first on TuxCare.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/alert-head-mare-associated-with-winrar-vulnerability-attack/