Hacktivists Target Russian Organizations Using WinRAR Vulnerability
Analysis has shown that hacker group ‘Head Mare’ is exclusively targeting companies in Russia and Belarus. The group is part of a trend of cyber organizations that have emerged in the context of Russia’s war in Ukraine and that appear to be focused on inflicting the most damage, rather than financial incentives.
Head Mare is said to be using the most up-to-date initial access techniques compared to other groups. The organization is said to have carried out attacks on nine victims in various sectors, such as government agencies, energy, transportation, manufacturing and entertainment.
The group used X (formerly Twitter) to post details of their victims’ stolen data – along with organization names, administrative codes, and desktop screenshots. Ostensibly, the group’s intention was to cause maximum damage, but they also demanded ransom payments for data encryption.
To gain initial access, researchers found, Head Mare used malicious PhantomDL and PhantomCore samples delivered through a phishing campaign. When the user opened the attachment, a disguised decoy document opened as well, and the malicious file was executed alongside it. The group uses the well-known CVE-2023-38831 vulnerability in WinRAR to hide malware inside archive files.
The custom malware families PhantomCore and PhantomDL are used to infiltrate the target’s device. The attackers then encrypt the devices with LockBit or Babuk and deliver a ransom demand for the encrypted data.
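The page says only that the group hides malware in archives via CVE-2023-38831. The publicly documented trigger for that bug is an archive that contains a harmless-looking file (say a PDF) next to a folder with the same name plus a trailing space, holding a script that WinRAR runs when the user opens the "document". The following scanner, an added example that is not part of the article or of any vendor tooling, flags that layout in a ZIP so a mail gateway or triage script can quarantine the attachment before a user ever double-clicks it. The archive it checks is constructed inline (names and contents are made up; the script body is a harmless `echo`) and the `build_archive` helper is ours, not WinRAR's.

```python
import io
import zipfile


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {entry_name: content}.

    Helper for constructing test archives; names are stored exactly as
    given, including trailing spaces, which is what the lure relies on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_trailing_space_lures(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, suspicious_entry) pairs for the CVE-2023-38831 layout.

    The heuristic: an entry lives under a directory whose name ends with a
    space, and the same name without the space exists as a separate entry.
    Legitimate archives essentially never contain that pairing, so any hit
    is worth quarantining for manual review.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())

    findings = []
    for name in sorted(names):
        if name.endswith("/"):
            continue  # explicit directory entries carry no payload
        parts = name.split("/")
        # Walk every parent directory of this entry.
        for depth in range(1, len(parts)):
            directory = "/".join(parts[:depth])
            if not directory.endswith(" "):
                continue
            decoy = directory.rstrip(" ")
            if decoy in names:
                findings.append((decoy, name))
    return findings


if __name__ == "__main__":
    # Constructed sample: decoy PDF plus the trailing-space folder and script.
    lure = build_archive({
        "report.pdf": b"%PDF-1.4 constructed decoy",
        "report.pdf /report.pdf .cmd": b"@echo constructed sample, no payload\r\n",
        "notes.txt": b"unrelated file",
    })
    for decoy, entry in find_trailing_space_lures(lure):
        print(f"QUARANTINE: {entry!r} shadows decoy {decoy!r}")
```

The check is a heuristic rather than a full WinRAR parser: it only inspects ZIP entry names, which is cheap enough to run on every inbound attachment, and it deliberately ignores the script's contents so a renamed or obfuscated payload does not evade it.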
This campaign is one of many: the digital sphere has served as an arena for much of Russia’s war in Ukraine, with Ukraine’s allies, as well as targets in Ukraine itself, affected by cyber attacks from Russian-backed threat actors.
Via Safe List