The hacktivist group Head Mare has leveraged a vulnerability in WinRAR to infiltrate and encrypt systems running on Windows and Linux.
This group, active since the onset of the Russo-Ukrainian conflict, has primarily targeted organizations in Russia and Belarus. Their attacks are characterized by sophisticated techniques that focus on causing maximum disruption.
The Vulnerability: CVE-2023-38831
According to the Securelist report, the vulnerability exploited by Head Mare, identified as CVE-2023-38831, resides in WinRAR, a popular file archiver utility.
This flaw allows attackers to execute arbitrary code on a victim’s system through specially crafted archive files. By exploiting this vulnerability, Head Mare can more effectively deliver and conceal its malicious payloads.
How the Exploit Works
When a user attempts to open a seemingly legitimate document within a compromised archive, the malicious code is executed, granting the attackers access to the system.
Figure (from the Securelist report): detection verdicts for PhantomDL samples; the malware is recognized, among other things, as an exploit for CVE-2023-38831.
This method of attack is dangerous because it relies on user interaction: the archive looks like an ordinary document to the victim, which makes it harder to detect through traditional security measures.
Unlike many hacktivist groups, Head Mare employs a mix of publicly available software and custom malware.
Their toolkit includes:
- LockBit and Babuk Ransomware: Used to encrypt files and demand ransoms.
- PhantomDL and PhantomCore: Custom malware used for initial access and exploitation.
- Sliver: An open-source command and control (C2) framework for managing compromised systems.
Initial Access and Persistence
Head Mare gains initial access through phishing campaigns, distributing malicious archives that exploit the WinRAR vulnerability. Once inside, they use various methods to maintain persistence, such as adding entries to the Windows registry and creating scheduled tasks.
Head Mare’s attacks have affected various industries, including government institutions, transportation, energy, manufacturing, and entertainment. Their primary objective appears to be disrupting systems and demanding ransoms rather than solely financial gain.
The group maintains a public presence on social media, where it occasionally posts information about its victims.
Unlike some hacktivist groups, Head Mare also demands ransoms for data decryption, adding a financial dimension to its politically motivated attacks.
Analysis of Attack Infrastructure
Head Mare’s sophisticated infrastructure utilizes VPS/VDS servers as C2 hubs. They employ tools like ngrok and rsockstun for pivoting, allowing them to navigate private networks using compromised machines as intermediaries.
The group’s C2 servers host various utilities used in different stages of their attacks. These include PHP shells for executing commands and PowerShell scripts for privilege escalation.
Head Mare employs several techniques to evade detection, such as disguising its malware as legitimate software.
For instance, it renames ransomware samples to mimic applications like OneDrive and VLC and places them in typical system directories.
Obfuscation and Disguise
The malware samples are often obfuscated using tools like Garble, making them harder to detect and analyze. Additionally, the group uses double extensions in phishing campaigns, making malicious files appear as harmless documents.
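A defender-side triage check for the two archive tricks described in this article, the CVE-2023-38831 "document beside a same-named folder" structure from the "How the Exploit Works" section and the double-extension lures mentioned above. This is an added example written for this page, not code from the article or the Securelist report; the extension lists and the finding strings are the author's assumptions, and the sample entry names are constructed.

```python
"""Heuristic scan of archive entry names for CVE-2023-38831-style decoys.

The WinRAR bug is triggered by an archive holding a decoy file and a directory
whose names match once trailing spaces are stripped, with a script inside that
directory whose name starts with the decoy's name. This scanner looks only at
entry names, so it is a triage aid, not proof of malice.
"""
import posixpath
import zipfile

# Assumed lists; extend to match local policy.
EXEC_EXT = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".hta", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def _norm(name: str) -> str:
    """Strip trailing spaces from every path component (WinRAR's normalisation)."""
    return "/".join(p.rstrip(" ") for p in name.split("/"))


def scan_names(names):
    """Return a list of human-readable findings for the given entry names."""
    findings, dirs, files = [], set(), {}
    for n in names:
        if any(p != p.rstrip(" ") for p in n.rstrip("/").split("/")):
            findings.append(f"trailing space in path component: {n!r}")
        if n.endswith("/"):
            dirs.add(_norm(n.rstrip("/")))
            continue
        files[n] = _norm(n)
        if "/" in n:                      # implicit directory entry
            dirs.add(_norm(posixpath.dirname(n)))
    for raw, norm in files.items():
        stem, ext = posixpath.splitext(norm.lower())
        if ext in EXEC_EXT and posixpath.splitext(stem)[1] in DOC_EXT:
            findings.append(f"double extension: {raw!r}")
        if norm in dirs:                  # file/directory name collision
            findings.append(f"file/directory name collision: {raw!r}")
            base = posixpath.basename(norm)
            for other, onorm in files.items():
                if (onorm.startswith(norm + "/")
                        and posixpath.basename(onorm).startswith(base)
                        and posixpath.splitext(onorm.lower())[1] in EXEC_EXT):
                    findings.append(f"script shadowing decoy {raw!r}: {other!r}")
    return findings


def scan_zip(path):
    """Scan a ZIP on disk. RAR archives need another reader; the name logic is the same."""
    with zipfile.ZipFile(path) as z:
        return scan_names(z.namelist())


# Constructed sample mirroring the decoy layout; no real archive is written.
SAMPLE = ["report.pdf ", "report.pdf /", "report.pdf /report.pdf .cmd"]
```

Running `scan_names(SAMPLE)` yields trailing-space, collision and script-shadowing findings, while a plain archive such as `["invoice.pdf", "images/", "images/logo.png"]` yields none.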
The activities of Head Mare highlight the evolving nature of cyber threats in the context of geopolitical conflicts.
By exploiting vulnerabilities like CVE-2023-38831, they demonstrate a sophisticated understanding of cyber warfare’s technical and psychological aspects.
Organizations in Russia and Belarus should prioritize patching vulnerabilities like CVE-2023-38831 and enhance their phishing detection capabilities.
Regular security audits and employee training on recognizing phishing attempts can also help mitigate the risk of such attacks.
As hacktivist groups continue to refine their tactics, the importance of robust cybersecurity measures cannot be overstated.
The case of Head Mare reminds us of the complex interplay between technology and international politics, where digital tools become weapons in broader conflicts.