Hacktivist Group Exploits WinRAR Vulnerability to Encrypt Windows & Linux Systems


The hacktivist group Head Mare has leveraged a vulnerability in WinRAR to infiltrate and encrypt systems running on Windows and Linux.

This group, active since the onset of the Russo-Ukrainian conflict, has primarily targeted organizations in Russia and Belarus. Their attacks are characterized by sophisticated techniques that focus on causing maximum disruption.


The Vulnerability: CVE-2023-38831

According to the Securelist report, the vulnerability exploited by Head Mare, identified as CVE-2023-38831, resides in WinRAR, a popular file archiver utility.

Head Mare post on X

This flaw allows attackers to execute arbitrary code on a victim’s system through specially crafted archive files. By exploiting this vulnerability, Head Mare can more effectively deliver and conceal its malicious payloads.


How the Exploit Works

When a user attempts to open a seemingly legitimate document within a compromised archive, the malicious code is executed, granting the attackers access to the system.

Verdicts with which our products detect PhantomDL samples: the malware is recognized, among other things, as an exploit for CVE-2023-38831

This attack method is hazardous because it relies on ordinary user interaction (opening what looks like a document), which makes it harder to detect with traditional security controls.

Unlike many hacktivist groups, Head Mare employs a mix of publicly available software and custom malware.

Their toolkit includes:

  • LockBit and Babuk Ransomware: Used to encrypt files and demand ransoms.
  • PhantomDL and PhantomCore: Custom malware used for initial access and exploitation.
  • Sliver: An open-source command and control (C2) framework for managing compromised systems.

Initial Access and Persistence

Head Mare gains initial access through phishing campaigns, distributing malicious archives that exploit the WinRAR vulnerability. Once inside, they use various methods to maintain persistence, such as adding entries to the Windows registry and creating scheduled tasks.

Head Mare’s attacks have affected various industries, including government institutions, transportation, energy, manufacturing, and entertainment. Their primary objective appears to be disrupting systems and demanding ransoms rather than solely financial gain.

The group maintains a public presence on social media, where it occasionally posts information about its victims.

Unlike some hacktivist groups, Head Mare also demands ransoms for data decryption, adding a financial dimension to its politically motivated attacks.

Analysis of Attack Infrastructure

Head Mare’s sophisticated infrastructure utilizes VPS/VDS servers as C2 hubs. They employ tools like ngrok and rsockstun for pivoting, allowing them to navigate private networks using compromised machines as intermediaries.

The group’s C2 servers host various utilities used in different stages of their attacks. These include PHP shells for executing commands and PowerShell scripts for privilege escalation.

PhantomDL communication with C2
PhantomCore C2 connection

Head Mare employs several techniques to evade detection, such as disguising its malware as legitimate software.

For instance, it renames ransomware samples to mimic applications like OneDrive and VLC and places them in typical system directories.

Obfuscation and Disguise

The malware samples are often obfuscated using tools like Garble, making them harder to detect and analyze. Additionally, the group uses double extensions in phishing campaigns, making malicious files appear as harmless documents.
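The two lures described on this page, the crafted WinRAR archive (see "How the Exploit Works") and the double-extension file names used in phishing, can both be spotted from an archive's entry listing before anyone opens it. The following is an added example written for this article, not code from Securelist or from the Head Mare toolset; it assumes the publicly documented CVE-2023-38831 layout (a top-level decoy file and a directory of the same name, differing only by trailing spaces, where the directory holds a script whose name begins with the decoy's name) and uses constructed entry names.

```python
import zipfile
from typing import Iterable, List, Tuple

# Constructed extension sets for this example; extend them to match local policy.
EXEC_EXT = {"exe", "cmd", "bat", "scr", "com", "pif", "vbs", "js", "ps1", "lnk", "msi"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "rtf"}

def _ext(name: str) -> str:
    """Lower-cased final extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def double_extension_hits(names: Iterable[str]) -> List[str]:
    """Entries named like 'invoice.pdf.exe': a document extension followed by
    an executable one. Trailing spaces are stripped before the check."""
    hits = []
    for name in names:
        base = name.rsplit("/", 1)[-1].rstrip(" ")
        parts = base.lower().split(".")
        if len(parts) >= 3 and parts[-2] in DOC_EXT and parts[-1] in EXEC_EXT:
            hits.append(name)
    return hits

def cve_2023_38831_hits(names: Iterable[str]) -> List[Tuple[str, str]]:
    """(decoy, script) pairs matching the CVE-2023-38831 archive layout: a
    top-level file and a directory share a name up to trailing spaces, and
    the directory holds an executable whose name starts with that stem."""
    names = list(names)
    top_files = {n.rstrip(" "): n for n in names if "/" not in n}
    hits = []
    for n in names:
        if "/" not in n or n.endswith("/"):
            continue  # skip top-level files and bare directory entries
        folder, _, inner = n.rpartition("/")
        stem = folder.rstrip(" ")
        if "/" in folder or stem not in top_files:
            continue  # only a first-level directory beside a same-named file counts
        inner = inner.rstrip(" ")
        if inner.startswith(stem) and _ext(inner) in EXEC_EXT:
            hits.append((top_files[stem], n))
    return hits

def scan_archive(path: str) -> dict:
    """Run both checks over the entry names of a ZIP archive on disk
    (CVE-2023-38831 concerns WinRAR's handling of ZIP archives)."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
    return {"double_ext": double_extension_hits(names),
            "cve_2023_38831": cve_2023_38831_hits(names)}
```

Because the checks work on names alone, they can run on mail-gateway or sandbox listings without extracting anything.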

Analysis of Head Mare’s C2 Infrastructure

The activities of Head Mare highlight the evolving nature of cyber threats in the context of geopolitical conflicts.

By exploiting vulnerabilities like CVE-2023-38831, they demonstrate a sophisticated understanding of cyber warfare’s technical and psychological aspects.

Organizations in Russia and Belarus should prioritize patching vulnerabilities like CVE-2023-38831 and enhance their phishing detection capabilities.

Regular security audits and employee training on recognizing phishing attempts can also help mitigate the risk of such attacks.

As hacktivist groups continue to refine their tactics, the importance of robust cybersecurity measures cannot be overstated.

The case of Head Mare reminds us of the complex interplay between technology and international politics, where digital tools become weapons in broader conflicts.
