TLDR:
- Head Mare hacktivist group exploits WinRAR vulnerability in attacks against Russia and Belarus.
- The group targets organizations in various sectors, encrypts devices, and demands ransom for data decryption.
A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. The group exploits the WinRAR vulnerability to execute arbitrary code on victim systems, which makes it easier to deliver and disguise malicious payloads. Operating since 2023, Head Mare attacks the government, transportation, energy, manufacturing, and environment sectors, encrypting victims’ devices with LockBit and Babuk and demanding a ransom for data decryption.

The group’s toolkit includes PhantomDL and PhantomCore, backdoors capable of delivering additional payloads and executing commands. It also distributes malware through phishing campaigns, using double extensions on files posing as business documents. Furthermore, Head Mare employs Sliver, an open-source C2 framework, along with publicly available tools such as rsockstun, ngrok, and Mimikatz for lateral movement and credential harvesting. The attack culminates in the deployment of LockBit or Babuk, followed by a ransom note demanding payment for a decryptor. By relying on custom-made malware and exploiting newly disclosed vulnerabilities, Head Mare poses a significant threat to organizations in the region.
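The double-extension lure mentioned above (a name such as `report.pdf.exe` that looks like a business document but ends in an executable extension) is easy to flag at the mail gateway or in a SIEM. The following Python is an added defender-side example, not code from the original report or from any Head Mare tooling; the extension lists and the sample attachment names are constructed for illustration, and the check is deliberately generic (any document-looking extension followed by an executable one, with padding spaces tolerated) rather than tied to a specific lure.

```python
"""Flag attachment names that use a double-extension decoy.

A decoy is a document-looking extension immediately followed by an
executable one (e.g. 'Invoice.pdf.exe'). Added example: extension lists
and sample names are constructed, not taken from the Head Mare report.
"""
from __future__ import annotations

import os

# Final extensions that Windows will run when double-clicked (assumed list, not exhaustive).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".ps1", ".msi", ".lnk", ".hta",
}

# Extensions that make a name look like an ordinary business document or image.
DOCUMENT_EXTS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".txt", ".rtf", ".jpg", ".jpeg", ".png",
}


def split_extensions(name: str) -> list[str]:
    """Return every dotted suffix of a filename, lower-cased and stripped.

    'Invoice_2024.PDF .exe' -> ['.pdf', '.exe']; 'backup.tar.gz' -> ['.tar', '.gz'].
    Whitespace around each part is stripped because lures often pad the
    decoy extension with spaces to push the real extension out of view.
    """
    base = os.path.basename(name)
    parts = base.split(".")
    # parts[0] is the stem; everything after it is an extension segment.
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def is_double_extension_decoy(name: str) -> bool:
    """True when the last extension is executable and the one before it
    looks like a document, i.e. the classic 'document.ext.exe' pattern."""
    exts = split_extensions(name)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def triage(attachments: list[str]) -> dict[str, list[str]]:
    """Partition attachment names into 'suspicious' and 'clean' buckets."""
    result: dict[str, list[str]] = {"suspicious": [], "clean": []}
    for name in attachments:
        bucket = "suspicious" if is_double_extension_decoy(name) else "clean"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample attachment names, not real indicators.
    sample = [
        "Contract_2024.pdf.exe",
        "Quarterly_report.docx .scr",
        "backup.tar.gz",
        "Invoice_2024.pdf",
        "notes.txt",
    ]
    for bucket, names in triage(sample).items():
        print(f"{bucket}: {names}")
```

In practice the suspicious bucket would feed a quarantine or alert rule; the check is intentionally narrow so that legitimate multi-part names such as `backup.tar.gz` do not trigger it.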