Head Mare: adventures of a unicorn in Russia and Belarus
Sept. 2, 2024, 9:54 p.m.
Description
Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like Sliver, Mimikatz, and ransomware variants LockBit and Babuk. The group's goal appears to be causing maximum damage to Russian and Belarusian organizations, though they also demand ransoms. Head Mare uses various techniques for persistence, detection evasion, credential harvesting, and network exploration. Their attacks have impacted government, transportation, energy, manufacturing, and entertainment sectors.
Date
Published: Sept. 2, 2024, 8:52 p.m.
Created: Sept. 2, 2024, 8:52 p.m.
Modified: Sept. 2, 2024, 9:54 p.m.
Indicators
Attack Patterns
Vasa Locker
Babyk
Babuk - S0638
PhantomCore
PhantomDL
LockBit
Head Mare
T1490
T1018
T1547.001
T1087
T1021
T1486
T1016
T1082
T1057
T1083
T1036
T1027
T1053
T1566
T1078
T1003
T1059
CVE-2023-38831
Additional Information
Energy
Transportation
Government
Manufacturing
Belarus
Russian Federation