Head Mare: adventures of a unicorn in Russia and Belarus

Sept. 2, 2024, 9:54 p.m.

Description

Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like Sliver, Mimikatz, and ransomware variants LockBit and Babuk. The group's goal appears to be causing maximum damage to Russian and Belarusian organizations, though they also demand ransoms. Head Mare uses various techniques for persistence, detection evasion, credential harvesting, and network exploration. Their attacks have impacted government, transportation, energy, manufacturing, and entertainment sectors.

Date

Published: Sept. 2, 2024, 8:52 p.m.

Created: Sept. 2, 2024, 8:52 p.m.

Modified: Sept. 2, 2024, 9:54 p.m.

Indicators


Attack Patterns

Vasa Locker

Babyk

Babuk - S0638

PhantomCore

PhantomDL

LockBit

Head Mare

T1490

T1018

T1547.001

T1087

T1021

T1486

T1016

T1082

T1057

T1083

T1036

T1027

T1053

T1566

T1078

T1003

T1059

CVE-2023-38831

Additional Information

Energy

Transportation

Government

Manufacturing

Belarus

Russian Federation