Head Mare: adventures of a unicorn in Russia and Belarus
Sept. 2, 2024, 9:54 p.m.
Description
Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like Sliver, Mimikatz, and ransomware variants LockBit and Babuk. The group's goal appears to be causing maximum damage to Russian and Belarusian organizations, though they also demand ransoms. Head Mare uses various techniques for persistence, detection evasion, credential harvesting, and network exploration. Their attacks have impacted government, transportation, energy, manufacturing, and entertainment sectors.
Date
- Created: Sept. 2, 2024, 8:52 p.m.
- Published: Sept. 2, 2024, 8:52 p.m.
- Modified: Sept. 2, 2024, 9:54 p.m.
Indicators
Attack Patterns
- Vasa Locker
- Babyk
- Babuk - S0638
- PhantomCore
- PhantomDL
- LockBit
- Head Mare
- T1490
- T1018
- T1547.001
- T1087
- T1021
- T1486
- T1016
- T1082
- T1057
- T1083
- T1036
- T1027
- T1053
- T1566
- T1078
- T1003
- T1059
- CVE-2023-38831
Additional Information
- Energy
- Transportation
- Government
- Manufacturing
- Belarus
- Russian Federation