
Head Mare Intensifies Attacks On Russia With PhantomCore

Dec. 11, 2024, 11:04 a.m.

Description

The Head Mare hacktivist group has escalated its campaign against Russian targets using the PhantomCore backdoor. The lure is a deceptive ZIP archive containing a malicious LNK file and an executable disguised as an archive file; the LNK runs a PowerShell command that extracts and launches the executable, which deploys PhantomCore. The current backdoor is compiled from C++ and replaces the earlier Go versions; it uses the Boost.Beast library for its HTTP C&C communication, gathers victim information, and then awaits further commands from the C&C server. Head Mare's campaign spans various industries and may end in ransomware deployment, with LockBit and Babuk among the families used. The group's evolving tactics, and its ability to collect data and deploy additional payloads, make it an ongoing threat to Russian organizations.

Date

Published: Dec. 11, 2024, 2:51 a.m.

Created: Dec. 11, 2024, 2:51 a.m.

Modified: Dec. 11, 2024, 11:04 a.m.

Indicators

dd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f

9df6afb2afbd903289f3b4794be4768214c223a3024a90f954ae6d2bb093bea3

8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70

6ac2d57d066ef791b906c3b4c6b5e5c54081d6657af459115eb6abb1a9d1085d

57848d222cfbf05309d7684123128f9a2bffd173f48aa3217590f79612f4c773

44b1f97e1bbdd56afeb1efd477aa4e0ecaa79645032e44c7783f997f377d749f

2dccb526de9a17a07e39bdedc54fbd66288277f05fb45c7cba56f88df00e86a7

1a2d1654d8ff10f200c47015d96d2fcb1d4d40ee027beb55bb46199c11b810cc

0f578e437f5c09fb81059f4b5e6ee0b93cfc0cdf8b31a29abc8396b6137d10c3

4b62da75898d1f685b675e7cbaec24472eb7162474d2fd66f3678fb86322ef0a

c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647

45.87.245.53

45.10.247.152

185.80.91.84

http://45.87.245.53/command

http://45.87.245.53/connect

http://45.87.245.53/check

http://45.87.245.53/init

http://185.80.91.84/init

http://185.80.91.84/check

http://185.80.91.84/connect

http://185.80.91.84/command

http://45.10.247.152/command

http://45.10.247.152/connect

http://45.10.247.152/check

http://45.10.247.152/init

https://filetransfer.io/data-package/AiveGg6u/download

https://city-tuning.ru/collection/srvhost.exe

city-tuning.ru
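An IOC sweep over the indicators listed above, added here as an example and not part of this entry or of any vendor tooling. It buckets the hashes, C2 IPs, domain and URLs by type, matches a constructed proxy log and a constructed file-hash inventory against them, and additionally flags the beacon paths served by the listed C2 IPs (/init, /check, /connect, /command) when they appear on an unlisted host; treating those paths as reusable by a new PhantomCore C2 is an assumption, so such a hit is reported as a lead rather than a match. The log line format, the 10.20.x.x clients, the 198.51.100.7 host and the hash inventory are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the entry above; the code is an added example, not the advisory's.
IOC_TEXT = """\
dd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f
9df6afb2afbd903289f3b4794be4768214c223a3024a90f954ae6d2bb093bea3
8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70
6ac2d57d066ef791b906c3b4c6b5e5c54081d6657af459115eb6abb1a9d1085d
57848d222cfbf05309d7684123128f9a2bffd173f48aa3217590f79612f4c773
44b1f97e1bbdd56afeb1efd477aa4e0ecaa79645032e44c7783f997f377d749f
2dccb526de9a17a07e39bdedc54fbd66288277f05fb45c7cba56f88df00e86a7
1a2d1654d8ff10f200c47015d96d2fcb1d4d40ee027beb55bb46199c11b810cc
0f578e437f5c09fb81059f4b5e6ee0b93cfc0cdf8b31a29abc8396b6137d10c3
4b62da75898d1f685b675e7cbaec24472eb7162474d2fd66f3678fb86322ef0a
c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
45.87.245.53
45.10.247.152
185.80.91.84
http://45.87.245.53/command
http://45.87.245.53/connect
http://45.87.245.53/check
http://45.87.245.53/init
http://185.80.91.84/init
http://185.80.91.84/check
http://185.80.91.84/connect
http://185.80.91.84/command
http://45.10.247.152/command
http://45.10.247.152/connect
http://45.10.247.152/check
http://45.10.247.152/init
https://filetransfer.io/data-package/AiveGg6u/download
https://city-tuning.ru/collection/srvhost.exe
city-tuning.ru
"""
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")  # sufficient for a curated IOC list
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$")

def norm_url(u):
    """Lower-case scheme and host only; paths are case-sensitive (see the filetransfer.io URL)."""
    p = urlparse(u.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path}"

def load_iocs(text):
    """Bucket indicators by type and derive the beacon paths served by the listed C2 IPs."""
    iocs = {"sha256": set(), "ipv4": set(), "url": set(), "domain": set()}
    for s in (line.strip() for line in text.splitlines() if line.strip()):
        low = s.lower()
        if SHA256_RE.match(low):
            iocs["sha256"].add(low)
        elif low.startswith(("http://", "https://")):
            iocs["url"].add(norm_url(s))
        elif IPV4_RE.match(s):
            iocs["ipv4"].add(s)
        elif DOMAIN_RE.match(low):
            iocs["domain"].add(low)
    # Assumption: a new PhantomCore C2 reuses these paths, so a hit elsewhere is a lead, not a match.
    iocs["c2_paths"] = {urlparse(u).path for u in iocs["url"]
                        if urlparse(u).hostname in iocs["ipv4"]}
    return iocs

def check_url(url, iocs):
    """Return the strongest reason a requested URL matches the indicators, or None."""
    u = norm_url(url)
    p = urlparse(u)
    if u in iocs["url"]:
        return "exact C2/payload URL"
    if p.hostname in iocs["ipv4"] or p.hostname in iocs["domain"]:
        return "known C2/payload host"
    if p.path in iocs["c2_paths"]:
        return "PhantomCore-style C2 path on unlisted host (lead only)"
    return None

def scan_proxy_log(lines, iocs):
    """Scan constructed 'epoch client method url status' lines; return [(line_no, url, reason)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) >= 5 and (reason := check_url(parts[3], iocs)):
            hits.append((n, parts[3], reason))
    return hits

def scan_hashes(inventory, iocs):
    """inventory maps file path -> sha256; return the paths whose hash is a listed indicator."""
    return sorted(path for path, h in inventory.items() if h.lower() in iocs["sha256"])

# Constructed sample data (10.20.0.0/16 is private space, 198.51.100.7 is a documentation address).
SAMPLE_LOG = [
    "1733898000.101 10.20.1.15 GET http://45.87.245.53/init 200",
    "1733898001.220 10.20.1.15 GET https://www.example.com/index.html 200",
    "1733898005.004 10.20.1.33 GET https://city-tuning.ru/collection/srvhost.exe 200",
    "1733898010.900 10.20.1.15 POST http://198.51.100.7/command 200",
]
SAMPLE_HASHES = {
    r"C:\Users\u1\Downloads\srvhost.exe": "dd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}
```

Calling `scan_proxy_log(SAMPLE_LOG, load_iocs(IOC_TEXT))` returns hits for lines 1 and 3 as exact URL matches and for line 4 as a path-only lead; `scan_hashes(SAMPLE_HASHES, ...)` returns the downloaded srvhost.exe path. Exact URL and host matches are the confirmed detections; the path heuristic exists because the three listed C2 servers expose the same four endpoints, and it should be tuned against your own proxy baseline before alerting on it.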

Attack Patterns

Vasa Locker

Babyk

Babuk - S0638

PhantomCore

LockBit

Head Mare

T1059.003

T1059.001

T1071.001

T1106

T1082

T1566

CVE-2023-38831

Additional Information

Entertainment

Energy

Transportation

Government

Manufacturing

Belarus

Russian Federation