Summary:
Cyble Research and Intelligence Labs (CRIL) has uncovered a campaign by the hacktivist group Head Mare targeting Russian organizations using the PhantomCore backdoor. This campaign employs social engineering tactics and a ZIP archive containing a malicious LNK file and an executable disguised as an archive. PhantomCore, now compiled in C++, collects victim information and can deploy ransomware payloads. Organizations are urged to enhance their security measures against such threats.
#HeadMare #PhantomCore #CyberThreats
Keypoints:
CRIL identified a campaign by the Head Mare group targeting Russian organizations.
The campaign uses a ZIP archive containing a malicious LNK file and an executable disguised as an archive.
PhantomCore is a backdoor used by Head Mare, active since 2023.
The latest campaign employs C++-compiled PhantomCore binaries instead of GoLang-compiled ones.
PhantomCore collects victim information, including public IP addresses, before executing further commands.
Head Mare has a history of deploying ransomware like LockBit and Babuk.
The group exploits vulnerabilities, such as CVE-2023-38831 in WinRAR, for initial access.
Targets include various industries in Russia and Belarus, with a focus on causing damage rather than financial gain.
Recommendations include avoiding suspicious email attachments and ensuring software is up to date.
MITRE Techniques:
Phishing (T1566): The ZIP archives are likely delivered to targeted users through phishing emails.
Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell is used to extract the archive file.
Windows Command Shell (T1059.003): cmd.exe is used to execute commands through a pipe, including the start command.
Native API (T1106): SetConsoleCP, SetConsoleOutputCP, and other Win32 APIs are called to configure the console locale.
System Information Discovery (T1082): Collects victim details, including OS version, computer name, username, and domain details.
Application Layer Protocol: Web Protocols (T1071.001): Communicates with the C&C server over HTTP using the “Boost.Beast” library.
IoC:
[SHA-256] 6ac2d57d066ef791b906c3b4c6b5e5c54081d6657af459115eb6abb1a9d1085d
[SHA-256] 0f578e437f5c09fb81059f4b5e6ee0b93cfc0cdf8b31a29abc8396b6137d10c3
[SHA-256] dd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f
[SHA-256] 57848d222cfbf05309d7684123128f9a2bffd173f48aa3217590f79612f4c773
[SHA-256] 4b62da75898d1f685b675e7cbaec24472eb7162474d2fd66f3678fb86322ef0a
[SHA-256] 44b1f97e1bbdd56afeb1efd477aa4e0ecaa79645032e44c7783f997f377d749f
[SHA-256] 2dccb526de9a17a07e39bdedc54fbd66288277f05fb45c7cba56f88df00e86a7
[SHA-256] 1a2d1654d8ff10f200c47015d96d2fcb1d4d40ee027beb55bb46199c11b810cc
[SHA-256] 8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70
[SHA-256] 9df6afb2afbd903289f3b4794be4768214c223a3024a90f954ae6d2bb093bea3
[URL] hxxps://city-tuning[.]ru/collection/srvhost.exe
[URL] hxxps://filetransfer[.]io/data-package/AiveGg6u/download
[URL] hxxp://45.10.247[.]152/init
[URL] hxxp://45.10.247[.]152/check
[URL] hxxp://45.10.247[.]152/connect
[URL] hxxp://45.10.247[.]152/command
[URL] hxxp://185.80.91[.]84/command
[URL] hxxp://185.80.91[.]84/connect
[URL] hxxp://185.80.91[.]84/check
[URL] hxxp://185.80.91[.]84/init
[URL] hxxp://45.87.245[.]53/init
[URL] hxxp://45.87.245[.]53/check
[URL] hxxp://45.87.245[.]53/connect
[URL] hxxp://45.87.245[.]53/command
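The indicators above are published defanged (hxxp, [.]), so they cannot be matched against traffic as-is. The following is an added example, not Cyble's code, showing how a defender would refang the URL indicators from this list, derive exact-URL and host sets from them, and run constructed proxy log lines through three tiers of matching: exact URL, known host, and a weaker hunting heuristic for the /init, /check, /connect and /command endpoint paths requested from a bare IP over plain HTTP, which goes beyond the listed servers and therefore needs triage. The log format, the sample lines, the timestamps and the 203.0.113.7 address are all constructed for the demonstration.

```python
import re
from ipaddress import ip_address

# Indicators copied verbatim (still defanged) from the IoC list above.
DEFANGED_URLS = [
    "hxxps://city-tuning[.]ru/collection/srvhost.exe",
    "hxxps://filetransfer[.]io/data-package/AiveGg6u/download",
    "hxxp://45.10.247[.]152/init",
    "hxxp://45.10.247[.]152/check",
    "hxxp://45.10.247[.]152/connect",
    "hxxp://45.10.247[.]152/command",
    "hxxp://185.80.91[.]84/command",
    "hxxp://185.80.91[.]84/connect",
    "hxxp://185.80.91[.]84/check",
    "hxxp://185.80.91[.]84/init",
    "hxxp://45.87.245[.]53/init",
    "hxxp://45.87.245[.]53/check",
    "hxxp://45.87.245[.]53/connect",
    "hxxp://45.87.245[.]53/command",
]

# SHA-256 hashes of the samples from the IoC list above.
KNOWN_HASHES = {
    "6ac2d57d066ef791b906c3b4c6b5e5c54081d6657af459115eb6abb1a9d1085d",
    "0f578e437f5c09fb81059f4b5e6ee0b93cfc0cdf8b31a29abc8396b6137d10c3",
    "dd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f",
    "57848d222cfbf05309d7684123128f9a2bffd173f48aa3217590f79612f4c773",
    "4b62da75898d1f685b675e7cbaec24472eb7162474d2fd66f3678fb86322ef0a",
    "44b1f97e1bbdd56afeb1efd477aa4e0ecaa79645032e44c7783f997f377d749f",
    "2dccb526de9a17a07e39bdedc54fbd66288277f05fb45c7cba56f88df00e86a7",
    "1a2d1654d8ff10f200c47015d96d2fcb1d4d40ee027beb55bb46199c11b810cc",
    "8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70",
    "9df6afb2afbd903289f3b4794be4768214c223a3024a90f954ae6d2bb093bea3",
}

# The four endpoint paths the listed C2 servers expose, per the IoC list.
C2_PATHS = {"/init", "/check", "/connect", "/command"}


def refang(ioc):
    """Reverse the hxxp:// and [.] defanging so the string matches real traffic."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def build_indicator_sets(defanged_urls):
    """Return (exact URL set, host set) derived from the defanged list."""
    urls = {refang(u) for u in defanged_urls}
    hosts = {re.match(r"https?://([^/]+)", u).group(1) for u in urls}
    return urls, hosts


def is_bare_ip(host):
    """True when the host component is a literal IP address rather than a hostname."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def is_known_sample(sha256_hex):
    """Case-insensitive lookup of a file hash against the published sample hashes."""
    return sha256_hex.strip().lower() in KNOWN_HASHES


# Constructed (hypothetical) proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/?#]+)([^?#]*)")


def scan_proxy_logs(lines, urls, hosts):
    """Return (timestamp, client, url, reason) for each log line matching an indicator.

    Tiers, strongest first: exact URL, known malicious host, and a hunting
    heuristic (a listed C2 endpoint path requested from a bare IP over plain
    HTTP) that also fires on hosts not in the list and so needs analyst triage.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the constructed format; skip it
        ts, client, _method, url, _status = m.groups()
        um = URL_RE.match(url)
        if not um:
            continue
        host, path = um.group(1), um.group(2) or "/"
        if url in urls:
            hits.append((ts, client, url, "exact-url"))
        elif host in hosts:
            hits.append((ts, client, url, "known-host"))
        elif url.startswith("http://") and is_bare_ip(host) and path in C2_PATHS:
            hits.append((ts, client, url, "c2-path-on-bare-ip"))
    return hits


# Constructed sample log lines; 203.0.113.7 is documentation address space, not an IoC.
SAMPLE_LOGS = [
    "2025-01-10T09:12:01Z 10.0.0.15 GET https://city-tuning.ru/collection/srvhost.exe 200",
    "2025-01-10T09:12:05Z 10.0.0.15 POST http://45.10.247.152/init 200",
    "2025-01-10T09:13:00Z 10.0.0.22 GET http://185.80.91.84/static/logo.png 404",
    "2025-01-10T09:14:00Z 10.0.0.31 POST http://203.0.113.7/connect 200",
    "2025-01-10T09:15:00Z 10.0.0.40 GET https://example.com/check 200",
    "2025-01-10T09:16:00Z 10.0.0.40 GET https://www.example.org/ 200",
]


def run_demo():
    """Scan the constructed sample logs with the indicator sets built from the list."""
    urls, hosts = build_indicator_sets(DEFANGED_URLS)
    return scan_proxy_logs(SAMPLE_LOGS, urls, hosts)


if __name__ == "__main__":
    for hit in run_demo():
        print(*hit)
```

On the sample lines the script reports the srvhost.exe download and the /init request as exact matches, the unrelated 404 on 185.80.91.84 as a known-host match, and the /connect request to the unlisted bare IP only under the weaker heuristic; the /check request to a hostname is deliberately not flagged, since the heuristic is restricted to bare-IP HTTP to keep its false-positive rate usable.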
Full Research: https://cyble.com/blog/head-mare-deploys-phantomcore-against-russia/