Cyble researchers have detected a new campaign targeting Russia by the hacktivist group Head Mare that uses a disguised LNK file to hide an executable.
The campaign is also noteworthy for its ability to download additional payloads – including ransomware – and escalate a compromise via specific commands and payloads, Cyble Research and Intelligence Labs (CRIL) researchers wrote in a blog post published today.
“The group’s ability to collect victim data and deploy additional payloads, including ransomware, highlights the ongoing threat it poses,” the Cyble researchers said.
Head Mare Emerges from War with Ukraine
Head Mare emerged following Russia’s invasion of Ukraine as one of “numerous hacktivist groups whose main goal is often not financial gain but causing as much damage as possible to companies on the opposing side of the conflict.,” Kaspersky researchers wrote in a blog post earlier this year.
Head Mare maintains a presence on X where it discusses its exploits.
The group’s latest campaign uses a ZIP archive that contains both a malicious LNK file and an executable. “The executable is cleverly disguised as an archive file to deceive users and facilitate its malicious operations,” Cyble said.
The LNK file contains commands to extract and execute the PhantomCore backdoor, which has switched from Golang to C++-compiled binaries and also includes the Boost.Beast library to communicate with the command-and-control (C&C) server.
PhantomCore collects the victim’s information before deploying payloads – which often includes LockBit and Babuk ransomware – or executing additional commands on the compromised system.
Head Mare has targeted Russia and Belarus by exploiting vulnerabilities such as the CVE-2023-38831 WinRAR vulnerability for initial access and to deliver malicious payloads. The group differs from other hacktivists in that it often demands a ransom from victims.
Also read: New Russian Threat Group Z-Pentest Targets Energy System Controls
Head Mare’s Latest Campaign
In the latest campaign, Cyble discovered a ZIP archive named “Doc.Zip” that contained a malicious LNK file, an executable camouflaged as a “.zip” file extension (“Doc.zip”) that was identified as PhantomCore, and a corrupted lure PDF.
The ZIP archive “Doc.zip,” downloaded from the file-sharing website filetransfer[.]io/data-package/AiveGg6u/download, “is suspected to have been delivered to the victim via a spam email,” Cyble said, likely with a social engineering theme designed to appear legitimate. All the files within the archive are in Russian, Cyble noted.
Upon execution, the LNK file executes a PowerShell command that extracts the “Doc.Zip” archive into the “C:/ProgramData” directory and executes the file “Doc.zip” using cmd.exe.
After executing, the Doc.zip file sets both the input and output code pages to OEM Russian (Cyrillic) using the SetConsoleCP and SetConsoleOutputCP Win32 APIs. It also sets the locale language of the victim machine to “ru_RU.UTF-8” to configure the system to use the Russian locale with UTF-8 encoding, Cyble said.
The malware then attempts to connect to the C&C server at 45.10.247[.]152 using the User-Agent string “Boost.Beast/353”. After a successful connection is established, the malware gathers the victim’s information, such as the public IP address, Windows version, username, and other details, and sends them to a C&C server to await further instructions.
“Moreover, the TA can execute commands on the victim’s machine and download additional payloads from the C&C server,” Cyble said. “This enables them to escalate the compromise, conduct further malicious activities, or expand the attack by deploying specific commands and payloads.”
The full Cyble blog contains MITRE ATT&CK techniques and 24 Indicators of Compromise (IoCs), and the researchers also shared Yara and Sigma rules on GitHub to detect the campaign.
