
Kaspersky's new findings indicate that two known threat activity clusters, codenamed Head Mare and Twelve, have likely joined forces to target Russian entities.
"Head Mare previously relied heavily on tools associated with Twelve. Furthermore, the Head Mare attacks utilized a command-and-control (C2) server linked to Twelve before these incidents," the company said. "This suggests potential collaboration and joint campaigns between the two groups."
Both Head Mare and Twelve were previously documented by Kaspersky in September 2024. The former was observed exploiting a now-patched vulnerability in WinRAR (CVE-2023-38831) to obtain initial access, deliver malware and, in some cases, deploy ransomware.
Twelve, meanwhile, has been observed staging destructive attacks, using a variety of publicly available tools to encrypt victim data and irreversibly destroy infrastructure with wipers, preventing recovery efforts.

According to Kaspersky's latest analysis, Head Mare has used two new tools: CobInt, a backdoor previously used by ExCobalt and Crypt Ghouls in attacks targeting Russian companies, and an implant named PhantomJitter, which is installed on a server to execute remote commands.
CobInt has also been observed in attacks by Twelve, and overlaps have been found between that hacking crew and Crypt Ghouls, indicating some tactical connection between the different groups currently targeting Russia.
Other initial access routes used by Head Mare include the abuse of other known security flaws in Microsoft Exchange Server (e.g. CVE-2021-26855, also known as ProxyLogon), phishing emails carrying malicious attachments, and the compromise of contractors whose networks are then used to reach the victim's infrastructure.

"Attackers use ProxyLogon to run commands to download and launch CobInt on the server," Kaspersky said, highlighting an updated persistence mechanism that avoids scheduled tasks in favor of creating new privileged local users on the business automation platform server. Those accounts are then used to connect to the server via RDP and interactively transfer and run the attackers' tools.
In addition to giving malicious payloads names that mimic benign operating system files (for example, calc.exe or winuac.exe), the threat actors are known to clear the event log to remove traces of their activity, and to use proxy and tunneling tools such as GOST and cloudflared to hide network traffic.
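The persistence and anti-forensics pattern above (a freshly created local account promoted to Administrators and then used over RDP, payloads named after system binaries but launched from elsewhere, and the Security log being cleared) is something a defender can hunt for in the Windows Security log. The following is an added example, not code from Kaspersky's report or from the groups' tooling: a small Python detector run over constructed sample events. The event IDs (4720, 4732, 4624 logon type 10, 4688, 1102) and the Administrators group SID are real Windows values; the record field names and the sample data are assumptions made for this illustration.

```python
"""Detection over constructed Windows Security event records (added example,
not from the report). Flags a new local account added to Administrators and
then used for an RDP logon, system-binary names launched from outside the
Windows system directories, and clearing of the Security event log."""

ADMINS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Binary names the report says payloads imitated, plus one common lookalike target.
MASQUERADE_NAMES = {"calc.exe", "winuac.exe", "svchost.exe"}

# Constructed sample events; field names are a simplified, assumed schema.
# For 4720/4732/4624 "user" is the target/member/logon account.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:00", "id": 4688, "user": "svc_backup",
     "image": "C:\\Windows\\System32\\calc.exe"},                 # legitimate calc.exe
    {"time": "2025-01-10T09:01:00", "id": 4720, "user": "support1"},  # account created
    {"time": "2025-01-10T09:01:30", "id": 4732, "user": "support1",
     "group_sid": ADMINS_SID},                                        # added to Administrators
    {"time": "2025-01-10T09:05:00", "id": 4624, "user": "support1",
     "logon_type": 10, "src_ip": "203.0.113.7"},                      # RDP (RemoteInteractive) logon
    {"time": "2025-01-10T09:06:00", "id": 4688, "user": "support1",
     "image": "C:\\Users\\Public\\calc.exe"},                         # masquerading payload
    {"time": "2025-01-10T09:07:00", "id": 4624, "user": "it_admin",
     "logon_type": 10, "src_ip": "10.0.0.5"},                         # pre-existing admin, benign
    {"time": "2025-01-10T09:30:00", "id": 1102, "user": "support1"},  # Security log cleared
]


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, detail) tuples for suspicious activity.

    Events are processed in time order so that the account-creation,
    group-add and RDP-logon steps are correlated as a sequence rather
    than alerting on every RDP logon.
    """
    findings = []
    created = set()     # accounts created within the analysed window
    new_admins = set()  # subset of created accounts later added to Administrators
    for e in sorted(events, key=lambda ev: ev["time"]):
        eid, user = e["id"], e.get("user", "").lower()
        if eid == 4720:
            created.add(user)
        elif eid == 4732 and e.get("group_sid") == ADMINS_SID and user in created:
            new_admins.add(user)
            findings.append(("new_local_admin", user))
        elif eid == 4624 and e.get("logon_type") == 10 and user in new_admins:
            findings.append(("rdp_logon_new_admin", f"{user} from {e.get('src_ip')}"))
        elif eid == 4688:
            image = e["image"]
            # A system-binary name is only suspicious outside the system directories.
            if _basename(image) in MASQUERADE_NAMES and not image.lower().startswith(SYSTEM_DIRS):
                findings.append(("masquerading_binary", image))
        elif eid == 1102:
            findings.append(("security_log_cleared", user))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run as-is it reports four findings for the sample data: the new local admin, the RDP logon by that account, the calc.exe launched from C:\Users\Public, and the log clearing. The legitimate calc.exe from System32 and the RDP logon by a pre-existing administrator are deliberately not flagged; in production the correlation window and the list of imitated binary names would be tuned to the environment.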
Some of the other utilities used are:
- quser.exe, tasklist.exe, and netstat.exe for system reconnaissance
- fscan and SoftPerfect Network Scanner for network scanning
- a tool for collecting Active Directory information
- Mimikatz, secretsdump, and ProcDump for credential harvesting
- RDP for remote access to hosts
- a data transfer utility
The attacks culminate in the deployment of LockBit 3.0 and Babuk ransomware on the compromised host, followed by a ransom note urging the victim to contact the attackers via Telegram to decrypt their files.
"Head Mare is actively expanding its set of techniques and tools," Kaspersky said. "In recent attacks, they gained initial access to target infrastructure by compromising contractors as well as by using phishing emails with exploits. Head Mare is working with Twelve to launch attacks on Russian state and private companies."

The development comes as BI.ZONE linked the North Korea-related threat actor known as ScarCruft (aka APT37, Ricochet Chollima, and Squid Werewolf) to a phishing campaign in December 2024 that delivered a malware loader which deploys unknown payloads from remote servers.
The activity closely resembles another campaign, codenamed SHROUDED#SLEEP, documented by Securonix in October 2024, which led to the deployment of a backdoor called VeilShell in intrusions targeting Cambodia and possibly other Southeast Asian countries.
Last month, BI.ZONE also detailed ongoing cyberattacks staged by Bloody Wolf delivering NetSupport RAT as part of a campaign that compromised more than 400 systems in Kazakhstan and Russia, marking its transition away from STRRAT.