Home Hacks Head Mar Hacker Group Exploit CVE-2023-38831 Vulnerability in WinRAR

Head Mar Hacker Group Exploit CVE-2023-38831 Vulnerability in WinRAR

0
Head Mar Hacker Group Exploit CVE-2023-38831 Vulnerability in WinRAR

Head Mare, a hacktivist group targeting Russia and Belarus, leverages the WinRAR vulnerability CVE-2023-38831 to deliver malicious payloads, bypassing traditional defenses. 

The group, active on social media, claims responsibility for attacks on various sectors, including government, transport, energy, and production. 

Unlike other hacktivists focused solely on disruption, Head Mare also demands ransom for encrypted data, combining destructive and financially motivated tactics. 

Publication of hacktivist Head Mare on the social network X

Head Mare employs a primarily publicly available toolkit, including LockBit, Babuk, Sliver, and Mimikatz, leveraging the custom malware PhantomDL and PhantomCore for initial access, which are delivered via phishing emails containing WinRAR archives exploiting CVE-2023-38831. 

Once executed, PhantomDL and PhantomCore establish C2 communication and gather system information, including domain membership, using methods like cmd.exe and WinAPI functions.

PhantomDL Call to C2

Head Mare employs sophisticated persistence and evasion tactics.

Attackers leveraged PhantomCore to establish persistent system access through registry manipulation and scheduler task creation, often disguising malicious executables as legitimate system processes like svchost.exe. 

By mimicking legitimate software names and locations and obfuscating malware with Garble, the threat actors aimed to bypass detection, while phishing campaigns delivered obfuscated PhantomDL and PhantomCore payloads disguised as business documents with double extensions to deceive victims. 

Connecting PhantomCore to C2

They leverage the open-source Sliver C2 framework to maintain persistent control over compromised systems by executing commands, stealing data, and establishing covert communication channels by deploying obfuscated Sliver implants and utilizing VPS servers as command-and-control infrastructure. 

Additionally, attackers employ a toolkit including PowerShell scripts for privilege escalation, remote access tools like Meterpreter, and PHP shells to expand their capabilities, which facilitates a broad range of malicious activities. 

Contents of one of the C2 server directories

The attackers leverage rsockstun and ngrok to create covert communication channels, bypassing network restrictions, while rsockstun establishes encrypted SOCKS5 tunnels through proxies, enabling remote access and data exfiltration. 

By compromising a system, attackers employ tools like cmd, arp, and PowerShell to gather domain information, map network topology, and identify potential persistence mechanisms such as scheduled tasks, facilitating lateral movement and control within the network. 

The Head Mare attackers employed a multi-stage approach to compromise systems and encrypt data. Initially, Mimikatz and XenAllPasswordPro were used to harvest credentials from compromised machines. 

Babuk Sample Ransom Note

Subsequently, LockBit ransomware targeted Windows systems, while a custom-built 64-bit Babuk variant equipped with virtual machine destruction capabilities and encrypted ESXi environments leveraged standard Babuk encryption algorithms and file extensions.  

The analysis by Secure List indicates that the Head Mare group used a publicly leaked LockBit builder to create identical ransomware variants, deploying them under various names and encrypting files in multiple passes. 

The group also utilized custom malware, PhantomDL and PhantomCore, along with a recently exploited vulnerability for initial access that aligns with those of other Russian and Belarusian cybercrime groups, though the use of homegrown malware distinguishes Head Mare.

Also Read:

NO COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here