Two identified menace exercise clusters codenamed Head Mare and Twelve have seemingly joined forces to focus on Russian entities, new findings from Kaspersky reveal.
“Head Mare relied closely on instruments beforehand related to Twelve. Moreover, Head Mare assaults utilized command-and-control (C2) servers completely linked to Twelve prior to those incidents,” the corporate mentioned. “This implies potential collaboration and joint campaigns between the 2 teams.”
Each Head Mare and Twelve had been beforehand documented by Kaspersky in September 2024, with the previous leveraging a now-patched vulnerability in WinRAR (CVE-2023-38831) to acquire preliminary entry and ship malware and in some circumstances, even deploy ransomware households like LockBit for Home windows and Babuk for Linux (ESXi) in change for a ransom.
Twelve, then again, has been noticed staging damaging assaults, benefiting from varied publicly out there instruments to encrypt victims’ knowledge and irrevocably destroy their infrastructure with a wiper to forestall restoration efforts.
Kaspersky’s newest evaluation exhibits Head Mare’s use of two new instruments, together with CobInt, a backdoor utilized by ExCobalt and Crypt Ghouls in assaults aimed toward Russian corporations up to now, in addition to a bespoke implant named PhantomJitter that is put in on servers for distant command execution.
The deployment of CobInt has additionally been noticed in assaults mounted by Twelve, with overlaps uncovered between the hacking crew and Crypt Ghouls, indicating some form of tactical connection between completely different teams at the moment concentrating on Russia.
Different preliminary entry pathways exploited by Head Mare embody the abuse of different identified safety flaws in Microsoft Trade Server (e.g., CVE-2021-26855 aka ProxyLogon), in addition to by way of phishing emails bearing rogue attachments and compromising contractors’ networks to infiltrate sufferer infrastructure, a way generally known as the trusted relationship assault.
“The attackers used ProxyLogon to execute a command to obtain and launch CobInt on the server,” Kaspersky mentioned, highlighting using an up to date persistence mechanism that eschews scheduled duties in favor of making new privileged native customers on a enterprise automation platform server. These accounts are then used to connect with the server by way of RDP to switch and execute instruments interactively.
In addition to assigning the malicious payloads names that mimic benign working system recordsdata (e.g., calc.exe or winuac.exe), the menace actors have been discovered to take away traces of their exercise by clearing occasion logs and use proxy and tunneling instruments like Gost and Cloudflared to hide community site visitors.
Among the different utilities used are –
- quser.exe, tasklist.exe, and netstat.exe for system reconnaissance
- fscan and SoftPerfect Community Scanner for native community reconnaissance
- ADRecon for gathering data from Energetic Listing
- Mimikatz, secretsdump, and ProcDump for credential harvesting
- RDP for lateral motion
- mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for distant host communication
- Rclone for knowledge switch
The assaults culminate with the deployment of LockBit 3.0 and Babuk ransomware on compromised hosts, adopted by dropping a notice that urges victims to contact them on Telegram for decrypting their recordsdata.
“Head Mare is actively increasing its set of methods and instruments,” Kaspersky mentioned. “In latest assaults, they gained preliminary entry to the goal infrastructure by not solely utilizing phishing emails with exploits but additionally by compromising contractors. Head Mare is working with Twelve to launch assaults on state- and privately-controlled firms in Russia.”
The event comes as BI.ZONE linked the North Korea-linked menace actor generally known as ScarCruft (aka APT37, Reaper, Ricochet Chollima, and Squid Werewolf) to a phishing marketing campaign directed in opposition to an unnamed Russian industrial entity in December 2024 that delivered a malware loader accountable for deploying an unknown payload from a distant server.
The exercise, the Russian firm mentioned, carefully resembles one other marketing campaign dubbed SHROUDED#SLEEP that Securonix documented in October 2024 as resulting in the deployment of a backdoor known as VeilShell in intrusions concentrating on Cambodia and sure different Southeast Asian nations.
Final month, BI.ZONE additionally detailed continued cyber assaults staged by Bloody Wolf to ship NetSupport RAT as a part of a marketing campaign that has compromised greater than 400 techniques in Kazakhstan and Russia, marking a shift from STRRAT.