Hacktivists target Russian organizations using WinRAR vulnerability

The group disguised its activity as tasks related to Microsoft software

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Analysis has revealed that hacking group ‘Head Mare’ exclusively targets companies in Russia and Belarus. The group is part of a trend of cyber organizations which have emerged in the context of the Russian war in Ukraine, and who seem to be focused on inflicting the most damage, rather than financial incentives.

Head Mare are reported to be using the most up to date initial access techniques when compared to other groups. The organization is said to have carried out attacks on nine victims across various industries, such as government agencies, energy, transportation, manufacturing, and entertainment.

The group used X (formerly Twitter) to post the details of the data stolen from its victims - along with organization names, administrative codes, and screenshots of desktops. Ostensibly, the intention of the group was to cause maximum damage, but it did also demand a ransom for data encryption.

The toolkit

To gain initial access, investigators found that Head Mare used malicious PhantomDL and PhantomCore samples. A phishing campaign was sent out which, when opened by the user, also opened the disguised document, triggering the execution of the malicious file. The group exploits the well knownCVE-2023-38831 vulnerability in WinRAR, used to hide malware in archived files.

The custom made malware PhantomCore and PhantomDL is used to infiltrate the device of the target. The hackers encrypt the devices with Lockbit or Babuk, and deliver a ransom for the data encryption.

This campaign is one among many, as the digital sphere has served as the arena for a large portion of Russia’s war in Ukraine, with Ukrainian allieshit with cyber attacksfrom Russian backed threat actors, as well as targets in Ukraine itself.

ViaSecureList

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

More from TechRadar Pro

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

AMD just outsold Intel in the data center space for the first time ever

The UK government wants to help businesses make trustworthy AI products

Apple MacBook Pro 14-inch M4 (2024) review: one of the best Pro laptops around just got better