The activist group Head Mare has utilized a flaw in WinRAR to breach and lock systems operating on Windows and Linux.
Operating since the early stages of the Russo-Ukrainian strife, this faction has primarily aimed at establishments in Russia and Belarus. Their strategies are marked by advanced methods that target causing extensive disruptions.
The Flaw: CVE-2023-38831
Per the Secure List report, the flaw exploited by Head Mare, known as CVE-2023-38831, is found in WinRAR, a widely used file compression tool.
This loophole enables malicious actors to run unauthorized code on a target’s system via crafted archive files. By leveraging this flaw, Head Mare can more efficiently distribute and disguise its harmful payloads.
How the Exploit Functions
Upon opening what appears to be a legitimate document within a compromised archive, the malevolent code is triggered, giving attackers entry to the system.
Verdicts with which our products detect PhantomDL samples: the malware is recognized, among other things, as an exploit for CVE-2023-38831
This tactic poses a risk as it relies on user engagement, making it challenging to discover through conventional security measures.
Head Mare’s Strategies and Instruments
Contrary to many activist groups, Head Mare utilizes a blend of publicly accessible software and tailor-made malware.
Their collection includes:
- LockBit and Babuk Ransomware: Employed for file encryption and ransom requests.
- PhantomDL and PhantomCore: Personalized malware for initial entry and exploitation.
- Sliver: An open-source command and control (C2) platform for administrating compromised systems.
Initial Entry and Endurance
Head Mare gains initial entry through phishing maneuvers, disseminating malevolent archives that exploit the WinRAR vulnerability. Once inside, they use diverse techniques to sustain presence, such as adding entries to the Windows registry and creating scheduled tasks.
Head Mare’s strikes have impacted assorted
industries, encompassing government bodies, transport, energy, manufacturing, and entertainment. Their primary aim seems to be disrupting systems and demanding ransoms rather than purely seeking financial gain.
The group showcases a public profile on social platforms, where it occasionally discloses info about its victims.
Differing from some activist groups, Head Mare also insists on ransoms for decrypting data, incorporating a monetary angle to its politically inspired offensives.
Examination of Assault Infrastructure
Head Mare’s advanced infrastructure deploys VPS/VDS servers as C2 focal points. They employ tools like ngrok and rsockstun for maneuvering, enabling traversal through private networks using compromised machines as intermediaries.
The faction’s C2 servers host a range of utilities utilized in various phases of their incursions. These encompass PHP shells for executing commands and PowerShell scripts for privileges escalation.
Head Mare employs numerous tactics to avert detection, like camouflaging their malware as legitimate software.
For instance, they rename ransomware samples to resemble applications such as OneDrive and VLC and position them in typical system directories.
Deception and Camouflage
The malware samples are commonly obscured using tools like Garble, heightening their difficulty in detection and analysis. Also, the group employs double extensions in phishing endeavors, concealing malevolent files as innocent documents.
The exploits of Head Mare underscore the evolving landscape of cyber risks amidst geopolitical clashes.
By exploiting vulnerabilities like CVE-2023-38831, they exhibit a sophisticated grasp of the technical and psychological aspects of cyber warfare.
Establishments in Russia and Belarus should give priority to resolving vulnerabilities like CVE-2023-38831 and boost their ability to detect phishing attempts.
Frequent security assessments and staff training on identifying phishing endeavors can also aid in lowering the susceptibility to such assaults.
As activist groups continue to refine their maneuvers, the significance of robust cybersecurity protocols cannot be overstressed.
The instance of Head Mare serves as a reminder of the intricate relationship between technology and global politics, where digital resources morph into weapons in larger confrontations.
The post Activist Group Leverages WinRAR Flaw to Lock Windows & Linux appeared first on Cyber Security News.