Manufacturing, government, transportation, environment, and energy organizations in Russia and Belarus have been subjected to phishing attacks by the hacktivist operation Head Mare since last year, The Hacker News reports.
After obtaining initial network access through exploitation of a VMware vulnerability, tracked as CVE-2023-38831, Head Mare deploys the PhantomDL and PhantomCore backdoors, which are used to deliver additional payloads, according to a Kaspersky analysis. Aside from establishing scheduled tasks and registry values to conceal malicious activity, the attackers also leveraged the open-source command-and-control framework Sliver and the Mimikatz, ngrok, and rsockstun tools for credential harvesting, lateral movement, and network discovery before ultimately launching the LockBit and Babuk ransomware strains against Windows and Linux systems, respectively, Kaspersky researchers said. "The tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict," the researchers said.