According to recent findings by Kaspersky, two known threat activity clusters, codenamed Head Mare and Twelve, have reportedly joined forces to target Russian entities.
Kaspersky reports that “Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents,” indicating potential collaboration and joint campaigns between the two groups.
Head Mare and Twelve were previously documented by Kaspersky in September 2024. Head Mare has been known to leverage a now-patched vulnerability in WinRAR (CVE-2023-38831) to gain initial access and deliver malware, and in some cases, even deploy ransomware families like LockBit for Windows and Babuk for Linux (ESXi) in exchange for a ransom.
On the other hand, Twelve has been observed staging destructive attacks, utilizing various publicly available tools to encrypt victims’ data and irreversibly destroy their infrastructure with a wiper to prevent recovery efforts.
Kaspersky’s latest analysis reveals that Head Mare has started using two new tools, including CobInt, a backdoor used by ExCobalt and Crypt Ghouls in attacks aimed at Russian firms in the past, as well as a bespoke implant named PhantomJitter that’s installed on servers for remote command execution.
The deployment of CobInt has also been observed in attacks mounted by Twelve, with overlaps uncovered between the hacking crew and Crypt Ghouls, indicating some kind of tactical connection between different groups currently targeting Russia.
Other initial access pathways exploited by Head Mare include the abuse of other known security flaws in Microsoft Exchange Server (e.g., CVE-2021-26855 aka ProxyLogon), as well as via phishing emails bearing rogue attachments and compromising contractors’ networks to infiltrate victim infrastructure, a technique known as the trusted relationship attack.
Kaspersky noted, “The attackers used ProxyLogon to execute a command to download and launch CobInt on the server,” highlighting the use of an updated persistence mechanism that eschews scheduled tasks in favor of creating new privileged local users on a business automation platform server.
The threat actors have been found to assign malicious payloads names that mimic benign operating system files and remove traces of their activity by clearing event logs. They also use proxy and tunneling tools like Gost and Cloudflared to conceal network traffic.
Some of the utilities used by the threat actors include:
- quser.exe, tasklist.exe, and netstat.exe for system reconnaissance
- fscan and SoftPerfect Network Scanner for local network reconnaissance
- ADRecon for gathering information from Active Directory
- Mimikatz, secretsdump, and ProcDump for credential harvesting
- RDP for lateral movement
- mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for remote host communication
- Rclone for data transfer
The attacks culminate with the deployment of LockBit 3.0 and Babuk ransomware on compromised hosts, followed by dropping a note that urges victims to contact them on Telegram for decrypting their files.
Kaspersky stated, “Head Mare is actively expanding its set of techniques and tools. In recent attacks, they gained initial access to the target infrastructure by not only using phishing emails with exploits but also by compromising contractors. Head Mare is working with Twelve to launch attacks on state- and privately-controlled companies in Russia.”
BI.ZONE recently linked the North Korea-linked threat actor known as ScarCruft to a phishing campaign in December 2024 that delivered a malware loader responsible for deploying an unknown payload from a remote server.
The activity closely resembles another campaign dubbed SHROUDED#SLEEP that Securonix documented in October 2024 as leading to the deployment of a backdoor referred to as VeilShell in intrusions targeting Cambodia and likely other Southeast Asian countries.
Last month, BI.ZONE also detailed continued cyber attacks staged by Bloody Wolf to deliver NetSupport RAT as part of a campaign that has compromised more than 400 systems in Kazakhstan and Russia, marking a shift from STRRAT.
