Head Mare and Twelve Collaborate to Attack Russian Entities

In September 2024, coordinated cyberattacks targeted several Russian firms, marking a significant shift in operational tactics linked to two notorious hacktivist groups: Head Mare and Twelve. Analysis indicates that Head Mare has adopted tools previously associated with Twelve, including command-and-control (C2) servers exclusive to Twelve, suggesting a collaborative approach in their hacking campaigns.

This report delves into the tactics, techniques, and procedures (TTPs) utilized by Head Mare during these attacks, examining their evolution and the overlapping methodologies with Twelve.

Comprehensive Toolkit of Head Mare

Head Mare utilizes a diverse set of tools, ranging from publicly available software to leaked proprietary tools, for their attacks. Notable instruments include:

  • mimikatz
  • ADRecon
  • secretsdump
  • ProcDump
  • Localtonet
  • Cloudflare tools (like cloudflared)
  • Ransomware variants such as LockBit 3.0 and Babuk

A notable addition is the CobInt backdoor, used for remote access to domain controllers. It was first seen in Twelve’s attacks, which hints at tool sharing between the two groups.

Evolution of Initial Access Strategies

Head Mare has refined its initial access tactics, shifting from traditional phishing emails to compromising contractors who have legitimate access to business automation platforms and remote desktop protocol (RDP) connections. This aligns with known tactics of exploiting trusted relationships (T1199 – Valid Accounts).

The group exploits software vulnerabilities, such as CVE-2023-38831 in WinRAR and CVE-2021-26855 (ProxyLogon), due to many organizations running outdated systems. Their use of ProxyLogon to execute commands to download and run CobInt demonstrates their adaptive approach in leveraging known vulnerabilities effectively.

Persistence and Anti-Detection Techniques

To maintain persistence, Head Mare creates privileged local user accounts instead of relying on scheduled tasks. They utilize tools like Localtonet, combined with the Non-Sucking Service Manager (NSSM), to run their tools as Windows services, enabling continuous access to compromised hosts.

Head Mare employs sophisticated anti-detection methods, including file masquerading (T1655). Executables are renamed to resemble legitimate system files, obscuring malicious activities from system monitoring tools. For example:

  • Cloud storage sync tool misnamed as wusa.exe
  • Malware named calc.exe residing in system directories

Such tactics complicate detection efforts and highlight the urgency for enhanced security measures.
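The persistence and masquerading behaviours described above (privileged local accounts, tools wrapped as services with NSSM, executables named like wusa.exe or calc.exe outside system directories) can be turned into simple host-telemetry checks. The following is an added example, not code from the report or from either group; it runs over constructed key=value event lines and assumes the default Windows install paths as the baseline for where those binaries legitimately live.

```python
import ntpath

# Assumption: default install locations for the watched binaries; adjust to your baseline.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_NAMES = {"wusa.exe", "calc.exe"}

def parse_event(line):
    """Parse a constructed 'key=value;key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)

def check_masquerade(ev):
    """Flag a process whose image borrows a system binary's name but runs elsewhere."""
    image = ev.get("Image", "").lower()
    name, folder = ntpath.basename(image), ntpath.dirname(image)
    if name in WATCHED_NAMES and folder not in SYSTEM_DIRS:
        return f"masquerade: {name} launched from {folder}"
    return None

def check_nssm_service(ev):
    """Flag a newly installed service whose binary is an NSSM wrapper."""
    if ev.get("EventID") != "7045":
        return None
    exe = ntpath.basename(ev.get("ImagePath", "").split(" ")[0].strip('"').lower())
    if exe == "nssm.exe":
        return f"nssm service: {ev.get('ServiceName')} -> {ev.get('ImagePath')}"
    return None

def check_local_admin(ev):
    """Flag a command line that adds an account to the local Administrators group."""
    cmd = ev.get("CommandLine", "").lower()
    if all(tok in cmd for tok in ("net", "localgroup", "administrators", "/add")):
        return f"local admin added: {ev.get('CommandLine')}"
    return None

CHECKS = (check_masquerade, check_nssm_service, check_local_admin)

def scan(lines):
    """Return every finding produced by the checks over an iterable of event lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        findings.extend(f for f in (check(ev) for check in CHECKS) if f)
    return findings

# Constructed sample events (not real telemetry), modelled on the behaviours above.
SAMPLE_EVENTS = [
    r"EventID=1;Image=C:\Windows\System32\calc.exe;CommandLine=calc.exe",
    r"EventID=1;Image=C:\ProgramData\calc.exe;CommandLine=calc.exe",
    r"EventID=1;Image=C:\Users\Public\wusa.exe;CommandLine=wusa.exe -sync",
    r"EventID=7045;ServiceName=UpdateSvc;ImagePath=C:\ProgramData\nssm.exe",
    r"EventID=7045;ServiceName=Spooler;ImagePath=C:\Windows\System32\spoolsv.exe",
    r"EventID=1;Image=C:\Windows\System32\net.exe;CommandLine=net localgroup administrators svc_backup /add",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints four findings: the two out-of-place binaries, the NSSM-wrapped service, and the local Administrators addition; the in-place calc.exe and the Spooler service are not flagged.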

Command and Control Dynamics

After infiltrating the business automation platform server, the attackers downloaded various backdoors, notably PhantomJitter, from specific URLs that connect back to their C2 servers. The connection to 360nvidia.com, indicative of shared infrastructure, emphasizes the intertwining operations of these groups.

Head Mare executed a custom PowerShell script, proxy.ps1, to facilitate the installation and configuration of tunneling tools to obscure their communications, further exhibiting their strategic prowess.

Conclusion: The Collective Threat of Head Mare and Twelve

The collaboration between Head Mare and Twelve poses a formidable threat to organizations, particularly in high-sensitivity sectors such as government and energy. Their evolving tactics necessitate continuous vigilance and adaptation by security professionals.

Organizations are urged to enhance their defenses through updated training, real-time monitoring, and by employing advanced threat detection solutions to mitigate the risks posed by these evolving cyber threats.

Indicators of Compromise

Hashes:


Notable domains and IP addresses:

Iulian Rotaru Freelance Penetration Tester | Ethical Hacker | Cybersecurity Researcher | Helping Businesses Stay Secure iumiro.com
