Happy Tuesday all!

A hacktivist group named Head Mare is making its presence known in Russia and Belarus, and Kaspersky shares the technical details it uncovered. Recently the group has been abusing CVE-2023-38831, a WinRAR vulnerability in which a crafted archive runs a script when the victim opens what looks like a harmless file, to gain initial access and execute arbitrary code on the victim's machine. Once on the machine the group deploys different strains of ransomware, off-the-shelf toolkits (Sliver), and good ol' Mimikatz.

As far as the techniques go, there is one that cannot be ignored, the Registry Run key used for persistence, but what was interesting was the defense evasion, which they accomplished in a two-step fashion. First, they created scheduled tasks with names that hint they are part of legitimate operations (MicrosoftUpdateCore and MicrosoftUpdateCoree). Second, they had the dropped malware imitate legitimate software names (OneDrive.exe and VLC.exe) and stored it in the C:\ProgramData\ directory, which tends to draw less scrutiny than AppData or Users\Public. Neither the real OneDrive.exe nor the real vlc.exe is installed in the root of C:\ProgramData\, so a binary with one of those names at that location deserves a closer look.
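To turn those two observations into a hunt, here is an added example (my own code, not from the Securelist report or from Cyborg Security) that runs two checks over a handful of constructed events shaped loosely like a Windows Security 4698 task-creation event and a Sysmon Event ID 1 process-creation event: a scheduled task whose name starts with "Microsoft" but does not live under the \Microsoft\ task folder, or whose action runs an .exe straight out of the C:\ProgramData\ root, and a process whose image name is OneDrive.exe or vlc.exe but whose directory is not one of the default install locations. The sample events and the list of expected install directories are my assumptions for illustration, not data from the report.

```python
import re

# Directories the legitimate binaries normally run from (assumption based on
# default install locations: per-user and per-machine OneDrive, and VLC).
# Matching is on a lowercase path fragment, so either install style passes.
EXPECTED_DIRS = {
    "onedrive.exe": ["\\microsoft\\onedrive\\", "\\microsoft onedrive\\"],
    "vlc.exe": ["\\videolan\\vlc\\"],
}

# Action that launches an executable sitting directly in C:\ProgramData\
PROGRAMDATA_ROOT_EXE = re.compile(r'^"?c:\\programdata\\[^\\]+\.exe', re.IGNORECASE)

# Constructed sample events for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "task_created", "task_name": "\\MicrosoftUpdateCore",
     "command": "C:\\ProgramData\\OneDrive.exe"},
    {"event": "task_created", "task_name": "\\MicrosoftUpdateCoree",
     "command": "C:\\ProgramData\\VLC.exe"},
    {"event": "task_created",
     "task_name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "command": "%systemroot%\\system32\\sc.exe start wuauserv"},
    {"event": "process_created", "image": "C:\\ProgramData\\OneDrive.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe"},
    {"event": "process_created",
     "image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event": "process_created",
     "image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event": "process_created", "image": "C:\\ProgramData\\vlc.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe"},
]


def is_masquerading_process(image: str) -> bool:
    """True if the image name is one we watch but it runs from an unexpected directory."""
    lowered = image.lower()
    idx = lowered.rfind("\\")
    name, directory = lowered[idx + 1:], lowered[:idx + 1]
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return False  # not a name we care about
    return not any(fragment in directory for fragment in expected)


def is_suspicious_task(task_name: str, command: str) -> bool:
    """Microsoft-looking task outside the \\Microsoft\\ folder, or one launching a ProgramData-root exe."""
    path = task_name.lower().lstrip("\\")
    base = path.rsplit("\\", 1)[-1]
    in_microsoft_folder = path.startswith("microsoft\\")
    lookalike_name = base.startswith("microsoft") and not in_microsoft_folder
    programdata_exe = PROGRAMDATA_ROOT_EXE.match(command) is not None
    return lookalike_name or programdata_exe


def hunt(events) -> list:
    """Return (reason, identifier) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        if ev["event"] == "task_created" and is_suspicious_task(ev["task_name"], ev["command"]):
            findings.append(("suspicious_task", ev["task_name"]))
        elif ev["event"] == "process_created" and is_masquerading_process(ev["image"]):
            findings.append(("masquerading_process", ev["image"]))
    return findings


if __name__ == "__main__":
    for reason, ident in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {ident}")
```

Both checks are deliberately narrow: the task check only cares about the folder and the launch path, so a renamed task under \Microsoft\ would slip by, and the process check only knows the two names from the report. Extend EXPECTED_DIRS with whatever other names your environment sees abused, and pair the hits with a signature check on the file before raising an alert.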

As usual, read further for more interesting TTPs and stand by for the Threat Hunting Tip of the Day! Enjoy and Happy Hunting!

Head Mare: adventures of a unicorn in Russia and Belarus
https://securelist.com/head-mare-hacktivists/113555/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday