We analyze the activities of the Head Mare hacktivist group, which has been attacking Russian companies jointly with Twelve.
Analysis Summary
# Threat Actor: Head Mare & Twelve (Joint Operations)
## Attribution & Identity
The report analyzes joint activity by two hacktivist groups, **Head Mare** and **Twelve**. Two observations point to collaboration or at least tool-sharing: Head Mare used command-and-control (C2) servers that, before these incidents, had been linked exclusively to Twelve, and Head Mare adopted tools previously seen only in Twelve's operations, notably the **CobInt** backdoor.
## Activity Summary
In September 2024 a series of attacks on Russian companies showed the hallmarks of joint Head Mare and Twelve operations. Head Mare has been refining its tradecraft, combining familiar tooling with new PowerShell-based utilities. Initial access has broadened beyond phishing attachments to include the abuse of compromised contractors' remote access and the exploitation of known, unpatched vulnerabilities. Starting in August 2024 the attackers also deployed a new proprietary backdoor, **PhantomJitter**.
## Tactics, Techniques & Procedures
- **Initial Access (T1199, T1078, T1566.001):** Abused trusted relationships by using compromised contractors' credentials, which gave RDP access to the victims' business automation platforms. Phishing emails with malicious archive attachments were also used, exploiting **CVE-2023-38831** (WinRAR).
- **Exploitation of Public-Facing Application (T1190):** Exploited **CVE-2021-26855 (ProxyLogon)** on Internet-facing Microsoft Exchange servers to download and launch the CobInt backdoor.
- **Remote Access:** Used the **CobInt** backdoor (previously seen only in Twelve's attacks) for remote access to domain controllers, and the proprietary **PhantomJitter** backdoor for remote command execution on servers.
- **Persistence (T1136.001, T1543.003, T1133):** Shifted from scheduled tasks to creating new privileged local user accounts and using them for interactive RDP sessions. Installed the **Localtonet** traffic-tunneling tool and registered it as a persistent Windows service through **Non-Sucking Service Manager (NSSM)**; NSSM itself is the service binary and launches Localtonet on start-up.
- **Defense Evasion (T1036.005, T1070.004, T1070.001):** Masqueraded utilities by renaming them to look like standard OS files (e.g., `rclone` as `wusa.exe`, `cloudflared` as `winuac.exe`); a renamed executable keeps its original PE version resource, which is what still distinguishes it from the genuine file. They also deleted previously created files and services and cleared Windows event logs.
## Targeting
- Sectors: Russian companies; the report does not single out a sector. Within victim networks, the targeted infrastructure included business automation platform servers and domain controllers.
- Geography: Russia.
- Victims: Russian entities hit in the September 2024 attacks.
## Tools & Infrastructure
- **Malware families used:** CobInt (backdoor previously seen in Twelve's attacks) and PhantomJitter (proprietary backdoor). LockBit 3.0 and Babuk are mentioned as context; neither is attributed to the actors as their own development.
- **Publicly Available Tools:** credential access with mimikatz, ProcDump and Impacket's secretsdump; discovery with ADRecon, fscan and SoftPerfect Network Scanner; tunneling with Localtonet, revsocks, ngrok, cloudflared and Gost; lateral movement and remote administration with PsExec, Impacket's smbexec and wmiexec, and mRemoteNG.
- **Infrastructure:** C2 servers that had been linked exclusively to Twelve before the reported incidents. Persistence for Localtonet was established as an NSSM-managed Windows service.
## Implications
The overlap between Head Mare and Twelve points to a merger or close cooperation between hacktivist factions, which yields more resilient and complex operations. The actors show adaptability by adopting new tooling (CobInt, PhantomJitter) and by widening their initial access beyond basic phishing to contractor and supply-chain weaknesses and to unpatched legacy vulnerabilities.
## Mitigations
- Patch legacy systems immediately, Microsoft Exchange servers above all; ProxyLogon (CVE-2021-26855) has had a vendor fix since March 2021 and should not be exploitable on any maintained server.
- Review and restrict RDP access, especially for external contractors, and enforce MFA or equivalently strong authentication on every remote entry point.
- Proactively hunt for persistence: newly created local accounts that are added to privileged groups and then used for RDP logons, and services registered through NSSM (System event 7045 with `nssm.exe` as the service binary).
- Monitor for publicly available offensive tooling (e.g., mimikatz, ADRecon) executing on production servers.
- Implement file monitoring and integrity checks in directories the actors use for staging (`C:\ProgramData`, `C:\Windows\System32`); because renaming a binary does not change its PE version resource or hash, compare the on-disk name with the `OriginalFileName` field (Sysmon process-creation events record it) rather than trusting the name alone.
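The following hunting logic ties together the persistence and masquerading TTPs described above and the corresponding mitigations. It is an added illustration, not code from the report or from Kaspersky. The event records are constructed to mimic the fields of Windows Security (4720, 4732, 4624), System (7045) and Sysmon process-creation (Event ID 1) logs; the host, user and account names, IP address and paths are invented.

```python
"""
Hunt for the Head Mare / Twelve persistence and masquerading patterns over
Windows event records. Added example; the telemetry below is constructed
and every name, path and address in it is an assumption, not report data.
"""

# OriginalFileName values (PE version resource, recorded by Sysmon Event 1)
# of tools named in the report. Renaming the file on disk does not change it.
TOOL_ORIGINAL_NAMES = {
    "rclone.exe", "cloudflared.exe", "ngrok.exe", "revsocks.exe",
    "nssm.exe", "mimikatz.exe", "procdump.exe", "psexec.exe", "gost.exe",
}
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
RDP_LOGON_TYPE = "10"  # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample telemetry (not real logs). Each record carries the
# channel, event ID and only the fields the checks below consume.
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 4720,
     "f": {"SubjectUserName": "svc_backup", "TargetUserName": "support1"}},
    {"channel": "Security", "id": 4732,
     "f": {"SubjectUserName": "svc_backup", "TargetUserName": "Administrators",
           "MemberName": "WIN-APP01\\support1"}},
    {"channel": "Security", "id": 4624,
     "f": {"TargetUserName": "support1", "LogonType": "10",
           "IpAddress": "203.0.113.44"}},
    {"channel": "System", "id": 7045,
     "f": {"ServiceName": "localtonet", "StartType": "auto start",
           "ImagePath": "C:\\ProgramData\\nssm.exe"}},
    {"channel": "Sysmon", "id": 1,
     "f": {"Image": "C:\\ProgramData\\wusa.exe",
           "OriginalFileName": "rclone.exe",
           "CommandLine": "wusa.exe copy C:\\Share\\Docs remote:docs"}},
    {"channel": "Sysmon", "id": 1,  # the genuine Windows Update Standalone Installer
     "f": {"Image": "C:\\Windows\\System32\\wusa.exe",
           "OriginalFileName": "wusa.exe",
           "CommandLine": "wusa.exe /quiet"}},
    {"channel": "Sysmon", "id": 1,
     "f": {"Image": "C:\\Windows\\System32\\winuac.exe",
           "OriginalFileName": "cloudflared.exe",
           "CommandLine": "winuac.exe tunnel run"}},
]


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_masquerading(events):
    """Sysmon Event 1: flag a process whose on-disk file name differs from the
    OriginalFileName in its PE resources, or whose OriginalFileName is a known
    tool. A legitimate System32 binary passes because the two names agree."""
    hits = []
    for e in events:
        if e["channel"] != "Sysmon" or e["id"] != 1:
            continue
        f = e["f"]
        on_disk = _basename(f["Image"])
        original = f.get("OriginalFileName", "").lower()
        if original and original != on_disk:
            hits.append((f["Image"], original, "name mismatch"))
        elif original in TOOL_ORIGINAL_NAMES:
            hits.append((f["Image"], original, "known tool"))
    return hits


def find_nssm_services(events):
    """System 7045: a new service whose binary is nssm.exe is NSSM wrapping some
    other program (Localtonet in the report). The wrapped command line lives in
    the service's Parameters registry key, so the 7045 ImagePath alone is the
    signal to pivot on."""
    return [
        (e["f"]["ServiceName"], e["f"]["ImagePath"])
        for e in events
        if e["channel"] == "System" and e["id"] == 7045
        and "nssm.exe" in e["f"]["ImagePath"].lower()
    ]


def find_rdp_account_chain(events):
    """Security log: a local account created (4720), added to a privileged
    group (4732) and then used for a RemoteInteractive logon (4624, type 10),
    in that order. Each step alone is routine; the chain is the hunt signal."""
    created, elevated, hits = set(), set(), []
    for e in events:
        if e["channel"] != "Security":
            continue
        f = e["f"]
        if e["id"] == 4720:
            created.add(f["TargetUserName"].lower())
        elif e["id"] == 4732 and f["TargetUserName"] in PRIVILEGED_GROUPS:
            member = f["MemberName"].split("\\")[-1].lower()  # strip DOMAIN\
            if member in created:
                elevated.add(member)
        elif e["id"] == 4624 and f.get("LogonType") == RDP_LOGON_TYPE:
            user = f["TargetUserName"].lower()
            if user in elevated:
                hits.append((user, f.get("IpAddress", "")))
    return hits


def hunt(events):
    """Run all three checks and return the findings keyed by technique."""
    return {
        "masquerading": find_masquerading(events),
        "nssm_services": find_nssm_services(events),
        "rdp_accounts": find_rdp_account_chain(events),
    }


if __name__ == "__main__":
    for kind, findings in hunt(SAMPLE_EVENTS).items():
        for item in findings:
            print(kind, item)
```

On a real estate the records would come from a SIEM or from `Get-WinEvent`; 4720 and 4732 require the "User Account Management" and "Security Group Management" audit subcategories to be enabled, and `OriginalFileName` is present in Sysmon process-creation events from Sysmon 10 onward. Real 4732 events may carry only `MemberSid`, in which case the SID has to be resolved before the comparison in `find_rdp_account_chain`.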