Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal.
“Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents,” the company said. “This suggests potential collaboration and joint campaigns between the two groups.”
Both Head Mare and Twelve were previously documented by Kaspersky in September 2024, with the former leveraging a now-patched vulnerability in WinRAR (CVE-2023-38831) to obtain initial access and deliver malware and in some cases, even deploy ransomware families like LockBit for Windows and Babuk for Linux (ESXi) in exchange for a ransom.
Twelve, on the other hand, has been observed staging destructive attacks, taking advantage of various publicly available tools to encrypt victims’ data and irrevocably destroy their infrastructure with a wiper to prevent recovery efforts.
Kaspersky’s latest analysis shows Head Mare’s use of two new tools, including CobInt, a backdoor used by ExCobalt and Crypt Ghouls in attacks aimed at Russian firms in the past, as well as a bespoke implant named PhantomJitter that’s installed on servers for remote command execution.
The deployment of CobInt has also been observed in attacks mounted by Twelve, with overlaps uncovered between the hacking crew and Crypt Ghouls, indicating some kind of tactical connection between different groups currently targeting Russia.
Other initial access pathways exploited by Head Mare include the abuse of other known security flaws in Microsoft Exchange Server (e.g., CVE-2021-26855 aka ProxyLogon), as well as via phishing emails bearing rogue attachments and compromising contractors’ networks to infiltrate victim infrastructure, a technique known as the trusted relationship attack.
“The attackers used ProxyLogon to execute a command to download and launch CobInt on the server,” Kaspersky said, highlighting the use of an updated persistence mechanism that eschews scheduled tasks in favor of creating new privileged local users on a business automation platform server. These accounts are then used to connect to the server via RDP to transfer and execute tools interactively.
Besides assigning the malicious payloads names that mimic benign operating system files (e.g., calc.exe or winuac.exe), the threat actors have been found to remove traces of their activity by clearing event logs and use proxy and tunneling tools like Gost and Cloudflared to conceal network traffic.
Some of the other utilities used are
- quser.exe, tasklist.exe, and netstat.exe for system reconnaissance
- fscan and SoftPerfect Network Scanner for local network reconnaissance
- ADRecon for gathering information from Active Directory
- Mimikatz, secretsdump, and ProcDump for credential harvesting
- RDP for lateral movement
- mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for remote host communication
- Rclone for data transfer
The attacks culminate with the deployment of LockBit 3.0 and Babuk ransomware on compromised hosts, followed by dropping a note that urges victims to contact them on Telegram for decrypting their files.
“Head Mare is actively expanding its set of techniques and tools,” Kaspersky said. “In recent attacks, they gained initial access to the target infrastructure by not only using phishing emails with exploits but also by compromising contractors. Head Mare is working with Twelve to launch attacks on state- and privately-controlled companies in Russia.”
The development comes as BI.ZONE linked the North Korea-linked threat actor known as ScarCruft (aka APT37, Reaper, Ricochet Chollima, and Squid Werewolf) to a phishing campaign in December 2024 that delivered a malware loader responsible for deploying an unknown payload from a remote server.
The activity, the Russian company said, closely resembles another campaign dubbed SHROUDED#SLEEP that Securonix documented in October 2024 as leading to the deployment of a backdoor referred to as VeilShell in intrusions targeting Cambodia and likely other Southeast Asian countries.
Last month, BI.ZONE also detailed continued cyber attacks staged by Bloody Wolf to deliver NetSupport RAT as part of a campaign that has compromised more than 400 systems in Kazakhstan and Russia, marking a shift from STRRAT.
