from Joker@sh.itjust.works to cybersecurity@infosec.pub on 10 Dec 16:58
https://sh.itjust.works/post/29295083
> - Cyble Research and Intelligence Labs (CRIL) has identified a campaign associated with the infamous group Head Mare aimed at targeting Russians.
> - This campaign involves a ZIP archive containing both a malicious LNK file and an executable. The executable is cleverly disguised as an archive file to deceive users and facilitate its malicious operations.
> - The LNK file contains commands designed to extract and execute the disguised executable, which has been identified as PhantomCore.
> - PhantomCore is a backdoor utilized by the hacktivist group Head Mare. It has been active since 2023 and is known for consistently targeting Russia.
> - In previous attacks, GoLang-compiled PhantomCore binaries were used. However, in this campaign, the threat actor (TA) is using C++-compiled PhantomCore binaries instead.
> - TA also integrated the Boost.Beast library into PhantomCore to enable communication with the command-and-control (C&C) server.
> - PhantomCore collects the victim’s information, including the public IP address, to gain detailed insights into the target before deploying the final-stage payload or executing additional commands on the compromised system.
> - PhantomCore is known to deploy ransomware payloads such as LockBit and Babuk, inflicting significant damage on the victim’s systems.
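The lure described in the quoted summary (a ZIP carrying a .lnk next to an executable renamed to look like an archive) can be triaged without ever running anything: a Windows shell link has a fixed 20-byte header (HeaderSize 0x4C plus the LinkCLSID), a PE starts with `MZ`, and a file calling itself .rar, .zip or .7z should start with that format's magic. The script below is an added example, not Cyble's or Head Mare's code, and the ZIP it inspects is constructed inline for illustration; the member names, the 64-byte read limit and the "lure" decision rule are my own assumptions.

```python
"""Triage a ZIP for the lure pattern: a .lnk beside a file whose
extension says "archive" but whose first bytes say "PE executable"."""
import io
import os
import zipfile

# Fixed 20-byte prefix of a Windows Shell Link (.lnk):
# HeaderSize = 0x0000004C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Magic bytes a file with this extension is expected to begin with.
ARCHIVE_MAGIC = {
    ".zip": (b"PK\x03\x04",),
    ".rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),   # RAR4 / RAR5
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
}


def classify(name: str, head: bytes) -> list[str]:
    """Tag one archive member from its file name and leading bytes."""
    tags = []
    ext = os.path.splitext(name)[1].lower()
    if head.startswith(LNK_HEADER):
        tags.append("lnk")
    if head.startswith(b"MZ"):
        tags.append("pe")
    expected = ARCHIVE_MAGIC.get(ext)
    if expected and not any(head.startswith(magic) for magic in expected):
        tags.append("archive-ext-mismatch")   # claims to be an archive, is not
    return tags


def triage_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map every file in the ZIP to its tags, reading only a 64-byte header."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(64)   # bounded read: no full decompression
            report[info.filename] = classify(info.filename, head)
    return report


def is_lure(report: dict[str, list[str]]) -> bool:
    """Assumed rule: an LNK next to a PE or a mislabelled archive is a lure."""
    has_lnk = any("lnk" in tags for tags in report.values())
    has_hidden_exe = any("pe" in tags or "archive-ext-mismatch" in tags
                         for tags in report.values())
    return has_lnk and has_hidden_exe


def build_sample_zip(malicious: bool = True) -> bytes:
    """Constructed sample archives, not real artifacts from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("Document.lnk", LNK_HEADER + b"\x00" * 56)
            zf.writestr("Document.rar", b"MZ" + b"\x00" * 62)   # PE dressed as RAR
        else:
            zf.writestr("notes.txt", b"just text")
            zf.writestr("inner.zip", b"PK\x03\x04" + b"\x00" * 26)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        rep = triage_zip(build_sample_zip(flag))
        print(rep, "->", "LURE" if is_lure(rep) else "clean")
```

The header-only read keeps the check cheap and safe on attachments of any size. It is a heuristic for the specific packaging described in the post, not a PhantomCore detector: a fuller triage would also parse the LNK's string data for the extraction and launch command line, which this example deliberately does not attempt.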