Intensifies Attacks On Russia With PhantomCore
Essential information
- Published
- 11/12/2024 02:51
- Modified
- 11/12/2024 11:04
- Tags
- 2024-12-11 CVE-2023-38831 apt babuk backdoor boost.beast hacktivist lockbit phantomcore ransomware russia
- Related entities
- 1 vulnerabilities (cve), 31 observables, 1 intrusion sets (apt), 6 techniques (mitre), 5 malware, 7 others
Description
The Head Mare hacktivist group has escalated its campaign against Russian targets using the PhantomCore backdoor. The group employs deceptive ZIP archives containing malicious LNK files and executables disguised as archive files to deploy PhantomCore. This C++-compiled backdoor, which replaces earlier GoLang versions, incorporates the Boost.Beast library for C&C communication. PhantomCore gathers victim information and awaits further commands from the C&C server. The infection chain involves PowerShell commands to extract and execute the malware. Head Mare's campaign spans various industries and may deploy ransomware like LockBit and Babuk. The group's evolving tactics and ability to collect data and deploy additional payloads highlight the ongoing threat to Russian organizations.