Full Report
Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal. "Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents," the company said. "This suggests
Analysis Summary
# Threat Actor: Head Mare and Twelve (Collaboration)
## Attribution & Identity
The two threat activity clusters, **Head Mare** and **Twelve**, have shown evidence of collaboration and potential joint campaigns. Head Mare previously relied on tools and C2 infrastructure exclusively linked to Twelve. There are also uncovered overlaps between Twelve and the previously active threat group **Crypt Ghouls**, suggesting a tactical connection across multiple groups targeting Russia.
## Activity Summary
The core of the new finding is the observed **collaboration between Head Mare and Twelve** in attacks targeting Russian entities.
* **Head Mare** was previously documented leveraging the WinRAR vulnerability **CVE-2023-38831** for initial access to deliver malware and ransomware (LockBit for Windows, Babuk for Linux/ESXi).
* **Twelve** has been documented staging destructive attacks, using publicly available tools to encrypt data and deploy wipers to ensure irreversible infrastructure destruction.
* The groups are now jointly launching attacks against state- and privately-controlled companies in Russia.
* Head Mare is actively expanding its techniques, including gaining access via compromising contractors (trusted relationships).
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of **CVE-2023-38831** (WinRAR), **CVE-2021-26855 (ProxyLogon)** on Microsoft Exchange Server, phishing emails with malicious attachments, and compromising contractors' networks (trusted relationship attacks).
- **Persistence/Execution:** Executing commands via ProxyLogon to download and launch CobInt. They employ an updated persistence mechanism that **creates new privileged local users** on a business automation platform server, bypassing scheduled tasks, and then using RDP to connect for interactive execution.
- **Evasion:** Renaming malicious payloads to mimic benign OS files (e.g., `calc.exe`, `winuac.exe`). **Clearing event logs** to remove traces of activity. Using proxy/tunneling tools like Gost and Cloudflared to conceal network traffic.
- **Reconnaissance:** Using built-in tools like `quser.exe`, `tasklist.exe`, `netstat.exe`, along with `fscan` and SoftPerfect Network Scanner for network discovery, and **ADRecon** for Active Directory enumeration.
- **Credential Access:** Utilizing **Mimikatz**, `secretsdump`, and `ProcDump`.
- **Lateral Movement & Execution:** Using **RDP**, **mRemoteNG**, `smbexec`, `wmiexec`, `PAExec`, and `PsExec`.
- **Exfiltration:** Using **Rclone** for data transfer.
- **Impact:** Deployment of **LockBit 3.0** and **Babuk (for ESXi)** ransomware, followed by instructions to victims to contact them via Telegram for decryption keys.
## Targeting
- **Sectors:** State-controlled companies and privately-controlled companies.
- **Geography:** Russia.
- **Victims:** Not specifically named beyond organizational types and sectors within Russia.
## Tools & Infrastructure
- **Malware Families Used:**
* **CobInt:** A backdoor previously used by ExCobalt and Crypt Ghouls.
* **PhantomJitter:** A bespoke implant installed on servers for remote command execution.
* **LockBit 3.0** (Ransomware)
* **Babuk** (Ransomware for Linux/ESXi)
- **Infrastructure:** C2 servers exclusively linked to **Twelve** prior to the collaboration.
- **Other Tools:** Gost, Cloudflared (proxy/tunneling); various legitimate system utilities used maliciously (e.g., `tasklist.exe`, `netstat.exe`); scanner utilities (`fscan`, SoftPerfect Network Scanner); credential harvesting tools (`Mimikatz`, `secretsdump`).
## Implications
The collaboration between Head Mare and Twelve signals an **escalation in capability and intent** targeting entities within Russia, potentially leveraging diverse initial access vectors (vulnerability exploitation, phishing, supply chain compromise) to achieve destructive outcomes, including ransomware deployment and irreversible infrastructure wiping. The observed adoption of tools from other known threat actors (like CobInt) suggests a dynamic and potentially resource-sharing ecosystem among groups targeting the same geopolitical region.
## Mitigations
- **Patch Management:** Immediately address vulnerabilities like **CVE-2023-38831 (WinRAR)** and **CVE-2021-26855 (ProxyLogon)**.
- **Supply Chain Security:** Implement stringent vetting and monitoring processes for contractors accessing internal infrastructure to mitigate trusted relationship attacks.
- **Monitoring & Detection:** Monitor for the use of unusual persistence mechanisms, specifically the creation of new privileged local user accounts for RDP access, deviating from traditional scheduled task persistence.
- **Endpoint Protection:** Deploy EDR solutions capable of detecting behavior associated with known credential harvesting tools (Mimikatz, secretsdump) and file-wiping activity.
- **Network Analysis:** Implement rules to detect traffic patterns unusual for endpoint communication, especially utilizing proxy/tunneling tools like Gost or Cloudflared.
- **Incident Response:** Prepare specific response playbooks for ransomware deployment (LockBit 3.0, Babuk) that include offline backups and secure recovery procedures, given the threat actor's intent for irreversible destruction.