Head Mare and Twelve, two hacktivist groups, have launched joint attacks on Russian companies. Head Mare has expanded its toolkit, now using tools previously associated only with Twelve, such as the CobInt backdoor. The attackers gained initial access through phishing emails and compromised contractors. They used various tools for reconnaissance, privilege escalation, lateral movement, and data exfiltration. The final goal was file encryption using LockBit 3.0 and Babuk ransomware. Overlaps in infrastructure, tactics, and tools suggest collaboration between the two groups. The attacks primarily targeted manufacturing, government, and energy sectors in Russia.
Author: AlienVault
Related Tags:
PhantomJitter
CobInt
Vasa Locker
Babyk
Babuk – S0638
LockBit 3.0
cve-2021-26855
T1021.002
babuk
Associated Indicators: