Cybercriminal collective Rare Werewolf seizes control over Russian electronics for cryptocurrency mining and data theft activities.
Grifters in the Shadows: The Dirty Dealings of Rare Werewolf
In the murky world of cybercrime, a shadowy group known as Rare Werewolf, also going by the names "Librarian Ghouls" and "Rezet," is wreaking havoc. This notorious gang has been unleashing a series of targeted phishing attacks on Russian and CIS-based companies since May, stealing sensitive data and hijacking devices to mine cryptocurrency.
According to Kaspersky's research, the group disguises its phishing emails as communication from legitimate organizations to trick victims into opening malicious attachments. Once the attached files are executed, the attackers gain control of the device, exfiltrate sensitive data including crypto wallet information, and deploy a Monero miner to exploit the system's processing power. To keep the mining out of sight of the machine's owner, they schedule the compromised machine to wake up at 1 AM and shut down at 5 AM, so the miner runs only while nobody is at the keyboard.
Kaspersky's investigations reveal that the group primarily sets its sights on industrial enterprises and engineering schools. The phishing emails are written in Russian, complete with Russian-language filenames and decoy documents, indicating that the intended victims are based in Russia or are Russian speakers.
In their investigation, Kaspersky also uncovered several domains potentially linked to the Librarian Ghouls campaign, such as users-mail[.]ru and deauthorization[.]online, which hosted phishing pages designed to steal login credentials for the popular Russian e-mail service Mail.ru.
Despite Kaspersky's efforts to expose their malicious activities, the Librarian Ghouls APT campaign remains active, with ongoing attacks reported as recently as last month.
Phishing Attacks: A Common Tactic
Phishing is not the only route to illicit mining. Hackers have also been exploiting a vulnerable older version of the HTTP File Server (HFS) to install Monero miners on unsuspecting victims' devices. That an outdated piece of software is still a productive entry point shows that cybercriminals will take whatever path is open to infiltrate systems and mine cryptocurrency on someone else's hardware.
In the end, it's crucial for individuals and companies to stay vigilant against such threats by educating themselves about the latest phishing tactics and ensuring they have robust security measures in place. But, as long as there's a profit to be made, groups like Rare Werewolf will continue to lurk in the shadows, waiting for their next mark.
Enrichment Data:
The Notorious Acts of Rare Werewolf (Librarian Ghouls, Rezet) APT Group
Rare Werewolf, alias Librarian Ghouls and Rezet, is a cybercrime group infamous for conducting targeted phishing attacks against Russian and CIS-based companies. Here's a rundown of their nefarious actions:
Current Strategy
- Phishing Emails: They use phishing emails to trick victims, often impersonating legitimate organizations [2][3].
- Malware Distribution: Once a victim falls for the phishing attempt, they distribute malware that can deploy Monero miners and steal sensitive information [1][5].
- Stealth Tactics: To bypass notice, they configure compromised machines to turn on at 1 AM and turn off at 5 AM [1].
Targeted Industries
- Industrial Enterprises: They prefer attacking industrial enterprises to steal sensitive data and deploy Monero miners [5].
- Engineering Schools: Similar techniques are used against engineering schools [1][5].
Tools and Techniques
- Password-Protected Archives: They use password-protected archives to distribute their payloads [5].
- Command Files and PowerShell Scripts: While they prefer using legitimate third-party software, they also employ command files and PowerShell scripts for malicious purposes [1][2].
- AnyDesk and Batch Scripts: They install the legitimate AnyDesk remote-access tool to reach compromised hosts and use Windows batch scripts to exfiltrate data [5].
Legitimate Software Abused
- Mipko Employee Monitor: This employee-monitoring software lets them watch user activity on compromised systems and collect documents from them [1].
- WebBrowserPassView: They use this NirSoft utility to recover passwords stored in web browsers [1].
- Defender Control: They use Defender Control to switch off Microsoft Defender on compromised systems before deploying their payloads [1].
In essence, Rare Werewolf's strategy involves sending phishing emails with malware attachments to gain access to victims' systems. Once inside, they use legitimate third-party software for malicious purposes, including deploying Monero miners and stealing sensitive information. Their targets include industrial and educational institutions across Russia and the CIS.
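The 1 AM wake-up and 5 AM shutdown described above, together with the tools listed in this section, are all things a defender can look for in Windows event logs. The following script is an added example written for this page, not Kaspersky's or the group's own code: it triages a handful of constructed events (Sysmon process creation and registry writes, plus Security event 4698 scheduled-task creation with its Task Scheduler XML body) and flags off-hours power-cycling tasks, execution of the named tools, and the Defender policy key being set. The executable names, task names and paths are assumptions for illustration; only the tool names themselves come from the text.

```python
"""Triage constructed Windows events for the Rare Werewolf tradecraft described above.

Added example, not Kaspersky's or the group's code. The events are constructed;
binary names, task names and paths are assumptions modelled on the tools the text names.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

# Task Scheduler XML namespace, as embedded in the TaskContent field of Security event 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
OFF_HOURS = range(0, 6)  # assumption: nothing legitimate power-cycles workstations 00:00-05:59

# Tools named in the text. The executable names are assumptions for illustration.
SUSPECT_BINARIES = {
    "anydesk.exe": "AnyDesk remote access",
    "webbrowserpassview.exe": "WebBrowserPassView browser-credential dumper",
    "dcontrol.exe": "Defender Control",
}
# Policy value that turns Microsoft Defender off; Defender Control-style tools set it to 1.
DEFENDER_DISABLE_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"


def task_findings(task_xml: str) -> list[str]:
    """Flag a scheduled task whose trigger fires off-hours; note whether it wakes the host."""
    root = ET.fromstring(task_xml)
    wake = root.findtext("t:Settings/t:WakeToRun", default="false", namespaces=TASK_NS)
    wake = wake.strip().lower() == "true"
    commands = " ".join(c.text or "" for c in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS))
    out = []
    for sb in root.findall(".//t:Triggers//t:StartBoundary", TASK_NS):
        hour = datetime.fromisoformat(sb.text.strip()).hour
        if hour in OFF_HOURS:
            out.append(f"off-hours task at {hour:02d}:00 (WakeToRun={wake}): {commands}")
    return out


def triage(events: list[dict]) -> list[str]:
    """Return one finding per event that matches the tradecraft described in the text."""
    findings = []
    for ev in events:
        if ev["id"] == 1:  # Sysmon event 1: process creation
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_BINARIES:
                findings.append(f"{SUSPECT_BINARIES[name]} started: {ev['image']}")
        elif ev["id"] == 13:  # Sysmon event 13: registry value set
            if ev["target"].lower() == DEFENDER_DISABLE_KEY.lower() and ev["details"].endswith("0x00000001)"):
                findings.append("Microsoft Defender disabled via policy key (consistent with Defender Control)")
        elif ev["id"] == 4698:  # Security event 4698: scheduled task created
            findings.extend(f"task {ev['task']}: {f}" for f in task_findings(ev["xml"]))
    return findings


def build_task_xml(hour: int, wake: str, command: str) -> str:
    """Build a minimal daily Task Scheduler XML body (constructed test input)."""
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-05-01T{hour:02d}:00:00</StartBoundary>
  <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>{wake}</WakeToRun></Settings>
  <Actions><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""


# Constructed sample events, not from a real incident. Two benign entries are mixed in.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 1, "image": r"C:\Users\ivan\AppData\Local\Temp\WebBrowserPassView.exe"},
    {"id": 13, "target": DEFENDER_DISABLE_KEY, "details": "DWORD (0x00000001)"},
    {"id": 4698, "task": r"\Backup", "xml": build_task_xml(9, "false", r"C:\Tools\backup.bat")},
    {"id": 4698, "task": r"\SystemWake", "xml": build_task_xml(1, "true", r"C:\ProgramData\svc\start.bat")},
    {"id": 4698, "task": r"\SystemOff", "xml": build_task_xml(5, "false", r"C:\Windows\System32\shutdown.exe")},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run against the samples, the script flags the credential dumper, the Defender policy write, and the two tasks at 01:00 and 05:00 while leaving the browser start and the 09:00 backup task alone. In a real environment the same logic would be fed from a SIEM export or `Get-WinEvent` output, and the off-hours window and binary list would be tuned to the site's own maintenance schedule and software inventory.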
- The Rare Werewolf APT group, also known as Librarian Ghouls and Rezet, has been stealing sensitive data and mining cryptocurrency by conducting targeted phishing attacks using malware, disguising their emails as communication from legitimate organizations.
- To evade detection, Rare Werewolf schedules compromised machines to wake up at 1 AM and shut down at 5 AM, allowing them to mine Monero undetected.
- Rare Werewolf primarily sets its sights on industrial enterprises and engineering schools, sending phishing emails written in Russian to its targets.
- As part of their activities, Rare Werewolf has been found to use password-protected archives, command files, PowerShell scripts, AnyDesk, and Windows batch scripts to gain remote access, exfiltrate data, and deploy Monero miners. They also abuse legitimate software such as Mipko Employee Monitor, WebBrowserPassView, and Defender Control.