Hacker group Rare Werewolf hijacks Russian devices to mine crypto and steal data

A cybercriminal group known as the rare werewolf leads a targeted phishing campaign against Russian companies and based on CIS, diverting devices to exploit crypto and steal sensitive data.

Kaspersky’s search revealed that the Rare Loup-Garou group, also known as “Libraire Ghouls” and “Rezet”, has always remained active to May, putting an implacable campaign that targets organizations across Russia and CEI.

The group uses phishing emails disguised as communications from legitimate organizations to deceive the victims to open malicious attachments. Once these files have been executed, attackers have remote access to the device, exfilment sensitive data (such as identification information and cryptographic wallet info), then deploy Monero (Xmr)) Cryptographic minors To use the system processing power. To avoid detection, they plan the compromised machine to wake up automatically at 1 a.m. and closed at 5 am, ensuring that their activities go unnoticed.

Kaspersky reports that the group mainly targets industrial companies, engineering schools being of particular interest. Phishing emails are written in Russian and generally contain attachments with Russian language file names and lure documents, which suggests that the main victims of the group are based in Russia or are Russian commissioners.

Kaspersky’s investigation has also revealed several areas that could be linked to the librarian Ghouls campaign, although they have low confidence in this regard. Among the areas still active at the time were users[.]Ru and disauticalization[.]Online, both hosted phishing pages. These pages, created with PHP scripts, have been designed to steal connection identification information for the Russian Mail.ru Russian messaging service.

Based on the publication of Kaspersky’s research, the Ghouls APT librarian campaign remains active, with current attacks observed last month that last month.