Rare Werewolf Hackers Mine Monero on 100s of Russian Devices

Generated by AI AgentCoin World
Wednesday, Jun 11, 2025, 11:16 pm ET

A sophisticated cybercriminal operation known as Rare Werewolf has targeted hundreds of devices across Russian industrial enterprises, engineering schools, and other organizations. The group, also referred to as Librarian Ghouls, has been deploying XMRig, a legitimate cryptocurrency-mining tool, on victims' devices to mine Monero. The hackers use malicious emails carrying password-protected archives to deliver the 4t Tray Minimizer tool, which conceals the malicious activity and retrieves additional payloads. These payloads include legitimate tools that facilitate data exfiltration and the deployment of the XMRig cryptominer via AnyDesk and Windows batch scripts.

The hackers' method relies on third-party legitimate software repurposed for malicious ends, which makes the advanced persistent threat (APT) activity harder to detect and attribute; this is a common evasion strategy among cybercriminals. The group has been targeting users across Russia, as well as organizations in Belarus and Kazakhstan. Using fake emails to install malware and take control of computers for crypto mining, the hackers turn legitimate business computers into covert cryptocurrency mining operations.

Rare Werewolf has been running a targeted phishing campaign against companies, hijacking their devices to mine cryptocurrency. Combining malicious emails with legitimate tools used for malicious purposes, the group has compromised hundreds of devices and runs XMRig on them to mine Monero.

The Rare Werewolf campaign begins with phishing emails written in Russian and disguised as official messages from trusted organizations. The emails carry password-protected archives whose executable files masquerade as business documents, such as payment orders. Opening them runs malware that gives the attackers remote access to the victims' systems, most often through legitimate software such as AnyDesk, which lets the activity slip past protections. The compromised machines are scheduled to wake at 1 a.m. and shut down at 5 a.m. so that the operation stays hidden; because the systems show nothing irregular during working hours, this wake-and-sleep cycle lowers the chance of detection.

Once access is achieved, Rare Werewolf deploys XMRig to mine cryptocurrency, driving the device's RAM, CPU cores, and GPUs to full utilization. At the same time, the attackers steal credentials and privileged operational data, mostly from industrial and academic environments. Their use of genuine third-party tools such as Mipko Personal Monitor and WebBrowserPassView helps them evade detection. Hundreds of devices have been affected, and the attackers have gone after organizations holding valuable intellectual property. The scale of the campaign underscores the growing threat of cryptojacking, in which cybercriminals steal computing power for profit.

Detection is further complicated by PowerShell scripts and batch files. These scripts create scheduled tasks that manage the system wake-ups and shutdowns, keeping a low profile. Cybersecurity reports suggest that the group's methods resemble those of hacktivists and may carry a political motive, but its origin is unknown. The Rare Werewolf attacks show how imperfect organizational cybersecurity remains, especially in Russia and the Commonwealth of Independent States (CIS), and the valuable data of the industrial and engineering sectors faces heightened risk. The combination of phishing, legitimate tools, and scheduled tasks, together with the sophistication of the campaign, poses a problem for traditional defenses.
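As an added illustration (not part of the original report), the following Python script scans a scheduled-task export for the pattern described above: tasks that invoke the miner, the remote-access tool, a scripted shutdown, or batch/PowerShell helpers, with a start time in the 1 a.m. to 5 a.m. window reported as extra context. The CSV layout is a simplified version of `schtasks /query /fo CSV /v` output, and every sample row and path is constructed for the example.

```python
import csv
import io
import re
from datetime import time

# Constructed sample shaped like a simplified `schtasks /query /fo CSV /v` export.
# Every value below is made up for illustration, not an indicator from a real incident.
SAMPLE_CSV = """TaskName,Task To Run,Schedule Type,Start Time,Run As User
\\Microsoft\\Windows\\Defrag\\ScheduledDefrag,%windir%\\system32\\defrag.exe -c -h -o,Weekly,1:00:00 AM,SYSTEM
\\WakeUp,C:\\ProgramData\\svc\\start.bat,Daily,1:00:00 AM,SYSTEM
\\Sleep,shutdown.exe /s /t 0,Daily,5:00:00 AM,SYSTEM
\\Updater,C:\\ProgramData\\svc\\xmrig.exe -o pool.example:3333,At logon,N/A,SYSTEM
\\Backup,C:\\Program Files\\Backup\\backup.exe,Daily,10:00:00 PM,backup
"""

# The 1 a.m. to 5 a.m. wake/sleep window described in the report.
OFF_HOURS = (time(1, 0), time(5, 0))
# Commands the report associates with the campaign: the miner, the remote-access
# tool, the scripted shutdown, and batch/PowerShell helpers.
SUSPECT_CMD = re.compile(r"xmrig|anydesk|shutdown(\.exe)?\s|\.bat\b|\.ps1\b", re.IGNORECASE)


def parse_start_time(value):
    """Convert schtasks' '1:00:00 AM' style field to datetime.time; None for 'N/A'."""
    m = re.fullmatch(r"(\d{1,2}):(\d{2}):(\d{2}) (AM|PM)", value.strip())
    if not m:
        return None
    hour = int(m.group(1)) % 12 + (12 if m.group(4) == "PM" else 0)
    return time(hour, int(m.group(2)), int(m.group(3)))


def suspicious_tasks(csv_text):
    """Return [(task name, reasons)] for tasks whose command matches SUSPECT_CMD.
    An off-hours start is reported as extra context but is not sufficient on its
    own, so Windows' own 1 a.m. defrag task is not flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not SUSPECT_CMD.search(row["Task To Run"]):
            continue
        reasons = [f"runs {row['Task To Run']} as {row['Run As User']}"]
        start = parse_start_time(row["Start Time"])
        if start is not None and OFF_HOURS[0] <= start <= OFF_HOURS[1]:
            reasons.append(f"starts at {row['Start Time']}, inside the off-hours window")
        findings.append((row["TaskName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_tasks(SAMPLE_CSV):
        print(name, "->", "; ".join(reasons))
```

On a real host, replace `SAMPLE_CSV` with the output of `schtasks /query /fo CSV /v` and expect the extra verbose columns to be ignored by name.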

Organizations are advised to strengthen email security and monitor for unauthorized access. Regular system audits and up-to-date antivirus software reduce the risk.
