A cyber gang called Librarian Ghouls targets Russians

According to cybersecurity company Kaspersky, hundreds of Russian laptops were infiltrated by the Librarian Ghouls hacking gang, who then exploited them to mine cryptocurrency in what appears to be an example of cryptojacking.

According to a report released by Kaspersky on Monday, the hacker collective, also known as Rare Werewolf, obtains access to networks by means of malware-infected phishing emails that pose as correspondence from reputable companies and seem like official documents or payment orders.

Before mining, hackers look over device details

Once a PC has been infected with the malware, the hackers connect remotely and turn off security programs such as Windows Defender. The compromised device is also set up to turn on at 1 am and shut off at 5 am; the hackers use this window to extend their unauthorized remote access and collect login information.

According to Kaspersky, the attackers employ this tactic to hide their activity so the victim does not notice that the device has been compromised. They then steal login credentials and gather data on the device’s available RAM, CPU cores and GPUs so that the crypto miner can be configured for the hardware before it is deployed.

According to Kaspersky, the hackers stay connected to the mining pool while the miner is operating, submitting a request every 60 seconds.
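The two host-level signs described above (Windows Defender switched off, and a machine scheduled to wake at 1 am and shut down at 5 am) can be hunted for with a read-only audit. The script below is an added example, not code from the article or from Kaspersky's report; the window hours come from the article, while the cmdlets used and the decision to flag any wake-to-run task are assumptions.

```powershell
# Added audit script (not from the report): checks a Windows host for Defender being off
# and for enabled scheduled tasks that start in the 01:00-05:00 window or wake the machine.
# Read-only; run in an elevated PowerShell session.

$windowStart = 1   # 01:00, the wake time reported for the compromised machines
$windowEnd   = 5   # 05:00, the shutdown time reported
$findings    = New-Object System.Collections.Generic.List[object]

# 1. Defender state. The report says the attackers turn Windows Defender off once connected.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled -or -not $mp.AntivirusEnabled) {
        $findings.Add([pscustomobject]@{ Type = 'DefenderDisabled'; Task = '-';
            Detail = "RealTimeProtection=$($mp.RealTimeProtectionEnabled) AntivirusEnabled=$($mp.AntivirusEnabled)" })
    }
} else {
    $findings.Add([pscustomobject]@{ Type = 'DefenderUnavailable'; Task = '-'; Detail = 'Defender cmdlets not present' })
}

# 2. Enabled scheduled tasks with a time trigger in the window, or with WakeToRun set.
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    foreach ($trigger in $task.Triggers) {
        if ([string]::IsNullOrEmpty($trigger.StartBoundary)) { continue }   # logon/boot triggers have no start time
        try { $start = [datetime]::Parse($trigger.StartBoundary) } catch { continue }
        $inWindow = ($start.Hour -ge $windowStart) -and ($start.Hour -le $windowEnd)
        if ($inWindow -or $task.Settings.WakeToRun) {
            $type = if ($task.Settings.WakeToRun) { 'WakeToRunTask' } else { 'NightWindowTask' }
            $findings.Add([pscustomobject]@{
                Type   = $type
                Task   = "$($task.TaskPath)$($task.TaskName)"
                Detail = "start=$($start.ToString('HH:mm')) author=$($task.Author) action=$actions"
            })
        }
    }
}

# Leads, not verdicts: Windows itself schedules maintenance in this window, so compare each
# task's author and action command against a known-good baseline before acting on a hit.
if ($findings.Count -eq 0) { 'No Defender or night-schedule findings on this host.' }
else { $findings | Sort-Object Type | Format-Table -AutoSize -Wrap }
```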

The company says it sees the attackers constantly improving their methods, which include not only data exfiltration but also phishing websites used to compromise email accounts and the deployment of remote access tools.

The cryptojacking campaign has been going on since 2024

Hundreds of Russian users have been impacted by the ongoing hacking campaign, which began in December and is primarily affecting technical colleges and industrial firms. Other victims have been identified in Belarus and Kazakhstan.

Although the group’s origin has not been determined, Kaspersky claimed that the phishing emails are “written in Russian and contain Russian-language decoy documents and archives with Russian filenames.”

According to Kaspersky, this implies that the campaign’s main targets are either Russian-speaking or based in Russia.

Librarian Ghouls could be hacktivists

Kaspersky suggests the Librarian Ghouls may be hacktivists, who use hacking as a form of civil disobedience to advance a political objective, because they employ tactics frequently used by such groups, including a reliance on legitimate third-party software.

According to Kaspersky, one unusual aspect of this threat is that the attackers prefer to use legitimate third-party software rather than creating their own malicious files. How long the group has been operating is uncertain; however, in a study published on Nov. 23, BI.ZONE, another Russian cybersecurity company, stated that Rare Werewolf has existed since at least 2019.
