The group known as Rare Werewolf, previously Rare Wolf, has been identified as the culprit behind a string of cyber attacks targeting Russia and CIS countries.
Kaspersky noted that the attackers prefer using legitimate third-party software instead of creating their own malicious binaries. The attacks involve command files and PowerShell scripts to carry out malicious activities.
The primary goal of these attacks is to gain remote access to compromised systems, steal credentials, and deploy the XMRig cryptocurrency miner. The impact was felt by numerous Russian users in industrial sectors and educational institutions, with some infections also reported in Belarus and Kazakhstan.
Rare Werewolf, also known as Librarian Ghouls and Rezet, is an APT group with a history of targeting organizations in Russia and Ukraine. The group has been active since at least 2019.
The latest findings by Kaspersky reveal that phishing emails are used as a means to deliver malware, with password-protected archives containing executable files to initiate the infection process.
These archives include an installer for a legitimate tool called 4t Tray Minimizer and other payloads like a decoy PDF document posing as a payment order.
The attackers employ various tools such as Defender Control, Blat, and AnyDesk to steal data, disable antivirus software, and execute the cryptocurrency miner.
One notable aspect is a batch script that triggers a PowerShell script to wake up the victim’s system at 1 a.m., allowing remote access via AnyDesk for a four-hour window before shutting down at 5 a.m.
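As an added defensive example (not code from the article, Kaspersky, or the group's own scripts), the following Python scores scheduled-task records for the pattern described above: an off-hours wake-to-run trigger that launches a script interpreter, paired with a shutdown task a few hours later. The task records and the 00:00 to 06:00 off-hours window are constructed assumptions, not real telemetry.

```python
from dataclasses import dataclass
from datetime import time

# Indicators from the article: the interpreters that start the chain, the
# remote-access tool, and the shutdown that closes the window.
INTERPRETERS = {"cmd.exe", "powershell.exe"}
REMOTE_ACCESS = {"anydesk.exe"}
SHUTDOWN = {"shutdown.exe"}

@dataclass(frozen=True)
class Task:
    name: str
    start: time        # daily trigger time
    wake_to_run: bool  # task may wake the host from sleep
    action: str        # lower-case basename of the launched executable

def is_off_hours(t: time) -> bool:
    # Assumption: nobody is expected at the keyboard between 00:00 and 06:00.
    return time(0, 0) <= t < time(6, 0)

def task_findings(task: Task) -> list[str]:
    """Reasons a single task resembles part of the off-hours access window."""
    reasons = []
    if task.wake_to_run and is_off_hours(task.start):
        reasons.append("wakes host during off-hours")
    if task.action in INTERPRETERS:
        reasons.append("launches script interpreter")
    if task.action in REMOTE_ACCESS:
        reasons.append("launches remote-access tool")
    if task.action in SHUTDOWN and is_off_hours(task.start):
        reasons.append("scheduled off-hours shutdown")
    return reasons

def access_windows(tasks: list[Task]) -> list[tuple[str, str, float]]:
    """Pair each off-hours wake task with a later shutdown task; the gap in
    hours is the unattended window a remote operator would get."""
    minutes = lambda t: t.hour * 60 + t.minute
    wakes = [t for t in tasks if t.wake_to_run and is_off_hours(t.start)]
    stops = [t for t in tasks if t.action in SHUTDOWN]
    return [(w.name, s.name, (minutes(s.start) - minutes(w.start)) / 60)
            for w in wakes for s in stops if s.start > w.start]

# Constructed sample records mirroring the described behaviour (not telemetry).
SAMPLE = [
    Task("Updater", time(1, 0), True, "powershell.exe"),
    Task("Cleanup", time(5, 0), False, "shutdown.exe"),
    Task("Backup", time(22, 0), False, "backup.exe"),
]
```

On a real host the same records can be built from the task scheduler's exported task definitions; the pairing logic flags the 1 a.m. wake and 5 a.m. shutdown as a four-hour window.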
Kaspersky highlighted the challenge of detecting APT activity due to the use of legitimate software for malicious purposes.
Positive Technologies recently uncovered DarkGaboon, a financially motivated cybercrime group using LockBit 3.0 ransomware to target Russian entities. The group has been operational since May 2023 and employs phishing emails to deliver malware.
DarkGaboon’s tactics include dropping trojans like XWorm and Revenge RAT to blend in with other cybercriminal activities and complicate attribution efforts.