The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries.
“A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,” Kaspersky said. “The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts.”
The intent of the attacks is to establish remote access to compromised hosts, and siphon credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan.
Rare Werewolf, also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a track record of striking organizations in Russia and Ukraine. It’s believed to be active at least since 2019.
According to BI.ZONE, the threat actor obtains initial access using phishing emails, leveraging the foothold to steal documents, Telegram messenger data, and drop tools like Mipko Employee Monitor, WebBrowserPassView, and Defender Control to interact with the infected system, harvest passwords, and disable antivirus software.
The latest set of attacks documented by Kaspersky reveals the use of phishing emails as a malware delivery vehicle, using password-protected archives containing executable files as a starting point to activate the infection.
Present within the archive is an installer that’s used to deploy a legitimate tool called 4t Tray Minimizer, as well as other payloads, including a decoy PDF document that mimics a payment order.
Source: The Hacker News