Cryptojacking Group ‘Librarian Ghouls’ Hacks Hundreds of Russian Devices to Mine Cryptocurrency
Overview of the Operations
A hacker group known as the Librarian Ghouls, also referred to as Rare Werewolf, has compromised hundreds of computers across Russia in a cryptojacking campaign. The operation uses the victims' devices to mine cryptocurrency without their knowledge, according to a recent report from cybersecurity firm Kaspersky. Rather than novel exploits, the group relies on phishing for initial access and on legitimate third-party utilities once inside, which is part of what makes the activity hard to spot.
Methodology of the Attack
According to Kaspersky, the Librarian Ghouls gain their initial foothold primarily through phishing emails carrying malicious attachments. The emails are designed to mimic official correspondence, often posing as payment orders or documents from legitimate organizations. Once a victim opens the attachment and runs its contents, the malware executes and gives the attackers remote access to the device.
Once inside, the attackers disable security features such as Windows Defender so they can operate undetected. They also reconfigure the infected device to power on at night and shut down in the early morning, so that mining and remote sessions run while the owner is away and the machine appears idle during the working day; the overnight window also keeps their remote access available. During that window they collect detailed information about the hardware, such as available RAM, CPU cores and graphics processing units (GPUs), to tune the mining workload to each host.
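The three traces described above (Defender tampering, night-time power scheduling, and a mining workload) are all visible from the host itself. The following hunting script is an added example written for this page; it is not from the Kaspersky report or the article, and it uses only standard Windows cmdlets and event IDs. The 22:00 to 06:00 "night" window, the 30-day look-back and the command-line keywords used to flag a miner are assumptions chosen for illustration, not indicators published by Kaspersky.

```powershell
# Added example: local hunt for the behaviours described in the article.
# Run in an elevated PowerShell session on the suspect Windows host.
# Assumptions: night window, look-back period and miner keywords are illustrative.

$findings = [System.Collections.Generic.List[string]]::new()
$since    = (Get-Date).AddDays(-30)                       # assumed look-back
$night    = @(22, 23, 0, 1, 2, 3, 4, 5, 6)                # assumed "night" hours

# 1. Defender state now, and recent tampering in the Defender operational log
#    (5001 = real-time protection disabled, 5007 = configuration changed).
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) { $findings.Add('DisableRealtimeMonitoring preference is set') }
if ($pref.ExclusionPath) { $findings.Add('Defender path exclusions: ' + ($pref.ExclusionPath -join '; ')) }

Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $first = ($_.Message -split "`r?`n")[0]
    $findings.Add("Defender event $($_.Id) at $($_.TimeCreated): $first")
}

# 2. Scheduled tasks that wake the machine, start at night, or shut it down.
foreach ($task in Get-ScheduledTask) {
    $why = @()
    if ($task.Settings.WakeToRun) { $why += 'WakeToRun' }
    foreach ($trigger in $task.Triggers) {
        if ($trigger.StartBoundary) {
            $hour = ([datetime]$trigger.StartBoundary).Hour
            if ($hour -in $night) { $why += "trigger starts $($trigger.StartBoundary)" }
        }
    }
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'shutdown(\.exe)?$') { $why += "action: $($action.Execute) $($action.Arguments)" }
    }
    if ($why.Count) {
        $findings.Add("Task $($task.TaskPath)$($task.TaskName) [author: $($task.Author)]: " + ($why -join ', '))
    }
}

# 3. Unattended wake-ups at night. Power-Troubleshooter event 1 in the System log
#    records the wake source (a scheduled task shows up as a timer).
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Power-Troubleshooter'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated.Hour -in $night } | ForEach-Object {
    $findings.Add("Night-time wake at $($_.TimeCreated)")
}

# 4. Running processes whose command line looks like a pool miner. The keywords are
#    an assumed heuristic (stratum is the usual pool protocol; the flags are common
#    miner options), so review hits by hand rather than treating them as proof.
$minerHint = 'stratum|--donate-level|--cpu-max-threads|--algo|--coin'
Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -match $minerHint } | ForEach-Object {
    $findings.Add("Possible miner: PID $($_.ProcessId) $($_.Name) :: $($_.CommandLine)")
}

if ($findings.Count) { $findings } else { 'No findings for the checks above.' }
```

The script is read-only: it reports, and deliberately does not re-enable Defender or delete tasks, because on a compromised host those artefacts are evidence and the persistence they reveal (task author, wake source, pool address) is what tells you how far the intrusion went. The hardware inventory the attackers collect (RAM, cores, GPUs) can be pulled the same way with Get-CimInstance on Win32_ComputerSystem, Win32_Processor and Win32_VideoController, which is useful when judging whether an observed CPU or GPU load matches the machine's normal workload.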
Victims and Geographic Reach
Since the cryptojacking campaign began in December 2023, it has predominantly targeted employees of industrial enterprises and engineering institutions in Russia. The threat is not confined to Russia: Kaspersky has identified additional victims in Belarus and Kazakhstan. The phishing emails are composed in Russian, with Russian subject lines and document names, indicating that the intended targets are Russian speakers.
Possible Motivations Behind the Attacks
Kaspersky suggests that the Librarian Ghouls may align with hacktivist ideologies. Hacktivists often use cyberattacks as a form of political protest or civil disobedience. Kaspersky notes that the group's methods, particularly their reliance on legitimate third-party utilities rather than custom malware, match tactics frequently employed by other hacktivist groups.
A notable aspect of this threat is the attackers' preference for existing, legitimate software over purpose-built binaries. This costs them little to develop and lets their activity blend in with ordinary administrative use of the same tools, which makes it harder to separate from legitimate behaviour on the host.
Evolution of Tactics
Kaspersky has observed that the Librarian Ghouls are continuously refining their tactics. Their operations no longer focus solely on data theft; they also use remote access tools and phishing sites to compromise email accounts. This shows a group adapting its approach to evade security controls and maximize its illicit gains.
Conclusion
The ongoing activity of the Librarian Ghouls highlights how exposed both organizations and individual users remain to phishing-driven intrusions, particularly in the targeted regions. As cryptojacking becomes more prevalent, users should stay vigilant against phishing attempts, and organizations should monitor for disabled endpoint protection, unexpected power scheduling and unexplained CPU or GPU load, since those are the footprints this campaign leaves. Cybersecurity researchers continue to monitor the situation and advise potential victims on protective measures.