
Rare Werewolf Hackers Target Russian Devices for Crypto Theft


  • Rare Werewolf hackers target Russian devices for cryptojacking and data theft. 
  • Malicious phishing emails pose as authentic business documents. 
  • Scheduled tasks wake the infected machines at 1 a.m. to mine and shut them down again at 5 a.m.

Hundreds of Russian devices have been compromised by the well-organized hacker group Rare Werewolf, which mines cryptocurrency on them and steals private information. The group has operated since at least 2019 and relies on carefully crafted phishing to get into systems, often targeting industrial enterprises and engineering institutions in Russia, Belarus, and Kazakhstan. Cybersecurity researchers note that the group keeps a low profile and misuses legitimate software for malicious purposes instead of relying on custom malware.

Phishing Emails Fuel Rare Werewolf Attacks

A Rare Werewolf attack begins with phishing emails written in Russian and disguised as official messages from trusted organizations. These emails carry password-protected archives containing executables that pose as business documents, such as payment orders. When a victim opens the file, it runs malware that gives the attackers remote access to the system.

The attackers then install legitimate remote-access software, most often AnyDesk, which gives them control that looks like ordinary administration rather than malware and so slips past many defenses. Scheduled tasks wake the compromised machines at 1 a.m. and shut them down again at 5 a.m. This wake-and-sleep cycle reduces the chances of detection: the systems behave normally during working hours, and the mining happens while no one is at the keyboard.

Cryptojacking and Data Theft Tactics

Once access is established, Rare Werewolf deploys the XMRig miner, configured according to the device's RAM, CPU cores and GPUs, to mine cryptocurrency. At the same time the attackers steal credentials and sensitive operational data, mostly from industrial and academic victims. Detection is made harder by the group's use of legitimate third-party tools, such as Mipko Personal Monitor (employee-monitoring software) and WebBrowserPassView (a browser password recovery utility).

Hundreds of devices have been affected by the campaign, and the attackers have gone after organizations holding valuable intellectual property. The scale of the campaign underscores the growing threat of cryptojacking, in which cybercriminals steal computing power to turn a profit.

Detection is further complicated by the use of PowerShell scripts and batch files, which create the scheduled tasks that handle the wake-ups and shutdowns and keep the activity low-profile. Cybersecurity reports note that the group's methods resemble those of hacktivists and may carry a political motive, but its origin remains unknown.
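The wake-at-1-a.m., shut-down-at-5-a.m. cycle described above leaves a concrete artefact on the host: scheduled task definitions. The following Python script is an added example, not code from the report or from the campaign, showing one way to triage Task Scheduler XML (as produced by `schtasks /query /tn <name> /xml`) for that pattern. The three sample task exports are constructed for the example, the indicator regex (miner and remote-access binary names, a shutdown action, hidden or encoded PowerShell invocations) is an assumed list chosen for illustration, and the 00:00 to 05:59 window is taken from the cycle the article describes.

```python
"""Triage exported Windows Task Scheduler XML for the wake-at-night pattern.

Assumed workflow (not from the report): export each task with
`schtasks /query /tn <name> /xml` and pass the XML text to assess_task().
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Hypothetical indicator list for this example: the miner and remote-access tools the
# article names, a shutdown action, and PowerShell flags that hide a window or pass an
# encoded command. Tune it to your own environment.
SUSPICIOUS_ACTION = re.compile(
    r"(xmrig|anydesk|shutdown(\.exe)?\s+/s|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)
OFF_HOURS = range(0, 6)  # 00:00-05:59 local; the reported cycle is 01:00 wake, 05:00 shutdown


def trigger_hours(root):
    """Local start hours of every trigger StartBoundary in a parsed task."""
    hours = []
    for sb in root.findall(".//t:Triggers//t:StartBoundary", NS):
        try:
            hours.append(datetime.fromisoformat((sb.text or "").strip()).hour)
        except ValueError:
            continue  # malformed boundary: skip it rather than abort the hunt
    return hours


def _is_true(root, path):
    el = root.find(path, NS)
    return el is not None and (el.text or "").strip().lower() == "true"


def assess_task(xml_text):
    """Score one task definition. Returns (score, reasons); the score is len(reasons)."""
    root = ET.fromstring(xml_text)
    reasons = []
    if _is_true(root, "t:Settings/t:WakeToRun"):
        reasons.append("wake-to-run enabled")
    if _is_true(root, "t:Settings/t:Hidden"):
        reasons.append("task hidden from the Task Scheduler UI")
    hours = trigger_hours(root)
    if any(h in OFF_HOURS for h in hours):
        reasons.append(f"starts in off-hours window at {sorted(set(hours))}")
    for ex in root.findall("t:Actions/t:Exec", NS):
        line = f"{ex.findtext('t:Command', '', NS)} {ex.findtext('t:Arguments', '', NS)}".strip()
        m = SUSPICIOUS_ACTION.search(line)
        if m:
            reasons.append(f"action matches '{m.group(0)}': {line}")
    return len(reasons), reasons


def wake_shutdown_pair(task_xmls):
    """True when the set holds both an off-hours wake-to-run task and an off-hours
    shutdown task: the combination the report describes, which a lone nightly
    backup job does not produce on its own."""
    wake = shutdown = False
    for xml_text in task_xmls:
        root = ET.fromstring(xml_text)
        in_window = any(h in OFF_HOURS for h in trigger_hours(root))
        if in_window and _is_true(root, "t:Settings/t:WakeToRun"):
            wake = True
        for ex in root.findall("t:Actions/t:Exec", NS):
            if in_window and "shutdown" in ex.findtext("t:Command", "", NS).lower():
                shutdown = True
    return wake and shutdown


def hunt(tasks):
    """Rank a {task name: xml text} mapping by score, highest first."""
    rows = []
    for name, xml_text in tasks.items():
        score, reasons = assess_task(xml_text)
        rows.append((score, name, reasons))
    return sorted(rows, reverse=True)


# Constructed sample exports for the example; not real artefacts from the campaign.
WAKE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-05-01T01:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>true</WakeToRun><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\ProgramData\svc\update.ps1</Arguments>
  </Exec></Actions>
</Task>"""

SHUTDOWN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-05-01T05:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>false</WakeToRun></Settings>
  <Actions><Exec><Command>shutdown.exe</Command><Arguments>/s /f /t 0</Arguments></Exec></Actions>
</Task>"""

LOGROTATE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-05-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>false</WakeToRun></Settings>
  <Actions><Exec><Command>cmd.exe</Command><Arguments>/c forfiles /p C:\Logs /d -30 /c "cmd /c del @path"</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    samples = {"Update": WAKE_TASK, "Maintenance": SHUTDOWN_TASK, "LogRotate": LOGROTATE_TASK}
    for score, name, reasons in hunt(samples):
        print(f"{score}  {name}: {'; '.join(reasons)}")
    print("wake/shutdown pair present:", wake_shutdown_pair(samples.values()))
```

A single off-hours task is only a lead: nightly backups and update jobs legitimately start at 2 a.m. and may use wake-to-run, which is why the benign log-rotation sample still scores one point. The pairing check is the stronger signal, because a wake-to-run task followed a few hours later by a forced shutdown is the cycle the report describes and has few benign explanations; confirm it by inspecting what the wake task's script actually launches.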

Broader Implications for Cybersecurity

The Rare Werewolf attacks show how imperfect organizational cybersecurity remains, especially in Russia and the Commonwealth of Independent States (CIS). The valuable data held by the industrial and engineering sectors is at particular risk. The combination of phishing, legitimate tools and scheduled tasks, together with the careful planning behind the campaign, poses a problem for traditional defenses that look for malicious binaries rather than misused legitimate ones.

Organizations are advised to harden their email security and to monitor for unauthorized remote access and unexpected scheduled tasks. The risks can be reduced further through regular system audits and up-to-date antivirus software.
