Cybersecurity Analysis of the Librarian Ghouls
A cybersecurity analysis by Kaspersky has revealed a disturbing trend involving a hacker collective known as the Librarian Ghouls, also referred to as Rare Werewolf. This group has successfully infiltrated numerous devices in Russia, exploiting them to mine cryptocurrency through a tactic known as cryptojacking.
Method of Attack
The hackers gain access by deploying malware-laden phishing emails that mimic official correspondence, making it difficult for unsuspecting recipients to distinguish them from legitimate messages. This report, released by Kaspersky on Monday, outlines how the malicious actors enhance their control over infected systems.
Infection and Control Tactics
Upon infecting a system, the Librarian Ghouls establish a remote connection and take measures to disable security features such as Windows Defender. To further obscure their activities, they configure the compromised device to power up at 1 am and shut down at 5 am, using this window to siphon off login details and gather key hardware specifications, such as available RAM and CPU capabilities. Kaspersky suspects this behavior is aimed at ensuring users remain oblivious to the unauthorized use of their devices.
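The 1 am to 5 am activity window and the disabling of Windows Defender described above are observable from the host's own event logs. The following detection sketch is an added example, not code from Kaspersky's report: it runs over a constructed sample of boot, shutdown and Defender events and flags hosts that repeatedly boot inside that window. The simplified "timestamp host source event_id" line format and the sample values are assumptions made for the example; the event IDs used are the Windows System log's 6005 (Event Log service started, i.e. boot), 6006 (stopped, i.e. shutdown) and the Windows Defender operational log's 5001 (real-time protection disabled).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the Kaspersky report), one event per line:
# "timestamp host source event_id". WS-17 boots nightly at ~01:00 and shuts down at
# ~05:00 with Defender real-time protection disabled; WS-22 shows normal office hours.
SAMPLE_LOG = """\
2025-03-03T01:02:10 WS-17 System 6005
2025-03-03T01:05:41 WS-17 Defender 5001
2025-03-03T04:58:02 WS-17 System 6006
2025-03-04T01:01:55 WS-17 System 6005
2025-03-04T04:59:30 WS-17 System 6006
2025-03-05T01:00:48 WS-17 System 6005
2025-03-05T05:00:12 WS-17 System 6006
2025-03-03T08:12:00 WS-22 System 6005
2025-03-03T17:40:19 WS-22 System 6006
2025-03-04T08:05:33 WS-22 System 6005
"""

BOOT_ID, DEFENDER_OFF_ID = "6005", "5001"
WINDOW_START, WINDOW_END = 1, 5   # the 01:00-05:00 window described in the report

def parse(log_text):
    """Parse the assumed line format into (timestamp, host, source, event_id) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, source, event_id = line.split()
        events.append((datetime.fromisoformat(ts), host, source, event_id))
    return events

def in_window(ts):
    return WINDOW_START <= ts.hour < WINDOW_END   # 01:00 <= t < 05:00

def find_suspect_hosts(log_text, min_days=2):
    """Return {host: {"nightly_boot_days": n, "defender_disabled": bool}} for every
    host that booted inside the night window on at least min_days distinct days.
    Requiring several distinct days filters out a one-off late-night maintenance boot."""
    night_days = defaultdict(set)
    defender_off = set()
    for ts, host, source, event_id in parse(log_text):
        if source == "System" and event_id == BOOT_ID and in_window(ts):
            night_days[host].add(ts.date())
        if source == "Defender" and event_id == DEFENDER_OFF_ID:
            defender_off.add(host)
    return {
        host: {"nightly_boot_days": len(days), "defender_disabled": host in defender_off}
        for host, days in night_days.items() if len(days) >= min_days
    }

if __name__ == "__main__":
    for host, info in find_suspect_hosts(SAMPLE_LOG).items():
        print(host, info)
```

On the sample, only WS-17 is reported (three nightly boots, Defender disabled); a real deployment would read the same event IDs from collected Windows event logs rather than a text sample.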
Targeted Victims and Ongoing Operations
Their ongoing operation, which reportedly began in December and continues to this day, has predominantly targeted Russian industrial firms and engineering institutions, with victims also reported in Belarus and Kazakhstan. Kaspersky’s findings highlight that these phishing attempts are crafted in Russian, with the attached files and documents also in that language, indicating that the intended audience is likely Russian-speaking.
Potential Motivations and History
Kaspersky’s analysts have suggested that the Librarian Ghouls may be motivated by a hacktivist agenda, using hacking techniques as a means of political protest. This theory is supported by their tactics, which often rely on legitimate software rather than bespoke malicious programs, an approach not uncommon among groups with activist leanings. According to another cybersecurity firm, BI.ZONE, the group’s activity dates back at least to 2019, underscoring the evolving nature of threats in cyberspace.