Librarian Ghouls, also known as “Rare Werewolf” and “Rezet”, is an APT group targeting entities in Russia and the CIS that favors legitimate third-party software over custom tooling wherever it can.
The attackers infect victims through phishing emails carrying password-protected archives whose malicious files are disguised as official documents.
After the initial infection, the attackers establish remote access with tools such as AnyDesk and deploy the XMRig miner to mine cryptocurrency on the compromised host.
The attackers repurpose legitimate utilities such as Blat, curl, and NirCmd for malicious activity, which makes the intrusion hard to distinguish from ordinary administrative use.
The attackers use Mipko Personal Monitor and WebBrowserPassView to monitor victims and steal stored credentials.
Phishing campaigns by Librarian Ghouls target Russian users and industrial enterprises, with infrastructure linked to command-and-control servers downdown[.]ru and dragonfires[.]ru.
The attackers install a crypto miner, collect data such as cryptocurrency wallet credentials, and rely on legitimate software like AnyDesk for remote access.
Librarian Ghouls show traits of hacktivist groups, constantly updating their implants and using over 100 malicious files across their campaigns.
The article emphasizes the importance of monitoring and sharing information on this active APT group for better protection against their evolving tactics.
The summary covers the technical details of Librarian Ghouls' attack methods, infrastructure, victims, and indicators of compromise related to their ongoing campaigns.
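Because the group chains ordinary software rather than a single recognizable implant, detection works better by correlating the tools and C2 domains named above per host than by matching any one of them. The script below is an added example, not code from the original article or from the group's own toolset; the log format and the executable-name fragments are assumed, and the sample telemetry is constructed.

```python
import re
from collections import defaultdict

# C2 domains from the report, written defanged and refanged only for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("downdown[.]ru", "dragonfires[.]ru")}

# Lower-case executable-name fragments (assumed) for the tools the report lists,
# grouped by the role they play in the intrusion chain.
TOOL_CATEGORIES = {"remote_access": ("anydesk",), "miner": ("xmrig",),
                   "lolbin": ("blat", "nircmd", "curl"),
                   "spyware": ("webbrowserpassview", "mipko")}

# Constructed telemetry: "<time> <host> proc <image path>" or "<time> <host> dns <query>".
SAMPLE_LOG = """\
10:00:01 ws-17 proc C:\\Users\\u\\AppData\\Local\\Temp\\AnyDesk.exe
10:00:05 ws-17 dns downdown.ru
10:00:09 ws-17 proc C:\\ProgramData\\xmrig.exe
10:00:12 ws-17 proc C:\\Windows\\System32\\curl.exe
10:01:00 ws-02 proc C:\\Windows\\System32\\curl.exe
10:02:30 ws-09 dns dragonfires.ru
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (proc|dns) (.+)$")

def classify(event, value):
    """Return the indicator category one event matches, or None."""
    v = value.lower()
    if event == "dns":
        return "c2_domain" if v.rstrip(".") in C2_DOMAINS else None
    image = v.replace("\\", "/").rsplit("/", 1)[-1]  # basename of the image path
    for category, fragments in TOOL_CATEGORIES.items():
        if any(f in image for f in fragments):
            return category
    return None

def correlate(log_text):
    """Map host -> set of indicator categories observed on that host."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, host, event, value = m.groups()
            cat = classify(event, value)
            if cat:
                hits[host].add(cat)
    return dict(hits)

def alerts(log_text):
    """Flag a host on any C2 lookup, or when two or more tool categories co-occur.
    A lone curl.exe, a common legitimate binary, is deliberately not enough."""
    return {h: sorted(c) for h, c in correlate(log_text).items()
            if "c2_domain" in c or len(c) >= 2}
```

In the constructed sample, ws-17 is flagged for the remote-access tool, miner and C2 lookup together, ws-09 for the C2 lookup alone, and ws-02 (curl only) is not.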