A cybercriminal group known as Rare Werewolf is conducting a targeted phishing campaign against companies in Russia and CIS countries. This group, also referred to as "Librarian Ghouls" or "Rezet", has been actively compromising systems to mine cryptocurrency and steal sensitive data.
Rare Werewolf's Phishing Tactics
According to recent research, Rare Werewolf employs phishing emails that mimic legitimate communications to trick victims. These emails often include malicious attachments, which, when opened, grant attackers remote access to the victim’s device. Once access is obtained, the group exfiltrates sensitive information such as login credentials and crypto wallet details. Additionally, they deploy Monero (XMR) miners to exploit the system’s processing power for cryptocurrency mining.
To avoid detection, the attackers program compromised machines to operate during specific hours. Typically, these devices are set to wake up at 1 AM and shut down at 5 AM, ensuring their activities remain hidden from users.
Targeted Sectors and Techniques
The group's primary targets are industrial enterprises, with engineering schools also being a focus. Phishing emails are written in Russian and include attachments with Russian-language filenames and decoy documents. This indicates that their victims are predominantly based in Russia or are fluent Russian speakers.
Rare Werewolf uses phishing pages hosted on domains such as users-mail[.]ru and deauthorization[.]online. These pages are built with PHP scripts designed to steal login credentials, particularly for popular Russian email services like Mail.ru.
Key Indicators of Phishing Campaigns
- Emails that appear to be from legitimate organizations but contain unexpected attachments.
- Attachments with generic or suspicious filenames, especially in the recipient's native language.
- Links directing users to unfamiliar domains asking for login credentials.
Monero Mining and Stealth Strategies
The group's choice of Monero (XMR) as their cryptocurrency of focus is notable. Monero is often favored by malicious actors due to its strong privacy features. The attackers leverage compromised devices to mine Monero, taking advantage of unsuspecting victims' processing power. By scheduling mining activities during off-hours, they minimize the likelihood of detection.
How to Protect Yourself
To safeguard against such phishing campaigns, consider the following tips:
- Be cautious with email attachments: Avoid opening attachments from unknown or unverified sources.
- Verify the sender: Double-check email addresses for inconsistencies or suspicious domains.
- Use strong security measures: Implement two-factor authentication (2FA) and maintain updated antivirus software.
- Monitor device activity: Check for unusual behavior, such as unexpected wake-up times or performance issues.
- Inspect URLs: Avoid clicking on links that redirect to unfamiliar or unsecured websites.
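One way to act on the "monitor device activity" advice against the off-hours cycle described earlier (wake around 1 AM, shutdown around 5 AM): an added Python example, not code from the original article or the researchers it cites. The log format, event names and timestamps are constructed for illustration; a real deployment would feed it power events exported from the endpoint's own event log.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample telemetry (not real logs): "<ISO timestamp> <event>" per line,
# imitating the 01:00 wake / 05:00 shutdown cadence attributed to Rare Werewolf.
SAMPLE_LOG = """\
2025-06-02T01:00:12 resume
2025-06-02T05:00:03 shutdown
2025-06-03T01:00:09 resume
2025-06-03T05:00:05 shutdown
2025-06-04T01:00:14 resume
2025-06-04T05:00:02 shutdown
2025-06-04T09:12:40 resume
2025-06-04T18:30:01 shutdown
"""

# Tolerance windows around the reported schedule; tune for your fleet.
WAKE_WINDOW = (time(0, 45), time(1, 15))
SHUTDOWN_WINDOW = (time(4, 45), time(5, 15))

def parse_events(text):
    """Return [(datetime, event_name)] from the constructed log format above."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        stamp, _, name = line.partition(" ")
        events.append((datetime.fromisoformat(stamp), name.strip()))
    return events

def resume_hour_histogram(events):
    """Count resume events per hour of day; a spike at one small hour is a lead."""
    return Counter(ts.hour for ts, name in events if name == "resume")

def find_offhours_cycles(events, min_nights=3):
    """ISO dates with a resume near 01:00 followed by a shutdown near 05:00.
    Reported only when it repeats on >= min_nights dates, since one matching
    night may just be a legitimate maintenance job."""
    wakes, shutdowns = set(), set()
    for ts, name in events:
        if name == "resume" and WAKE_WINDOW[0] <= ts.time() <= WAKE_WINDOW[1]:
            wakes.add(ts.date())
        elif name == "shutdown" and SHUTDOWN_WINDOW[0] <= ts.time() <= SHUTDOWN_WINDOW[1]:
            shutdowns.add(ts.date())
    cycles = sorted(d.isoformat() for d in wakes & shutdowns)
    return cycles if len(cycles) >= min_nights else []

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("resume events by hour:", dict(resume_hour_histogram(evts)))
    print("suspicious off-hours cycles:", find_offhours_cycles(evts))
```

The daytime session on the last day is ignored because it falls outside both windows, so only the three repeated night cycles are reported.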
Ongoing Threats
As of the latest reports, the Rare Werewolf campaign remains active and continues to pose a significant threat to organizations in the region. Their focus on industrial enterprises and engineering schools highlights the importance of maintaining robust cybersecurity measures, particularly for high-value targets.
Staying vigilant and adopting proactive security strategies can help individuals and organizations protect themselves against these evolving threats.