Threat Intelligence

Widespread Russia, CIS-targeted intrusions launched by Rare Werewolf APT

Hundreds of users across Russian industrial enterprises and engineering schools, as well as organizations in Belarus and Kazakhstan that are part of the Commonwealth of Independent States, have been targeted by the advanced persistent threat operation Rare Werewolf in attacks involving credential theft and XMRig cryptominer compromise, The Hacker News reports.

Rare Werewolf, also known as Rezet and Librarian Ghouls, has used malicious emails carrying password-protected archives to deliver the 4t Tray Minimizer tool, which conceals malicious activity, along with additional payloads that retrieve other legitimate tools, according to a Kaspersky analysis. The group has relied on AnyDesk and Windows batch scripts to exfiltrate data and deploy XMRig. "It is a common technique to leverage third-party legitimate software for malicious purposes, which makes detecting and attributing APT activity more difficult," said Kaspersky researchers. Such findings follow a Positive Technologies report detailing the DarkGaboon hacking group's targeting of Russian organizations with the LockBit 3.0 ransomware.
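The chain described above (archive attachment, batch script, legitimate remote-administration tool, miner) is hard to catch by image name alone, because every binary except the miner is legitimate software. The following added example, which is not code from the article or from Kaspersky, shows a process-ancestry heuristic that flags a remote-administration or tray-hiding tool only when it was launched by a batch script, and a miner unconditionally. The event format, the basenames in the indicator lists (including the `4t-tray-minimizer.exe` basename) and the sample events are all constructed for illustration.

```python
"""Process-ancestry heuristic for a living-off-the-land chain.

Constructed example: the events are synthetic Sysmon-like process-creation
records in a made-up 'key=value|key=value' format, and the indicator lists
are assumptions for illustration rather than indicators from any report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed basenames. A production rule would also check signer and hash.
REMOTE_ADMIN = {"anydesk.exe"}
TRAY_HIDERS = {"4t-tray-minimizer.exe"}   # hypothetical basename for 4t Tray Minimizer
MINERS = {"xmrig.exe"}
SCRIPT_HOSTS = {"cmd.exe"}
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7z.exe"}  # assumed archive extractors


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'pid=..|ppid=..|image=..|cmdline=..' record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.strip().partition("=")
        fields[key] = value
    return ProcEvent(int(fields["pid"]), int(fields["ppid"]),
                     fields["image"], fields["cmdline"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links from ev to the root; guard against pid reuse loops."""
    chain, seen = [], set()
    cur: Optional[ProcEvent] = ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def is_batch_launched(chain: List[ProcEvent]) -> bool:
    """True if any ancestor is cmd.exe running a .bat/.cmd file."""
    return any(basename(a.image) in SCRIPT_HOSTS
               and re.search(r"\.(bat|cmd)\b", a.cmdline, re.I)
               for a in chain[1:])


def classify(ev: ProcEvent, chain: List[ProcEvent]) -> Optional[List[str]]:
    """Return alert tags, or None. Legitimate tools alert only when script-launched."""
    name = basename(ev.image)
    tags = []
    if name in MINERS:
        tags.append("miner")
    if name in REMOTE_ADMIN:
        tags.append("remote-admin")
    if name in TRAY_HIDERS:
        tags.append("tray-hider")
    if not tags:
        return None
    if is_batch_launched(chain):
        tags.append("batch-launched")
    if any(basename(a.image) in ARCHIVE_TOOLS for a in chain[1:]):
        tags.append("from-archive")
    if "miner" in tags or "batch-launched" in tags:
        return tags
    return None  # e.g. AnyDesk started interactively by the user


def detect(lines: List[str]) -> Dict[int, List[str]]:
    """Map pid -> alert tags for every suspicious process in the event set."""
    events = [parse_event(line) for line in lines]
    by_pid = {e.pid: e for e in events}
    alerts = {}
    for ev in events:
        tags = classify(ev, ancestry(ev, by_pid))
        if tags:
            alerts[ev.pid] = tags
    return alerts


# Constructed sample events: one archive -> batch -> tool chain, one benign launch.
SAMPLE_EVENTS = [
    "pid=100|ppid=1|image=C:\\Windows\\explorer.exe|cmdline=explorer.exe",
    "pid=200|ppid=100|image=C:\\Program Files\\WinRAR\\WinRAR.exe|cmdline=WinRAR.exe C:\\Users\\u\\Downloads\\invoice.rar",
    "pid=300|ppid=200|image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\setup.bat",
    "pid=400|ppid=300|image=C:\\Users\\u\\AppData\\Local\\Temp\\AnyDesk.exe|cmdline=AnyDesk.exe",
    "pid=500|ppid=300|image=C:\\Users\\u\\AppData\\Local\\Temp\\xmrig.exe|cmdline=xmrig.exe",
    "pid=600|ppid=100|image=C:\\Program Files\\AnyDesk\\AnyDesk.exe|cmdline=AnyDesk.exe",
]

if __name__ == "__main__":
    for pid, tags in detect(SAMPLE_EVENTS).items():
        print(pid, tags)
```

The user-launched AnyDesk instance (pid 600) is deliberately not flagged: the point of the heuristic is context, not the binary, which is what makes the abuse of legitimate tooling detectable at all.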
