    Rare Werewolf hackers compromise Russian devices for crypto mining in hacktivist style: Kaspersky

    Kaspersky suspects that the Librarian Ghouls hacker group, which compromises devices to mine crypto, could be hacktivists based on the way they carry out hacks. 

    The cybersecurity firm Kaspersky reportedly said that the Librarian Ghouls hacker group, also known as “Rare Werewolf” and “Rezet,” carries out its illicit activities on Russian devices using legitimate organization names, a strategy that other hacktivist groups commonly use.

    “The group’s primary initial infection vector involves targeted phishing emails that contain password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents. The infection process is as follows: the victim opens the attached archive (the password is usually provided in the email body), extracts the files inside, and opens them,” reads Kaspersky’s Securelist website.

    The malware is programmed to switch the infected device on at 1 AM and off at 5 AM, so that the user is unaware that the device has been infected. During this period, the bad actors steal credentials and establish remote access.

    Kaspersky stated, “We found no evidence of msedge.exe [main executable file for Microsoft Edge] being replaced or compromised, leading us to believe it is a genuine Microsoft Edge executable. This daily browser activation wakes the victim’s computer, giving attackers a four-hour window to establish unauthorized remote access with AnyDesk before the scheduled task shuts the machine down at 5 AM.” 
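A defender-side check for the schedule described above, as an added example that is not from Kaspersky's report or the original article: it parses exported Task Scheduler XML and pairs a task that wakes the machine at night with a later scheduled shutdown, which flags the pattern even when the launched binary is genuine. The task names, paths and the 00:00-05:59 "night" range are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from ntpath import basename  # Windows path rules on any OS

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
NIGHT = range(0, 6)  # assumption: 00:00-05:59 counts as unattended hours

def audit_task(xml_text):
    """Return (kind, 'HH:MM', command) findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    wake = root.findtext("t:Settings/t:WakeToRun", "", NS).strip().lower() == "true"
    times = [datetime.fromisoformat(e.text.strip()[:19])  # drop any zone suffix
             for e in root.iterfind("t:Triggers/*/t:StartBoundary", NS) if e.text]
    findings = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = root and ex.findtext("t:Command", "", NS).strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS).lower().split()
        exe = basename(cmd).lower()
        for ts in times:
            if ts.hour not in NIGHT:
                continue
            if exe in ("shutdown", "shutdown.exe") and {"/s", "-s"} & set(args):
                findings.append(("night_shutdown", ts.strftime("%H:%M"), cmd))
            elif wake:  # task is allowed to wake a sleeping machine
                findings.append(("night_wake", ts.strftime("%H:%M"), cmd))
    return findings

def unattended_windows(tasks):
    """Pair each night wake with a later night shutdown: (wake, shutdown, start, end)."""
    hits = [(name, f) for name, xml_text in tasks.items() for f in audit_task(xml_text)]
    wakes = [(n, f) for n, f in hits if f[0] == "night_wake"]
    downs = [(n, f) for n, f in hits if f[0] == "night_shutdown"]
    return [(wn, dn, wf[1], df[1]) for wn, wf in wakes for dn, df in downs if wf[1] < df[1]]

def sample_task(start, command, arguments, wake):  # builds constructed sample XML
    return f"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>{start}</StartBoundary></CalendarTrigger></Triggers>
  <Settings><WakeToRun>{wake}</WakeToRun></Settings>
  <Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""

SAMPLE = {  # constructed task names and paths, not indicators from the report
    "ExampleWake": sample_task("2025-01-01T01:00:00", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "", "true"),
    "ExampleShutdown": sample_task("2025-01-01T05:00:00", "shutdown.exe", "/s /f", "false"),
    "ExampleBackup": sample_task("2025-01-01T13:00:00", r"C:\Tools\backup.exe", "", "false"),
}

if __name__ == "__main__":
    print(unattended_windows(SAMPLE))
```

Task definitions can be exported with `schtasks /query /xml` or read from `C:\Windows\System32\Tasks`; those files are UTF-16, so pass them to `audit_task` as bytes.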

    Once the hackers gain access to the device, they collect and analyse information about the available CPU cores, RAM, and GPU, and then use it to run crypto mining optimally while maintaining a connection with the mining pool.
