Russian Devices Hijacked for Covert Crypto Mining & Key Theft
The Librarian Ghouls APT group has covertly leveraged Russian business computers, transforming them into illicit crypto mining operations while simultaneously exfiltrating sensitive financial data and private keys.
According to research from Kaspersky, the Librarian Ghouls APT group, also tracked as Rare Werewolf and Rezet, is running a dual-purpose campaign: it covertly uses victims' own hardware for crypto mining while stealing crypto wallet credentials and private keys obtained through targeted phishing.
The operation reportedly gains unauthorized remote access to victim machines, deploys Monero mining software on them, and extracts cryptocurrency wallet credentials and private keys at the same time.
The scheme typically starts with deceptive phishing emails, which include password-protected archives designed to mimic official documents from legitimate organizations.
When an unsuspecting victim extracts and runs these files, the infection chain begins. The malware installer deploys the legitimate 4t Tray Minimizer window manager, using it both to hide its activity from the user and to contact remote servers that supply additional malicious payloads.
To maximize stealth and evade detection, the perpetrators set a precise schedule: compromised devices automatically wake at 1 AM and power down at 5 AM. This brief, predawn four-hour window, when nobody is at the keyboard, is when the illicit operations run.
During this time, the malicious software thoroughly scans for valuable cryptocurrency data, including wallet.dat files, seed phrases, private keys, and any documents containing terms like “bitcoin” or “ethereum,” regardless of language.
Following data extraction, the compromised information is then compressed into password-protected archives and sent via SMTP to email accounts controlled by the attackers. Subsequently, the system proceeds to install XMRig crypto mining software, configured to connect to mining pools managed by the threat actors.
The illicit crypto mining operation then proceeds undetected, secretly consuming the victim’s computational power and electricity to generate Monero cryptocurrency directly for the attackers.
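The behaviours described above (off-hours wake and shutdown tasks, a process reading wallet files and keyword-matching documents, an archive followed by an SMTP connection from a non-mail process, and a miner launch) are each visible in ordinary endpoint telemetry. The script below is an added detection sketch written for this article; it is not Kaspersky's code and it does not reproduce the malware. It runs over a constructed JSON-lines telemetry sample (hostnames, paths, pool and mail server names are all invented placeholders) and flags each stage independently, so a single hit is a lead and several hits on one host are a strong signal.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, NOT real logs from the campaign. One JSON event per
# line: ts, host, type, pid, image, plus type-specific keys (assumed schema).
SAMPLE_TELEMETRY = r"""
{"ts": "2025-05-12T00:58:10", "host": "eng-ws07", "type": "task_created", "pid": 4120, "image": "C:\\Windows\\System32\\schtasks.exe", "task": "SysWake", "trigger": "01:00", "wake_to_run": true, "action": "C:\\ProgramData\\upd\\run.bat"}
{"ts": "2025-05-12T00:58:11", "host": "eng-ws07", "type": "task_created", "pid": 4120, "image": "C:\\Windows\\System32\\schtasks.exe", "task": "SysOff", "trigger": "05:00", "wake_to_run": false, "action": "shutdown.exe /s /f /t 0"}
{"ts": "2025-05-12T01:03:44", "host": "eng-ws07", "type": "file_read", "pid": 5310, "image": "C:\\ProgramData\\upd\\collect.exe", "path": "C:\\Users\\ivan\\AppData\\Roaming\\Bitcoin\\wallet.dat"}
{"ts": "2025-05-12T01:03:45", "host": "eng-ws07", "type": "file_read", "pid": 5310, "image": "C:\\ProgramData\\upd\\collect.exe", "path": "C:\\Users\\ivan\\Documents\\ethereum seed phrase.txt"}
{"ts": "2025-05-12T01:05:02", "host": "eng-ws07", "type": "file_create", "pid": 5310, "image": "C:\\ProgramData\\upd\\collect.exe", "path": "C:\\ProgramData\\upd\\out.rar"}
{"ts": "2025-05-12T01:05:30", "host": "eng-ws07", "type": "net_connect", "pid": 5310, "image": "C:\\ProgramData\\upd\\collect.exe", "dst": "mail.example.net", "dport": 587}
{"ts": "2025-05-12T01:10:00", "host": "eng-ws07", "type": "process_start", "pid": 6001, "image": "C:\\ProgramData\\upd\\svc.exe", "cmdline": "svc.exe -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER --donate-level 0"}
{"ts": "2025-05-12T09:15:00", "host": "eng-ws07", "type": "net_connect", "pid": 7200, "image": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe", "dst": "mail.example.net", "dport": 587}
"""

MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = ("thunderbird.exe", "outlook.exe")   # legitimate SMTP senders (assumption)
ARCHIVE_EXT = (".rar", ".zip", ".7z")
# File names the article says the malware hunts for; extend with other languages as needed.
WALLET_PATTERN = re.compile(r"wallet\.dat$|seed|private.?key|bitcoin|ethereum", re.I)
# Generic miner indicators: the stratum pool scheme and XMRig's donate-level switch.
MINER_PATTERN = re.compile(r"stratum\+tcp://|--donate-level|xmrig", re.I)


def parse_telemetry(text):
    """Parse JSON lines into event dicts with a real datetime in 'ts'."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def detect(events):
    """Return (rule, host, detail) tuples for each matched behaviour."""
    findings = []
    by_pid = defaultdict(list)
    for e in events:
        by_pid[(e["host"], e["pid"])].append(e)

    # Rule 1: scheduled tasks that wake the host or shut it down in the off-hours window.
    for e in events:
        if e["type"] != "task_created":
            continue
        hour = int(e["trigger"].split(":")[0])
        off_hours = hour < 7   # before the working day starts (assumption)
        if off_hours and (e.get("wake_to_run") or "shutdown" in e["action"].lower()):
            findings.append(("off_hours_task", e["host"],
                             f'{e["task"]} @ {e["trigger"]} -> {e["action"]}'))

    # Rule 2: one process reading several wallet-related files.
    for (host, _pid), evs in by_pid.items():
        hits = [e["path"] for e in evs
                if e["type"] == "file_read" and WALLET_PATTERN.search(e["path"])]
        if len(hits) >= 2:
            findings.append(("wallet_harvest", host,
                             f'{evs[0]["image"]} read {len(hits)} wallet-related files'))

    # Rule 3: archive written, then SMTP connection from the same non-mail process within 10 min.
    for (host, _pid), evs in by_pid.items():
        if evs[0]["image"].lower().endswith(MAIL_CLIENTS):
            continue
        archives = [e for e in evs if e["type"] == "file_create"
                    and e["path"].lower().endswith(ARCHIVE_EXT)]
        smtp = [e for e in evs if e["type"] == "net_connect" and e["dport"] in MAIL_PORTS]
        for a in archives:
            for s in smtp:
                if timedelta(0) <= s["ts"] - a["ts"] <= timedelta(minutes=10):
                    findings.append(("smtp_exfil", host, f'{a["path"]} -> {s["dst"]}:{s["dport"]}'))

    # Rule 4: miner indicators in a process command line.
    for e in events:
        if e["type"] == "process_start" and MINER_PATTERN.search(e.get("cmdline", "")):
            findings.append(("miner_launch", e["host"], e["cmdline"]))
    return findings


def run_sample():
    return detect(parse_telemetry(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"[{rule}] {host}: {detail}")
```

Rule 3 is the one worth tuning first in a real environment: mail clients and backup agents legitimately write archives and talk SMTP, so the allow-list of mail client images and the 10-minute correlation window are the knobs that keep it quiet. Rule 1 catches the 1 AM / 5 AM schedule without hard-coding those times, so a change of hours by the operators does not blind it.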
Throughout May, the attackers maintained continuous operations, focusing their efforts predominantly on industrial enterprises and engineering schools located across Russia and the Commonwealth of Independent States.
Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.