Rare Werewolf APT Targets Russian Entities with Sophisticated Cyber Attacks

The cyber threat actor identified as Rare Werewolf, formerly known as Rare Wolf, has recently been linked to a series of advanced cyber attacks primarily targeting Russia and the Commonwealth of Independent States (CIS). According to a report by Kaspersky, the group relies on legitimate third-party software rather than custom malware, which makes its activity harder to distinguish from ordinary administration and complicates detection (Kaspersky).

The attacks aim to establish remote access to compromised systems, siphoning credentials and deploying the XMRig cryptocurrency miner. Affected parties include industrial enterprises and engineering schools in Russia, with some incidents also reported in Belarus and Kazakhstan.

Rare Werewolf, also known as Librarian Ghouls and Rezet, has been active since at least 2019, targeting organizations in Russia and Ukraine (Kaspersky). The group has gained notoriety for its stealthy operational methods.

Initial access to target networks is often gained through phishing emails carrying password-protected archives; opening the archive contents starts the infection chain. The payloads are themselves legitimate tools, including Mipko Employee Monitor (employee-monitoring software repurposed to record keystrokes and harvest passwords) and Defender Control (a utility that switches off Microsoft Defender), which give the operators interactive access to infected systems while disabling local security measures (BI.ZONE).

Recent findings indicate that these attacks also use the legitimate tool 4t Tray Minimizer, which hides application windows in the system tray, to conceal malicious activity from the logged-in user. The adversaries use AnyDesk for remote access and run a batch script that launches PowerShell scripts; these open the remote-access window only at specified times, so that hands-on activity occurs when it is least likely to be noticed.
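Because every component in the two paragraphs above is a legitimate program, no single binary is a reliable alert on its own; a hunt has to score their co-occurrence on one host. The following Python script, an added example rather than code from Kaspersky, BI.ZONE or the article, runs that logic over constructed process-creation events. The executable names it matches (dControl.exe for Defender Control, 4t-min.exe for 4t Tray Minimizer, xmrig.exe) and the scheduled-task pattern for the timed PowerShell access are assumptions, since operators can rename binaries freely.

```python
"""
Co-occurrence hunt for the Rare Werewolf tool chain in process-creation
telemetry. Added example, not code from Kaspersky, BI.ZONE or the article.
Executable names and the scheduled-task pattern are assumptions; the events
at the bottom are constructed for illustration.
"""
import re
from collections import defaultdict

# Each indicator is a regex applied to the lower-cased image path plus command
# line. Individually these are legitimate programs; the hunt scores how many
# distinct ones appear on the same host.
INDICATORS = {
    "mipko_employee_monitor": re.compile(r"mipko"),
    "defender_control":       re.compile(r"defender ?control|dcontrol\.exe"),   # assumed file name
    "4t_tray_minimizer":      re.compile(r"4t[- ]?(tray)?[- ]?min"),            # assumed file name
    "anydesk":                re.compile(r"anydesk"),
    "xmrig":                  re.compile(r"xmrig|--donate-level|stratum\+tcp"),  # binary may be renamed
}

# A scheduled task that launches PowerShell is how the timed-access batch
# script described in the article would most plausibly appear in telemetry
# (assumption about the operator's implementation).
SCHTASKS_POWERSHELL = re.compile(r"schtasks(\.exe)?\s.*?/create.*?(powershell|pwsh)", re.S)


def match_indicators(event):
    """Return the set of indicator names present in one process-creation event."""
    text = f"{event['image']} {event['command_line']}".lower()
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    if SCHTASKS_POWERSHELL.search(text):
        hits.add("scheduled_powershell_task")
    return hits


def hunt(events, min_indicators=2):
    """Group events by host and return hosts with at least min_indicators
    distinct indicators, mapped to the sorted indicator list."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_indicators(ev)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= min_indicators}


# Constructed sample telemetry: one compromised workstation and one admin host
# that legitimately runs AnyDesk only.
SAMPLE_EVENTS = [
    {"host": "ENG-WS01", "image": r"C:\Users\ivanov\AppData\Local\Temp\7za.exe",
     "command_line": "7za.exe x -pXXXX invoice.rar"},
    {"host": "ENG-WS01", "image": r"C:\ProgramData\Mipko\MipkoEmployeeMonitor.exe",
     "command_line": "MipkoEmployeeMonitor.exe"},
    {"host": "ENG-WS01", "image": r"C:\ProgramData\dControl.exe",
     "command_line": "dControl.exe"},
    {"host": "ENG-WS01", "image": r"C:\ProgramData\4t-min.exe",
     "command_line": "4t-min.exe"},
    {"host": "ENG-WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "Update" /sc daily /st 01:00 /tr "powershell.exe -ep bypass -f C:\ProgramData\access.ps1"'},
    {"host": "ENG-WS01", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "command_line": "AnyDesk.exe"},
    {"host": "ENG-WS01", "image": r"C:\ProgramData\svc\xmrig.exe",
     "command_line": "xmrig.exe"},
    {"host": "IT-ADM02", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "command_line": "AnyDesk.exe"},
    {"host": "IT-ADM02", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks.exe /query /tn "Backup"'},
]

if __name__ == "__main__":
    for host, indicators in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(indicators)}")
```

The threshold of two distinct indicators is a starting point, not a rule: a fleet where Mipko or AnyDesk is sanctioned software will need those entries weighted down or allow-listed per host group, and a scheduled task that runs PowerShell outside business hours deserves review even when it is the only hit.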

The emergence of these attacks comes in the wake of another cybercrime group, DarkGaboon, which has been leveraging LockBit 3.0 ransomware to target Russian entities. Investigations reveal that DarkGaboon operates independently while adopting similar techniques aimed at evading detection.

As cyber threats evolve, experts warn that abuse of legitimate software for malicious purposes hinders both detection and attribution of such advanced persistent threat (APT) activity, since the binaries involved carry valid signatures and are often already present in the target environment.