Dangerous Librarian Ghouls Attack Russian Users with Crypto Mining Malware

The world of cryptocurrency is constantly evolving, and unfortunately, so are the threats. Cybersecurity firm Kaspersky has revealed a concerning trend: a hacker group known as the Librarian Ghouls is actively targeting individuals and organizations, primarily Russian users, to hijack their devices for illicit crypto mining. This type of attack, known as cryptojacking, allows bad actors to steal valuable computing power without the victim’s knowledge.

Who Are the Librarian Ghouls and What is Cryptojacking?

According to a report from Kaspersky, the Librarian Ghouls, also referred to as Rare Werewolf, are behind a campaign that has compromised hundreds of devices. Their primary goal appears to be crypto mining using the resources of infected computers.

Cryptojacking is a type of cybercrime where a hacker secretly uses a victim’s computing power to mine cryptocurrency. Instead of investing in expensive mining hardware, attackers leverage compromised devices, essentially stealing electricity and processing power from unsuspecting users. This can lead to significant performance issues, increased energy bills, and wear and tear on the victim’s hardware.

How Do These Crypto Mining Attacks Happen?

The Librarian Ghouls employ classic but effective methods to gain access. Their attack vector primarily involves malware delivered through phishing emails. These emails are carefully crafted to look legitimate, often disguised as official documents or payment orders from trusted organizations.

Once a device is infected, the hackers take several steps:

  • They establish a remote connection to the compromised system.
  • Security systems, such as Windows Defender, are often disabled to prevent detection.
  • The malware is programmed to activate and run the miner during specific off-hours, typically from 1 am to 5 am, to avoid detection by the user.
  • During this time, they steal login credentials and gather system information (RAM, CPU cores, GPUs) to optimize the crypto mining process.
  • The miner is then deployed, maintaining a connection to a mining pool and sending regular requests.

This scheduled activity helps the attackers cover their tracks, ensuring the user remains unaware that their device has been hijacked for crypto mining.
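As an added example (not code from Kaspersky's report or this article), the following hunt scores hosts on the three behaviours listed above: real-time protection turned off, a scheduled task that starts inside the 1 am to 5 am window, and outbound connections during that same window. The telemetry format, the event kinds (`defender_rtp`, `task_created`, `net_conn`) and the field names are assumptions, and the sample records are constructed.

```python
"""Score hosts on the off-hours cryptojacking pattern described above.

Assumptions (not from the report): telemetry is one JSON object per line
with fields host, kind and ts; the kinds defender_rtp, task_created and
net_conn are hypothetical normalised event types.
"""
import json
from collections import defaultdict
from datetime import datetime, time

# Off-hours window the article describes (1 am to 5 am).
WINDOW_START, WINDOW_END = time(1, 0), time(5, 0)

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = """\
{"host": "ws-01", "kind": "defender_rtp", "ts": "2025-02-10T00:52:10", "enabled": false}
{"host": "ws-01", "kind": "task_created", "ts": "2025-02-10T00:55:03", "task": "Updater", "start": "01:10"}
{"host": "ws-01", "kind": "net_conn", "ts": "2025-02-10T01:12:44", "proc": "svc.exe", "dst": "pool.example"}
{"host": "ws-02", "kind": "task_created", "ts": "2025-02-10T09:00:00", "task": "Backup", "start": "22:00"}
{"host": "ws-02", "kind": "net_conn", "ts": "2025-02-10T09:01:00", "proc": "chrome.exe", "dst": "example.com"}
"""


def in_window(t: time) -> bool:
    """True when a wall-clock time falls in the 01:00-05:00 window."""
    return WINDOW_START <= t < WINDOW_END


def indicators(events):
    """Map each host to the set of indicators observed for it."""
    hits = defaultdict(set)
    for ev in events:
        when = datetime.fromisoformat(ev["ts"]).time()
        kind = ev["kind"]
        if kind == "defender_rtp" and not ev["enabled"]:
            hits[ev["host"]].add("defender_disabled")
        elif kind == "task_created" and in_window(time.fromisoformat(ev["start"])):
            hits[ev["host"]].add("offhours_task")
        elif kind == "net_conn" and in_window(when):
            hits[ev["host"]].add("offhours_connection")
    return hits


def suspicious_hosts(raw: str, min_indicators: int = 2):
    """Return hosts showing at least min_indicators of the three behaviours."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    hits = indicators(events)
    return {h: sorted(i) for h, i in hits.items() if len(i) >= min_indicators}


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_EVENTS))
```

A single indicator (a backup task at night, say) is normal on many fleets; requiring two or more of the three together is what makes the pattern worth an analyst's time.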

Which Russian Users Are Being Targeted?

The campaign, which began in December and is still active, has affected hundreds of victims. While the origin of the group is unknown, the targeting is quite specific. Kaspersky notes that the phishing emails and attached documents are composed in Russian, strongly suggesting that the primary targets are based in Russia or are Russian speakers.

Specific sectors targeted include:

  • Industrial enterprises
  • Engineering schools

Additional victims have also been reported in Belarus and Kazakhstan, neighbouring countries with close ties to Russia.

Could Librarian Ghouls Be Hacktivists? Insights from Kaspersky

One interesting aspect highlighted by Kaspersky is the potential motivation behind the Librarian Ghouls. While financial gain through crypto mining is a clear driver, Kaspersky speculates they might also be hacktivists.

Hacktivists use hacking to promote a political or social agenda. Kaspersky’s assessment is based on the group’s reliance on legitimate, third-party utilities rather than developing their own malicious software. This technique is commonly associated with hacktivist groups, who often repurpose existing tools for their campaigns.

Whether purely for profit or driven by a political motive, the impact on the targeted Russian users remains the same: compromised systems and stolen resources for illicit gain.

Protecting Against Cryptojacking Threats

This ongoing campaign by the Librarian Ghouls underscores the importance of cybersecurity vigilance, especially for individuals and organizations in the targeted regions.

Here are some key takeaways:

  • Be extremely cautious with emails, especially those containing attachments or requesting login information, even if they appear to be from legitimate sources.
  • Ensure your operating system and security software (like antivirus) are kept up-to-date.
  • Use strong, unique passwords and consider enabling multi-factor authentication where possible.
  • Monitor your system’s performance for unexplained slowdowns, which could be a sign of unauthorized activity like crypto mining.

Security firms like Kaspersky continue to monitor these evolving threats, but user awareness and proactive security measures are the first line of defense against groups like the Librarian Ghouls and their cryptojacking efforts.

Summary

The Librarian Ghouls represent a persistent cyber threat, leveraging phishing attacks to compromise systems and exploit them for crypto mining. Their focus on Russian users, particularly in industrial and educational sectors, highlights a specific targeting strategy. While their potential motivation as hacktivists is being considered by experts like Kaspersky, the tangible impact is the unauthorized use of computing resources for financial gain. Staying informed about their tactics and implementing robust security practices are essential steps in mitigating the risk posed by this dangerous group.
