Cryptojacking Group Hacks Hundreds Of Devices To Mine Crypto

The Librarian Ghouls hacker group has compromised hundreds of Russian devices and used them to mine crypto in an apparent case of cryptojacking, cybersecurity firm Kaspersky says.
The hacker group, which is also known as Rare Werewolf, gains access to systems through malware-ridden phishing emails disguised as messages from legitimate organizations that appear to be official documents or payment orders, Kaspersky said in a report on Monday.
Hackers scope out device info before mining
After a computer is infected with the malware, the hackers establish a remote connection and disable security systems such as Windows Defender.
The infected device is also programmed to turn on at 1 am and shut down at 5 am, with the hackers using the time frame to further establish unauthorized remote access and steal login credentials.
“It is our assessment that the attackers use this technique to cover their tracks so that the user remains unaware that their device has been hijacked,” Kaspersky said.
They then steal login credentials and also collect information about the device’s available RAM, CPU cores and GPUs to optimally configure the crypto miner before deploying it.
While the miner is running, the hackers maintain a connection to the mining pool, sending a request every 60 seconds, according to Kaspersky.
“We observe that the attackers are continuously refining their tactics, encompassing not only data exfiltration but also the deployment of remote access tools and the use of phishing sites for email account compromise,” the firm said.
Cryptojacking campaign ongoing since 2024
So far, the hacking campaign, which started in December and is ongoing, has affected hundreds of Russian users, particularly industrial enterprises and engineering schools, with additional victims reported in Belarus and Kazakhstan.
The origin of the group hasn’t been established; however, Kaspersky said the phishing emails are “composed in Russian and include archives with Russian filenames, along with Russian-language decoy documents.”
“This suggests that the primary targets of this campaign are likely based in Russia or speak Russian,” Kaspersky said.
Librarian Ghouls could be hacktivists
Kaspersky speculates that the Librarian Ghouls might be hacktivists, who use hacking as a form of civil disobedience to promote a political agenda, due to the use of techniques commonly associated with similar groups, such as reliance on legitimate, third-party utilities.
“A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,” Kaspersky said.
It’s unknown how long the group has been active, but another Russian cybersecurity firm, BI.ZONE, said in a Nov. 23 report that Rare Werewolf has been around since at least 2019.
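For defenders, the two timing details Kaspersky reports (activity between 1 am and 5 am, and a request to the mining pool every 60 seconds) can be turned into a simple hunt over outbound connection logs. The sketch below is an added example, not code from Kaspersky or the article; the log format, host names and destinations are constructed, and treating the two timings as one combined signal is this example's assumption.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (timestamp, host, destination); not taken from the report.
SAMPLE_LOG = """\
2025-06-10T01:10:00 ws-17 dest-a.example.net:443
2025-06-10T01:11:01 ws-17 dest-a.example.net:443
2025-06-10T01:12:00 ws-17 dest-a.example.net:443
2025-06-10T01:13:02 ws-17 dest-a.example.net:443
2025-06-10T01:14:00 ws-17 dest-a.example.net:443
2025-06-10T02:00:00 ws-30 backup.example.org:443
2025-06-10T02:30:00 ws-30 backup.example.org:443
2025-06-10T03:00:00 ws-30 backup.example.org:443
2025-06-10T03:30:00 ws-30 backup.example.org:443
2025-06-10T04:00:00 ws-30 backup.example.org:443
2025-06-10T10:00:00 ws-41 monitor.example.org:443
2025-06-10T10:01:00 ws-41 monitor.example.org:443
2025-06-10T10:02:00 ws-41 monitor.example.org:443
2025-06-10T10:03:00 ws-41 monitor.example.org:443
2025-06-10T10:04:00 ws-41 monitor.example.org:443
"""


def find_beacons(lines, period=60, tolerance=5, min_events=5, window=(1, 5)):
    """Return (host, dest) pairs contacted every ~period seconds, only inside window hours."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        seen[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    hits = []
    for key, times in seen.items():
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        near = [abs(g - period) <= tolerance for g in gaps]
        periodic = abs(median(gaps) - period) <= tolerance and sum(near) >= 0.8 * len(gaps)
        in_window = all(window[0] <= t.hour < window[1] for t in times)
        if periodic and in_window:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG.splitlines()))
```

Only the host with a 60-second cadence inside the night window is returned; the half-hourly night-time job and the daytime 60-second heartbeat are not, which keeps scheduled backups and monitoring agents out of the results.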