New investigations reveal that a cybercriminal collective, dubbed Rare Werewolf, is clandestinely commandeering computer systems across Russia and nearby nations to secretly generate cryptocurrency.

Cybersecurity specialists at the Russian firm Kaspersky have uncovered that these digital offenders are utilizing XMRig software, a genuine program designed for cryptocurrency mining, on compromised devices. The malicious operations have impacted hundreds of computer users located in Russia, specifically targeting industrial businesses and institutions of higher learning related to engineering; incidents have also been noted in Belarus and Kazakhstan.

According to Kaspersky’s findings, the initial point of entry for these attacks comes through phishing emails crafted in the Russian language. These emails feature password-protected compressed files that harbor detrimental executable programs. The emails are cleverly disguised as communications from credible organizations, designed to resemble official documents or even payment notifications.

Once inside a system, the perpetrators steal account login details and then deploy the XMRig software, using the computing resources of their victims to mine digital currency. To evade detection and maintain persistence on compromised systems, the group has implemented an unusual routine: infected machines are scheduled to shut down automatically at 5:00 AM each day. Ahead of the next shutdown, a script launches Microsoft Edge at 1:00 AM, which wakes the computer and gives the hackers a four-hour window in which to establish remote access and maintain control.
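The shutdown-and-wake routine described above is a pattern defenders can hunt for in scheduled-task inventories. The script below is an added example written for this article; it is not code from Kaspersky or from the campaign. It scans a list of scheduled-task records and flags hosts that carry both halves of the pattern: a daily shutdown command around 05:00 and a daily launch of Microsoft Edge around 01:00. The record layout, host names, task names and command lines are constructed for illustration, and the tolerance window and marker strings are assumptions a practitioner would tune to their environment.

```python
"""Flag hosts whose scheduled tasks match the 01:00 Edge launch / 05:00
shutdown pattern described in the article (added example, not the page's
own code or the attackers' tooling)."""
from collections import defaultdict

# Constructed sample records (assumption): one tuple per scheduled task,
# roughly what an inventory built from `schtasks /query` would yield.
# Layout: (host, task name, daily trigger time "HH:MM", command line)
SAMPLE_TASKS = [
    ("WS-ENG-01", "Maintenance", "05:00", r"C:\Windows\System32\shutdown.exe /s /f /t 0"),
    ("WS-ENG-01", "EdgeUpdateX", "01:00", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    ("WS-ENG-02", "Backup",      "23:30", r"C:\Tools\backup.bat"),
    ("WS-LAB-07", "Cleanup",     "04:55", r"cmd.exe /c shutdown /s /t 60"),
    ("WS-LAB-07", "Browser",     "01:05", r"msedge.exe --no-first-run"),
    ("WS-LAB-07", "Patch",       "12:00", r"C:\Tools\patch.exe"),
]

# Substrings that identify the two halves of the pattern (assumed markers;
# extend them with whatever wrapper scripts are common in your estate).
SHUTDOWN_MARKERS = ("shutdown.exe", "shutdown /s", "shutdown /r")
BROWSER_MARKERS = ("msedge.exe",)


def parse_hhmm(value):
    """Convert "HH:MM" into minutes since midnight."""
    hours, minutes = value.split(":")
    return int(hours) * 60 + int(minutes)


def within(minute_a, minute_b, tolerance_minutes):
    """True when two times of day are within the tolerance, wrapping at midnight."""
    diff = abs(minute_a - minute_b)
    return min(diff, 24 * 60 - diff) <= tolerance_minutes


def find_wake_shutdown_pairs(tasks, shutdown_at="05:00", wake_at="01:00", tolerance=15):
    """Return {host: {"shutdown": [task names], "wake": [task names]}} for every
    host that has BOTH a shutdown task near `shutdown_at` and a browser-launch
    task near `wake_at`. Hosts with only one half are not reported, which keeps
    ordinary nightly shutdown policies from firing the alert on their own."""
    shutdown_min = parse_hhmm(shutdown_at)
    wake_min = parse_hhmm(wake_at)
    by_host = defaultdict(lambda: {"shutdown": [], "wake": []})

    for host, name, when, cmd in tasks:
        trigger = parse_hhmm(when)
        lowered = cmd.lower()
        if any(m in lowered for m in SHUTDOWN_MARKERS) and within(trigger, shutdown_min, tolerance):
            by_host[host]["shutdown"].append(name)
        elif any(m in lowered for m in BROWSER_MARKERS) and within(trigger, wake_min, tolerance):
            by_host[host]["wake"].append(name)

    return {host: halves for host, halves in by_host.items()
            if halves["shutdown"] and halves["wake"]}


if __name__ == "__main__":
    for host, halves in sorted(find_wake_shutdown_pairs(SAMPLE_TASKS).items()):
        print(f"{host}: shutdown tasks {halves['shutdown']}, wake tasks {halves['wake']}")
```

On the constructed data this reports WS-ENG-01 and WS-LAB-07 and stays silent on WS-ENG-02, whose only nightly task is a backup. Requiring both halves on the same host is the design choice that matters: a lone 05:00 shutdown is common in managed fleets, and a lone early-morning browser launch is noise, but the two together at the times the article describes are worth a look.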

Research also showed that the attackers collect details about the number of CPU cores and graphics processors on each machine, which they need to tune the crypto miner, and send this data to their management servers.

Previous investigations indicate that Rare Werewolf has been active since at least 2019. The group commonly relies on legitimate third-party software rather than building its own malicious tools to carry out its schemes. The group's origin remains undetermined.

Kaspersky detailed that the current campaign began in December 2024 and was ongoing as of the last reporting period, with the intruders consistently refining their techniques. Beyond cryptocurrency mining, in earlier campaigns the group has targeted sensitive documents and login credentials and compromised Telegram accounts.

According to Kaspersky, the organization’s tactics, such as using self-extracting zip files combined with third-party programs, match those commonly linked to groups with hacktivist motivation.

XMRig has been widely misused by cybercriminals, who are constantly developing innovative strategies to infiltrate the installer onto the computer systems of unassuming victims. In prior instances, aimed at businesses in Russia, hackers have distributed this program through malicious, unverified copies of well-known games.
