Librarian Ghouls strike in the early hours: you wake up, and your access is already gone.
Hundreds of corporate users in Russia were subjected to overnight attacks by a hacker group. This was reported to TASS by the press service of Kaspersky Lab.
According to experts, the campaign began in December 2024. Responsibility for the attacks is attributed by researchers to a group they call Librarian Ghouls. According to the company’s observations, the attackers’ activities are recorded between 01:00 and 05:00 local time. Their primary targets are employees of industrial enterprises and technical universities.
Kaspersky Lab notes that this group is already known for complex attacks on selected targets in Russia and CIS countries. Moreover, the attackers mainly use legitimate software.
As specialists explained, the purpose of these nighttime attacks is to gain remote access to devices and intercept user credentials. Additionally, a cryptocurrency mining tool is installed on infected devices. Researchers also detected the emergence of phishing websites that mimic a popular Russian email service.
The attack begins with a phishing email containing a password-protected archive. When the recipient opens the archive and launches its contents, the files are saved to one of the computer’s folders, giving the attackers the ability to remotely control the system. The attackers also employ methods to hide the malware’s presence.
The malware activates at 01:00 and, over the next four hours, collects credentials and recovery (seed) phrases for cryptocurrency wallets, sending the stolen data to the attackers with their own tooling. At 05:00, the computer is shut down by a job in the built-in task scheduler.
After transmitting the stolen data to the attackers, the malware deletes all files it created during the attack, installs the miner, and finally self-destructs.
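The fixed 01:00 to 05:00 window and the scheduler-driven shutdown are the most reliable artefacts a defender can look for in the chain described above. The following script is an added example, not code from the report or from Kaspersky Lab: it triages a verbose scheduled-task export (the layout assumed is that of `schtasks /query /fo CSV /v`, whose columns include `TaskName`, `Task To Run` and `Start Time`) and flags tasks that start inside the overnight window and either invoke a shutdown or run a binary from outside the Windows directory. The CSV rows, task names and paths are constructed for illustration; the hour window comes from the report.

```python
import csv
import io
import re
from datetime import datetime

# Window in which the report places the activity: 01:00 (activation) to 05:00 (shutdown), inclusive.
SUSPICIOUS_WINDOW = (1, 5)

# Action strings that perform a shutdown/restart via the built-in shutdown utility.
SHUTDOWN_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*?(?:/s|/r|/p)\b", re.IGNORECASE)

# Prefixes treated as "system" locations; anything else scheduled overnight gets a closer look.
SYSTEM_PREFIXES = ("%windir%", "%systemroot%", "c:\\windows\\")

# Constructed sample export (assumed schtasks verbose CSV layout, reduced to the columns used here).
SAMPLE_TASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Start Time"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","01:00:00"
"WS01","\Updater","C:\Users\Public\svc\run.bat","Daily","01:00:00"
"WS01","\PowerOff","shutdown.exe /s /f /t 0","Daily","5:00:00 AM"
"WS01","\Backup","C:\Program Files\Acme\backup.exe --full","Daily","23:00:00"
'''


def parse_hour(start_time):
    """Return the hour (0-23) from a schtasks Start Time in 24h or 12h (AM/PM) form, else None."""
    for fmt in ("%H:%M:%S", "%I:%M:%S %p"):
        try:
            return datetime.strptime(start_time.strip(), fmt).hour
        except ValueError:
            continue
    return None


def triage_tasks(csv_text, window=SUSPICIOUS_WINDOW):
    """Return (task name, start hour, reasons) for tasks that start in the window and look out of place."""
    lo, hi = window
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        hour = parse_hour(row.get("Start Time", ""))
        if hour is None or not (lo <= hour <= hi):
            continue  # outside the overnight window: not of interest for this check
        reasons = []
        if SHUTDOWN_RE.search(action):
            reasons.append("scheduled shutdown")
        # Strip a leading quote so quoted paths are compared on the path itself.
        if not action.lower().lstrip('"').startswith(SYSTEM_PREFIXES):
            reasons.append("non-system binary")
        if reasons:
            findings.append((name, hour, reasons))
    return findings


if __name__ == "__main__":
    for name, hour, reasons in triage_tasks(SAMPLE_TASKS_CSV):
        print(f"{name}: starts {hour:02d}:00 -> {', '.join(reasons)}")
```

On the constructed export the built-in defrag task starts at 01:00 but is ignored because it runs from `%windir%`, while the `\Updater` job (user-writable path) and the `\PowerOff` job (shutdown at 05:00) are both reported. In practice the same filter can be run over exports gathered from many hosts, and any overnight shutdown task that an administrator did not create deserves follow-up together with the host's scheduled-task and logon events for the same window.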