Librarian Ghouls, an APT group targeting Russian and CIS entities, employs legitimate third-party software and scripting rather than custom malware for its attacks, focusing on credential theft and deploying a crypto miner. Their ongoing campaign features phishing emails, remote access tools, and complex infection stages, with hundreds of victims primarily in Russia and neighboring countries. #LibrarianGhouls #RareWerewolf #Rezet #XMRig #AnyDesk
Keypoints
- Librarian Ghouls targets Russian and CIS organizations mainly via phishing emails containing password-protected archives with malicious executables disguised as legitimate documents.
- The attackers leverage legitimate third-party software such as AnyDesk, Blat, curl, Defender Control, and 4t Tray Minimizer to perform remote access, data exfiltration, and security evasion.
- The infection includes PowerShell scripts and command files that disable Windows Defender, configure power settings, and establish scheduled tasks for stealth operations.
- The group steals cryptocurrency wallet credentials, registry hives, and other sensitive information before deploying the XMRig crypto miner controlled via custom bmcontrol.exe software.
- The campaign includes phishing domains designed to harvest mail.ru credentials, with infrastructure servers permitting directory listing, aiding analysis.
- Victims primarily include Russian industrial enterprises and educational institutions, with attacks also reported in Belarus and Kazakhstan.
- Librarian Ghouls continually updates implant configurations and tools while relying on legitimate utilities, complicating detection and attribution.
MITRE Techniques
- [T1566.001] Phishing – Initial infection vector using targeted phishing emails with password-protected archives (“targeted phishing emails that contain password-protected archives with executable files inside”).
- [T1204] User Execution – Victims opening malicious attachments disguised as official documents (“victim opens the attached archive … and opens them”).
- [T1047] Windows Management Instrumentation – Use of PowerShell scripts to execute malicious tasks (“batch file executes the wol.ps1 script via PowerShell”).
- [T1218] Signed Binary Proxy Execution – Use of legitimate utilities such as curl and Blat for downloading files and exfiltrating data (“The script uses curl to download files … uses Blat to send data”).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Installation of 4t Tray Minimizer to maintain persistence (“install the legitimate window manager, 4t Tray Minimizer”).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Execution of batch files and command files during infection (“generates and executes a rezet.cmd command file”).
- [T1027] Obfuscated Files or Information – Use of password-protected archives and renaming files to obscure malicious activity (“archive with password-protected files”, “files renamed into data.cab, installer.config and runtime.cab”).
- [T1562.001] Impair Defenses: Disable or Modify Tools – Use of Defender Control to disable Windows Defender (“uses Defender Control (dc.exe) to disable Windows Defender”).
- [T1043] Commonly Used Port – Use of SMTP via Blat utility to exfiltrate data (“send data they steal to an email server they control”).
- [T1132] Data Encoding – Packaging stolen data into password-protected archives before exfiltration (“driver.exe to pack data it has collected into two separate password-protected archives”).
- [T1496] Resource Hijacking – Deployment of XMRig crypto miner to hijack victim system resources for mining (“deploy an XMRig crypto miner in the system”).
- [T1053.003] Scheduled Task/Job: Scheduled Task – Creation of scheduled tasks to run malicious activities like waking the machine and automated shutdown (“Register-ScheduledTask … ‘WakeUpAndLaunchEdge’ … schtasks /create /tn ‘ShutdownAt5AM’”).
Indicators of Compromise
- [File Hash] Malicious implants and components – d8edd46220059541ff397f74bfd271336dda702c6b1869e8a081c71f595a9e682f3d67740bb7587ff70cc7319e9fe5c517c0e55345bf53e01b3019e415ff098bde998, e880a1bb0e7d422b78a54b35b3f53e348ab27425f1c561db120c0411da5c1ce9c353a708edfd0f77a486af66e407f7b78583394d7b5f994cd8d2e6e263d25968636d4f1e3dcf0332a815ce3f526a02df3c4ef2890a74521d05d6050917596748c5eeec72b5e6d0e84ff91dfdcbefbbbf441878780f887febb0caf3cbe882ec728bdb8df5677a11348f5787ece3c7c94824b83ab3f31f40e361e600576909b0732af2841bf925ed1875faadcbb0ef316c641e1dcdb61d1fbf80c3443c2fc9454f, and others.
- [Domain] Command-and-control and phishing domains – downdown[.]ru, dragonfires[.]ru (C2 servers, resolve to 185.125.51[.]5), users-mail[.]ru, deauthorization[.]online (phishing domains harvesting mail.ru credentials).
- [File Name] Malicious scripts and executables – rezet.cmd, bat.bat, wol.ps1, install.exe, bmcontrol.exe, run.exe, stop.cmd, uninstall.cmd (used in infection and mining control).
- [IP Address] C2 infrastructure – 185.125.51[.]5 (hosting multiple malicious servers).
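A defender-side sweep for the script and file names, scheduled-task names, and infrastructure listed in the technique and indicator sections above, as an added example that is not part of the Securelist report or this summary. The telemetry lines, the rule patterns, and the threshold of three distinct stages per host are constructed assumptions for the example.

```python
"""Sweep endpoint telemetry for the Librarian Ghouls tradecraft summarised above.

Added example, not code from the Securelist report. The log lines are
constructed for this example and are not real victim data.
"""
import re

# (tag, regex) pairs. File names, task names, domains and the C2 address are
# the ones listed on this page; the regexes themselves are assumptions.
RULES = [
    ("defender_control", re.compile(r"\bdc\.exe\b", re.I)),
    ("campaign_cmd_files", re.compile(r"\b(rezet\.cmd|bat\.bat|stop\.cmd|uninstall\.cmd)\b", re.I)),
    ("wol_ps1_via_powershell", re.compile(r"powershell.*\bwol\.ps1\b", re.I)),
    ("scheduled_task_names", re.compile(r"WakeUpAndLaunchEdge|ShutdownAt5AM", re.I)),
    ("blat_smtp_exfil", re.compile(r"\bblat(\.exe)?\b", re.I)),
    ("miner_controller", re.compile(r"\bbmcontrol\.exe\b", re.I)),
    ("known_domain", re.compile(r"\b(downdown\.ru|dragonfires\.ru|users-mail\.ru|deauthorization\.online)\b", re.I)),
    ("known_c2_ip", re.compile(r"(?<![\d.])185\.125\.51\.5(?![\d.])")),
]

def refang(text: str) -> str:
    """Undo the [.] defanging used in IoC lists so one rule set matches raw telemetry too."""
    return text.replace("[.]", ".")

def scan(lines):
    """Return (line_number, tag) hits; a single line can trip several rules."""
    hits = []
    for n, line in enumerate(lines, 1):
        probe = refang(line)
        hits.extend((n, tag) for tag, rx in RULES if rx.search(probe))
    return hits

def hosts_with_chain(lines, min_distinct=3):
    """Hosts that tripped at least min_distinct different rules: one stage alone
    (a lone curl or AnyDesk run) is noise, several stages of the chain are not."""
    seen = {}
    for n, tag in scan(lines):
        m = re.search(r"host=(\S+)", lines[n - 1])
        if m:
            seen.setdefault(m.group(1), set()).add(tag)
    return sorted(h for h, tags in seen.items() if len(tags) >= min_distinct)

# Constructed sample telemetry (process-creation and DNS events), not real data.
SAMPLE_LOG = r"""
2025-06-02 09:14:03 host=WS-017 event=ProcessCreate cmdline=cmd.exe /c C:\Users\Public\rezet.cmd
2025-06-02 09:14:05 host=WS-017 event=ProcessCreate cmdline=powershell -File wol.ps1
2025-06-02 09:14:09 host=WS-017 event=ProcessCreate cmdline=C:\Intel\dc.exe
2025-06-02 09:14:12 host=WS-017 event=ProcessCreate cmdline=schtasks /create /tn ShutdownAt5AM /sc daily /st 05:00
2025-06-02 09:15:40 host=WS-017 event=DnsQuery query=downdown.ru answer=185.125.51.5
2025-06-02 10:00:00 host=WS-018 event=ProcessCreate cmdline=curl -o C:\Temp\update.zip https://example.invalid/file
""".strip().splitlines()

if __name__ == "__main__":
    for n, tag in scan(SAMPLE_LOG):
        print(f"line {n}: {tag}")
    print("hosts with chained stages:", hosts_with_chain(SAMPLE_LOG))
```

The curl line on WS-018 is deliberately left unmatched: on its own, a legitimate utility run is not evidence of this campaign, which is why the host-level chain threshold exists.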
Read more: https://securelist.com/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto/116536/