APT carries out attacks with data theft and crypto miner deployment

Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto miner. Their tactics include disabling security measures, scheduling tasks to cover their tracks, and exfiltrating sensitive data. The campaign primarily affects industrial enterprises and engineering schools in Russia, with some victims in Belarus and Kazakhstan. The group continues to refine its methods, focusing on data exfiltration, remote access, and email account compromise through phishing sites.

Author: AlienVault

Related Tags: cis, legitimate tools, crypto mining, T1588.002, T1036.005, T1566.001, T1053.005, data theft, T1070.004

Associated Indicators: