The hacker group Librarian Ghouls, also known as Rare Werewolf, hacked hundreds of Russian devices for covert cryptocurrency mining. This was reported by specialists from Kaspersky Lab.
Infection Algorithm
The attackers gained access to the systems through phishing emails. The emails are disguised as messages from real organizations and look like official documents or payment orders.
After infecting the computer with malware, the hackers establish a remote connection and disable protective systems, including Windows Defender. Then they configure the device to automatically turn on at midnight and off at five in the morning. According to Kaspersky Lab, this is how the attackers hide their activities from the user.
During this time, they also steal credentials. Before launching the miner, the attackers gather information about the system: the amount of RAM, the number of CPU cores, and graphics card data. This allows them to configure the cryptocurrency-mining program for the hardware at hand. While the miner is running, the hackers maintain contact with the mining pool, sending requests every minute.
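As an added illustration (not part of the Kaspersky report), the following Python sketch shows how a defender could correlate the behaviours described above in host telemetry: the midnight wake-up and 05:00 shutdown schedule, real-time protection being switched off, and once-a-minute contact with a pool during the night. The log format, event names, host names and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, simplified telemetry lines for illustration (not real logs):
# "<timestamp> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2025-06-01T23:58:10 ws-17 TASK_CREATED trigger=00:00 action=wake
2025-06-01T23:58:12 ws-17 TASK_CREATED trigger=05:00 action=shutdown
2025-06-01T23:59:00 ws-17 DEFENDER_RTP state=disabled
2025-06-02T00:01:00 ws-17 NET_CONNECT dst=198.51.100.7:3333
2025-06-02T00:02:00 ws-17 NET_CONNECT dst=198.51.100.7:3333
2025-06-02T00:03:01 ws-17 NET_CONNECT dst=198.51.100.7:3333
2025-06-02T09:15:00 ws-03 NET_CONNECT dst=203.0.113.5:443
2025-06-02T09:16:30 ws-03 NET_CONNECT dst=203.0.113.5:443
"""

NIGHT_START, NIGHT_END = 0, 5  # the midnight-to-05:00 window described in the report

def parse(text):
    for line in text.splitlines():
        ts, host, event, *rest = line.split()
        kv = dict(f.split("=", 1) for f in rest)
        yield datetime.fromisoformat(ts), host, event, kv

def score_hosts(text, min_beacons=3):
    """Return {host: sorted indicator names} for hosts showing two or more indicators."""
    tasks = defaultdict(set)      # host -> {(trigger, action)} from scheduled-task events
    rtp_off = set()               # hosts where real-time protection was disabled
    conns = defaultdict(list)     # (host, dst) -> connection timestamps inside the night window
    for ts, host, event, kv in parse(text):
        if event == "TASK_CREATED":
            tasks[host].add((kv.get("trigger"), kv.get("action")))
        elif event == "DEFENDER_RTP" and kv.get("state") == "disabled":
            rtp_off.add(host)
        elif event == "NET_CONNECT" and NIGHT_START <= ts.hour < NIGHT_END:
            conns[(host, kv["dst"])].append(ts)
    hits = defaultdict(set)
    for host, t in tasks.items():
        if ("00:00", "wake") in t and ("05:00", "shutdown") in t:
            hits[host].add("power_schedule")
    for host in rtp_off:
        hits[host].add("defender_disabled")
    for (host, dst), stamps in conns.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # a miner keeping contact with its pool roughly once a minute
        if len(stamps) >= min_beacons and all(50 <= g <= 70 for g in gaps):
            hits[host].add("minute_beacon")
    return {h: sorted(i) for h, i in hits.items() if len(i) >= 2}
```

Requiring two independent indicators keeps a single nightly maintenance task or a lone connection from raising an alert on its own.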