Rare Werewolf APT using legitimate software to target Russian networks

A hacking group is exploiting everyday tools to breach industrial and academic systems across Russia and neighboring states.

What happened

A threat actor known as Rare Werewolf (formerly Rare Wolf) has been identified as the source of cyberattacks affecting hundreds of users in Russia, Belarus, and Kazakhstan. The group, active since at least 2019, targets industrial enterprises and engineering schools, using legitimate software to hide its tracks and carry out credential theft and crypto-mining.

Security researchers at Kaspersky reported that the group leverages phishing emails and common software tools rather than custom malware. The campaign primarily tries to gain remote access, extract sensitive credentials, and deploy the XMRig cryptocurrency miner.

Going deeper

The attackers begin by sending phishing emails containing password-protected archives with executable files. Once opened, these archives install a legitimate tool, 4t Tray Minimizer, alongside other components, including a PDF decoy document. This tool helps conceal malicious processes by minimizing them to the system tray, making the intrusion harder to detect.

From there, the malware downloads additional tools from a remote server, including:

  • Defender Control, used to disable antivirus protection
  • Blat, a utility for sending stolen data via email
  • AnyDesk, a remote desktop tool enabling control over compromised machines
  • Batch and PowerShell scripts, which schedule system wake-ups and shutdowns to limit attacker exposure. One PowerShell script schedules remote access at 1 a.m. and automatically shuts the system down by 5 a.m., creating a consistent but hard-to-trace pattern of access.
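As an added defensive illustration (not Kaspersky's detection logic and not taken from the report), the following Python audits exported Windows scheduled-task XML for the pattern described above: a trigger inside the 1 a.m. to 5 a.m. window combined with an action naming one of the reported tools. The task XML samples are constructed; the watch-list names come from the article except `shutdown.exe`, which is an assumed way of scheduling the shutdown, and the `WakeToRun` flag is reported as context for the "system wake-ups" the article mentions.

```python
# Added illustration: audit Task Scheduler XML for the overnight wake /
# remote-access / shutdown pattern described in the report. Sample tasks are
# constructed; the logic is not Kaspersky's and the watch-list is an assumption.
import xml.etree.ElementTree as ET
from datetime import datetime

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}
QUIET_HOURS = range(1, 6)  # trigger hours 01:00-05:59, the reported window
# Tools named in the report, plus Windows' shutdown.exe (assumed shutdown method).
WATCHLIST = ("anydesk", "blat", "defender control", "shutdown")

def audit_task(name: str, task_xml: str) -> dict:
    """Extract trigger hours, WakeToRun and Exec actions; flag the combination."""
    root = ET.fromstring(task_xml)
    hours = [datetime.fromisoformat(sb.text).hour
             for sb in root.findall("./t:Triggers/*/t:StartBoundary", NS)]
    wake = root.findtext("./t:Settings/t:WakeToRun", default="false", namespaces=NS)
    cmds = [" ".join(filter(None, (ex.findtext("t:Command", namespaces=NS),
                                    ex.findtext("t:Arguments", namespaces=NS))))
            for ex in root.findall("./t:Actions/t:Exec", NS)]
    hits = [c for c in cmds if any(w in c.lower() for w in WATCHLIST)]
    overnight = any(h in QUIET_HOURS for h in hours)
    return {"task": name, "hours": hours, "wake_to_run": wake.strip().lower() == "true",
            "commands": cmds, "watchlist_hits": hits,
            "suspicious": overnight and bool(hits)}

def _task_xml(trigger: str, start: str, wake: bool, cmd: str, args: str = "") -> str:
    """Build a minimal Task Scheduler XML document (constructed sample data)."""
    return (f'<Task xmlns="{TASK_NS}"><Triggers><{trigger}><StartBoundary>{start}'
            f'</StartBoundary></{trigger}></Triggers><Settings><WakeToRun>'
            f'{str(wake).lower()}</WakeToRun></Settings><Actions><Exec><Command>{cmd}'
            f'</Command><Arguments>{args}</Arguments></Exec></Actions></Task>')

SAMPLES = {  # constructed: one routine job, two matching the reported pattern
    "NightlyBackup": _task_xml("CalendarTrigger", "2025-06-01T22:00:00", False,
                               r"C:\Tools\backup.exe", "/full"),
    "RemoteAccess": _task_xml("CalendarTrigger", "2025-06-01T01:00:00", True, "AnyDesk.exe"),
    "QuietShutdown": _task_xml("TimeTrigger", "2025-06-01T05:00:00", False,
                               "shutdown.exe", "/s /t 0"),
}

def run_audit() -> list:
    """Return the names of tasks matching the overnight pattern, in input order."""
    return [r["task"] for r in (audit_task(n, x) for n, x in SAMPLES.items())
            if r["suspicious"]]

if __name__ == "__main__":
    for task_name, xml_doc in SAMPLES.items():
        print(audit_task(task_name, xml_doc))
```

On a live host the same XML is obtained with `schtasks /query /xml` or `Export-ScheduledTask`, and the two overnight tasks are flagged while the 10 p.m. backup is not.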

What was said

Kaspersky states that the use of widely available tools rather than custom malware makes these operations difficult to attribute and detect. All malicious actions are executed through scripts and trusted software, blurring the line between legitimate and harmful activity.

In a related update, Positive Technologies disclosed another campaign by a group called DarkGaboon, which is deploying LockBit 3.0 ransomware against Russian entities. Though unrelated to Rare Werewolf, the group also uses phishing and off-the-shelf tools to obscure its tracks.

FAQs

What makes attacks using legitimate software harder to detect?

Security tools often whitelist or ignore well-known applications. When attackers use these tools maliciously, their actions appear normal to antivirus and monitoring systems.

How do PowerShell and batch scripts factor into advanced attacks?

Scripts allow attackers to automate tasks like data theft, remote access, and persistence without triggering alarms associated with binary malware.

Why target industrial and academic institutions in Russia?

These sectors often store sensitive intellectual property, credentials, and infrastructure details, making them valuable targets for espionage or financially motivated attacks.

What is the benefit of scheduling access during overnight hours?

Nighttime access reduces the likelihood of user detection and allows attackers to operate in a quiet system environment, increasing operational success.