Security researchers have flagged a notable shift in the targeting of the hacking group known as Librarian Ghouls. The group, previously focused on stealing confidential information through malicious email campaigns that harvested office documents, has expanded its collection to files produced by industrial design and modeling (CAD) software.
Evolution of Librarian Ghouls’ Attack Strategy
According to recent findings by Kaspersky Lab, the core tooling the group uses for malware delivery and data theft is largely unchanged, but its targeting has shifted. Notably, the operators still use the same domain, hostingforme[.]nl, to receive stolen data. Reusing an already-published exfiltration domain is brazen, but it also makes the domain a durable indicator that defenders can block at the proxy or DNS layer and alert on.
The most significant changes are in the names of the lure files and in the set of file formats the malware gathers for transmission to its command-and-control server. This points to a deliberate pivot toward more specialized, and potentially more valuable, industrial data.
Anatomy of the Phishing Campaign
Librarian Ghouls typically distribute malicious RAR archives containing .SCR files whose names mimic office documents. A .SCR file is a Windows screensaver, which is an ordinary PE executable; double-clicking it runs code rather than opening a document. When a victim executes such a file, the malware downloads additional payloads, collects the data the attackers are after, compresses it into archives, and sends them to the operators.
Email subject lines used in these phishing attempts often reference Russian electronic component catalogs or urgent requests from military-industrial entities. The lure file names likewise masquerade as technical specifications, design documentation, and component catalogs.
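The lure described above relies on the archive member looking like a document while its real extension is .SCR. The following mail-gateway style check is an added example, not code from the article or from Kaspersky: it screens an archive's member names for executables dressed up as documents. The article only names .SCR, so the wider executable list, the right-to-left-override (U+202E) check and the space-padding check are generalisations added here, and the sample member names are constructed, not taken from a real lure. In practice the listing would come from `unrar lb lure.rar` or `rarfile.RarFile(path).namelist()`.

```python
import re

# Extensions Windows runs on double-click. The article only names .SCR
# (a screensaver, which is a plain PE executable); the rest are a
# generalisation added here.
EXECUTABLE_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Document-like extensions that lures borrow as decoys: the office and CAD
# types named in the article plus a few common ones.
DECOY_EXT = {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf", ".dwg", ".cdw", ".frw", ".m3d"}

# Unicode right-to-left override: makes "spec\u202excod.scr" render as
# "specrcs.docx" in many file listings while the real suffix stays .scr.
RLO = "\u202e"


def _extensions(name: str) -> list[str]:
    """All dotted suffixes of the file-name part, lowercased, e.g. ['.docx', '.scr']."""
    base = re.split(r"[\\/]", name)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def classify_member(name: str) -> list[str]:
    """Return the reasons an archive member name looks like a disguised executable."""
    reasons = []
    if RLO in name:
        reasons.append("rlo-override")
    exts = _extensions(name.replace(RLO, ""))
    if exts and exts[-1] in EXECUTABLE_EXT:
        reasons.append("executable:" + exts[-1])
        if any(e in DECOY_EXT for e in exts[:-1]):
            reasons.append("double-extension-decoy")
        if re.search(r" {5,}", name):  # padding pushes the real extension out of view
            reasons.append("padded-name")
    return reasons


def screen_archive(members) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; clean members are omitted."""
    return {m: r for m in members if (r := classify_member(m))}


# Constructed sample listing (not from a real sample): one double-extension
# lure, one clean PDF, one space-padded name, one RLO trick, one plain file.
SAMPLE_MEMBERS = [
    "Технические условия.docx.scr",
    "Каталог компонентов.pdf",
    "Спецификация изделия          .scr",
    "Чертёж\u202excod.scr",
    "readme",
]

if __name__ == "__main__":
    for name, reasons in screen_archive(SAMPLE_MEMBERS).items():
        print(repr(name), "->", ", ".join(reasons))
```

A gateway rule that quarantines any archive with a flagged member, regardless of what the visible name suggests, removes the user's judgement from the loop; the reasons list is what you would surface to the analyst who reviews the quarantine.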
Expanded Data Collection Scope
While the group continues to collect office documents (*.doc, *.docx) and Telegram messenger data, it has significantly widened its collection parameters. The malware now also harvests files with extensions typical of industrial design and modeling software, such as:
- *.dwg (AutoCAD drawing files)
- *.cdw (KOMPAS-3D drawing files)
- *.frw (KOMPAS-3D fragment files)
- *.m3d (KOMPAS-3D 3D model files)
- *.pdf (Portable Document Format files)
This expansion suggests a targeted interest in acquiring intellectual property and sensitive design information from industrial sectors.
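The collection behaviour described above (bulk reads of design and office files, Telegram data, an archive written to disk, then contact with the exfiltration domain named earlier) is also a hunting opportunity on the endpoint. The following script is an added example and not Kaspersky's or the article's code: it runs that logic over file, archive and DNS telemetry. The CSV event shape, the `file_read`/`file_write`/`dns_query` event names, the thresholds and the `tdata` folder check (where Telegram Desktop keeps its session data) are assumptions, and the telemetry is constructed, not real logs.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# File types the article says the malware collects.
TARGET_EXT = {".doc", ".docx", ".pdf", ".dwg", ".cdw", ".frw", ".m3d"}
ARCHIVE_EXT = {".rar", ".zip", ".7z"}
# Exfiltration domain named in the article (defanged there as hostingforme[.]nl).
EXFIL_DOMAINS = {"hostingforme.nl"}
# Thresholds are assumptions; tune them so that engineers opening a few
# drawings in their CAD tool do not trip the rule.
MIN_TARGET_READS = 10
MIN_DISTINCT_DIRS = 3


def analyse(events_csv: str, min_reads=MIN_TARGET_READS, min_dirs=MIN_DISTINCT_DIRS):
    """Group events per (host, pid) and return alerts for processes that stage data."""
    per_proc = defaultdict(lambda: {"process": None, "reads": 0, "dirs": set(),
                                    "telegram": False, "archives": [], "domains": set()})
    for row in csv.DictReader(io.StringIO(events_csv)):
        st = per_proc[(row["host"], row["pid"])]
        st["process"] = row["process"]
        ev, target = row["event"], row["target"]
        if ev == "file_read":
            p = PureWindowsPath(target)
            if p.suffix.lower() in TARGET_EXT:
                st["reads"] += 1
                st["dirs"].add(str(p.parent).lower())
            if "tdata" in (part.lower() for part in p.parts):
                st["telegram"] = True
        elif ev == "file_write" and PureWindowsPath(target).suffix.lower() in ARCHIVE_EXT:
            st["archives"].append(target)
        elif ev == "dns_query":
            st["domains"].add(target.lower().rstrip("."))

    alerts = []
    for (host, pid), st in per_proc.items():
        reasons = []
        staged = st["reads"] >= min_reads and len(st["dirs"]) >= min_dirs
        if staged and st["archives"]:
            reasons.append(f"read {st['reads']} design/office files from "
                           f"{len(st['dirs'])} directories, then wrote {st['archives'][0]}")
        if st["telegram"] and st["archives"]:
            reasons.append("read Telegram tdata, then wrote an archive")
        hits = st["domains"] & EXFIL_DOMAINS
        if hits:
            reasons.append("resolved known exfiltration domain " + ", ".join(sorted(hits)))
        if reasons:
            alerts.append({"host": host, "pid": pid, "process": st["process"], "reasons": reasons})
    return alerts


def sample_events() -> str:
    """Constructed telemetry (not real logs): one collector process, two benign ones."""
    rows = ["host,pid,process,event,target"]
    docs = [r"C:\Projects\Turbine\housing.cdw", r"C:\Projects\Turbine\shaft.m3d",
            r"C:\Projects\Turbine\frag01.frw", r"C:\Projects\Valve\body.dwg",
            r"C:\Projects\Valve\seal.m3d", r"C:\Projects\Valve\spec.pdf",
            r"C:\Users\ivanov\Documents\TU-2024.docx", r"C:\Users\ivanov\Documents\catalog.pdf",
            r"C:\Users\ivanov\Documents\contract.doc", r"D:\Archive\Pump\impeller.cdw",
            r"D:\Archive\Pump\casing.m3d", r"D:\Archive\Pump\assembly.dwg"]
    mal = "ws-17,4120,Спецификация.docx.scr"
    rows += [f"{mal},file_read,{d}" for d in docs]
    rows.append(mal + r",file_read,C:\Users\ivanov\AppData\Roaming\Telegram Desktop\tdata\key_datas")
    rows.append(mal + r",file_write,C:\Users\ivanov\AppData\Local\Temp\ABC.rar")
    rows.append(mal + ",dns_query,hostingforme.nl")
    # Benign: an engineer opens three drawings in KOMPAS-3D, no archive, no DNS hit.
    rows += [f"ws-17,2210,KOMPAS.exe,file_read,{d}" for d in docs[:3]]
    # Benign: a user zips a single document.
    rows.append(r"ws-17,3304,explorer.exe,file_read,C:\Users\ivanov\Documents\TU-2024.docx")
    rows.append(r"ws-17,3304,explorer.exe,file_write,C:\Users\ivanov\Documents\TU-2024.zip")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for alert in analyse(sample_events()):
        print(alert["host"], alert["pid"], alert["process"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The domain match alone is enough to alert on, since the article reports it is reused across campaigns; the read-then-archive pattern is what catches the same behaviour if the operators finally rotate infrastructure.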
Industries at Risk
Researchers warn that the Librarian Ghouls target list consists predominantly of enterprises engaged in design and engineering work across a range of industries. Attempted attacks have been detected against:
- Research institutes of various specializations
- Aerospace and aviation industry enterprises
- Manufacturers of equipment for gas processing, petrochemical, nuclear power, and defense industries
- Producers of diving equipment, communication and radar systems
- Developers of cash register equipment, automotive components, industrial control systems
- Manufacturers of telecommunication equipment, secure communication devices, semiconductor devices, and power modules
The breadth of targeted industries points to a sustained industrial espionage campaign aimed at design data and intellectual property rather than opportunistic crime. Organizations in these sectors should treat CAD and engineering document repositories as high-value assets: restrict where they can be read from, watch for bulk access followed by archive creation, and keep the known exfiltration domain on a block list.
As Librarian Ghouls refine their lures and widen their targets, businesses in the industrial and manufacturing sectors in particular need to keep up with the threat and put layered controls in place. Concretely, that means blocking or quarantining executables (.SCR, .EXE and similar) delivered inside email archives at the gateway, security awareness training that specifically covers archive attachments and double extensions, up-to-date anti-malware on engineering workstations, and monitoring for the known command-and-control domain and for the collection behaviour described above.