New crime group Karakurt focuses exclusively on extortion and data breaches


A recently discovered threat group called Karakurt has been operating under the radar for some time now. Researchers tracking the group have uncovered its strategies and procedures.

The Karakurt threat group can be classified as financially motivated hackers. Researchers first sighted the group back in June, with the registration of a couple of domains and the creation of a Twitter account. The analysts also noticed that Karakurt's objectives are limited to data theft and targeted extortion. Surprisingly, this threat group does not use any form of ransomware to encrypt its targets' files.


Reports say that Karakurt has been on a secret rampage for a couple of months.


The Karakurt threat group claims to have attacked between September and November of 2021 and posted stolen file packs on its official website. Analysts noticed that about 95% of the victims are from North America, while the remaining 5% are all from Europe.

Another peculiar fact about the threat group is that it does not focus on any particular kind of target. Its victims are picked at random, or are simply whoever is prone to infection.

The Karakurt threat group primarily uses VPN credentials to access a target's network. They gather these credentials either by sourcing them from vendors or by phishing for them on their own. They establish persistence by deploying Cobalt Strike beacons or, sometimes, the AnyDesk remote access tool. Then they steal additional credentials belonging to a targeted admin by deploying a tool called Mimikatz, and use those credentials to escalate privileges undetected.

Karakurt then exfiltrates data, using 7zip and WinZip to compress the stolen files and sending them out through FileZilla.
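Defenders can hunt for the tool sequence described above in process-creation telemetry. The sketch below is an added example, not code from the researchers or the original article; the log format, host and user names, the two-hour correlation window and the file-name matching are all assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Usual image names of the tools the article lists. Matching on file name is
# an assumption of this sketch: a renamed binary will not match.
STAGES = {
    "anydesk.exe": "remote_access",
    "mimikatz.exe": "credential_theft",
    "7z.exe": "archive", "7za.exe": "archive",
    "winzip32.exe": "archive", "winzip64.exe": "archive",
    "filezilla.exe": "transfer",
}
WINDOW = timedelta(hours=2)  # assumed correlation window

# Constructed process-creation events: time, host, user, image path.
SAMPLE = r"""
2021-10-04T02:11:40 FS01 CORP\it.admin C:\Users\Public\AnyDesk.exe
2021-10-04T02:25:13 FS01 CORP\it.admin C:\Windows\Temp\mimikatz.exe
2021-10-04T02:47:02 FS01 CORP\it.admin C:\Program Files\7-Zip\7z.exe
2021-10-04T03:05:55 FS01 CORP\it.admin C:\Program Files\FileZilla FTP Client\filezilla.exe
2021-10-04T09:12:03 WS17 CORP\jdoe C:\Program Files\7-Zip\7z.exe
2021-10-04T14:40:10 WS17 CORP\jdoe C:\Program Files\FileZilla FTP Client\filezilla.exe
2021-10-04T10:01:00 WS22 CORP\asmith C:\Program Files\FileZilla FTP Client\filezilla.exe
"""

def parse(line):
    # The image path may contain spaces, so it is taken as the last field.
    ts, host, user, image = line.strip().split(maxsplit=3)
    return datetime.fromisoformat(ts), host, user, PureWindowsPath(image).name.lower()

def find_staged_exfil(log_text, window=WINDOW):
    """Alert when a transfer tool starts on a host where an archiver ran within `window`."""
    history, alerts = {}, []
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, host, user, name in events:
        stage = STAGES.get(name)
        if stage is None:
            continue
        earlier = history.setdefault(host, [])
        if stage == "transfer":
            recent = {s for t, s in earlier if ts - t <= window}
            if "archive" in recent:
                alerts.append({"host": host, "user": user, "time": ts.isoformat(),
                               "preceding": sorted(recent)})
        earlier.append((ts, stage))
    return alerts

if __name__ == "__main__":
    for alert in find_staged_exfil(SAMPLE):
        print(alert)
```

In practice the same fields can be taken from Sysmon Event ID 1 or Windows Security event 4688 records.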

Although these operations seem less damaging than a simple ransomware attack that encrypts files and deletes backups, they can still be hazardous to victims. The threat actors can threaten to publish the stolen files, which is detrimental to companies that need to keep their data confidential.
