New ‘Karakurt’ cybercrime gang focuses on data theft and extortion

Accenture researchers detailed the activity of a new sophisticated cybercrime group, called Karakurt, behind recent cyberattacks.

Accenture researchers detailed the activity of a sophisticated financially motivated threat actor called Karakurt. The activity of the group was first spotted in June 2021, but the group has been more active in Q3 2021.

In June 2021 the gang registered the domains hosting its leak sites, karakurt[.]group and karakurt[.]tech, while in August the group registered a Twitter account with the handle “karakurtlair.” .

The group focuses on data theft and extortion, but the researchers pointed out that it doesn’t use ransomware.

Between September 2021 and November 2021, the group hit over 40 victims across multiple industries.

The actors focus almost exclusively on data exfiltration and extortion and are not using ransomware to lock their victims’ files.

“Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach.” reads the analysis published by Accenture. “Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment.”

Most of the known victims (95%) are based in North America, while the remaining 5% are in Europe. 

The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.

In the initial attacks, the group gained persistence by using the popular post-exploitation tool Cobalt Strike. In recent attacks, the group switched on VPN IP pool or AnyDesk software to establish persistence and avoid detection.

Once gained access to the target network, the group uses various tools to escalate privileges, including Mimikatz or PowerShell to steal ntds.dit that contains Active Directory data.

However, the threat group in most attacks escalated privileges using previously obtained credentials.

For data exfiltration the group has been seen utilizing 7zip and WinZip for compression, as well as Rclone or FileZilla (SFTP) to upload data to cloud storage.

The report includes MITRE ATT&CK Tactics and techniques observed for this threat actor along with suggested mitigations,

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Karakurt)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.