Context
On June 1, 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Treasury Department, and the Financial Crimes Enforcement Network (FinCEN) released a joint advisory with technical details and indicators of compromise for the Karakurt data extortion group.
Karakurt is an advanced persistent threat (APT) group focused on stealing data and demanding a ransom from targets in exchange for not leaking it. The group is known for being particularly aggressive when soliciting payment, frequently harassing the target's employees, clients, and business partners to pressure the target into cooperating. The group's website went offline at the beginning of 2022, and the group moved its data leak announcements to deep web forums. Karakurt is also known to exaggerate the extent and severity of its compromises to encourage targets to pay.
Technical Details
Karakurt’s known tactics, techniques, and procedures (TTPs) include:
- Purchasing stolen credentials
- Buying access to targets through intrusion brokers
- Working with other cybercriminal groups
Intrusion vectors commonly used by the group include:
- Various SonicWall SSL VPN appliance CVEs
- Exploitation of Log4j vulnerabilities
- Phishing and spearphishing
- Malicious macros in email attachments
- Stolen credentials, especially VPN and remote desktop protocol (RDP) credentials
- Various Fortinet Fortigate SSL VPN appliance CVEs
- Outdated Windows Server instances
Karakurt is known to deploy Cobalt Strike to enumerate networks and Mimikatz to steal plaintext credentials. Once access to a target system is achieved, Karakurt uses unspecified tools to exfiltrate large amounts of data and, in some cases, entire share drives.
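The advisory's IOC list names Rclone (including a copy renamed to a Windows-looking filename), an Rclone configuration file and an Rclone filter file as the exfiltration tooling. As an added example that is not part of the advisory or this page, the Python below sketches detection logic a defender could run over process-creation telemetry to flag Rclone transfers even when the binary has been renamed; it assumes Sysmon-style field names (Image, OriginalFileName, CommandLine), uses Rclone's documented CLI verbs and flags, and runs on constructed sample events.

```python
from typing import Iterable, List, Optional, Tuple

# Rclone's documented transfer verbs and the flags an exfiltration run
# typically carries (config file and filter file, both named in the advisory).
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_FLAGS = {"--config", "--filter-from", "--include-from", "--exclude-from"}


def rclone_indicator(event: dict) -> Optional[str]:
    """Return a detection reason for a Sysmon-style process-creation event,
    or None when the event does not look like an Rclone invocation."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    tokens = event.get("CommandLine", "").split()
    # PE version metadata still says rclone.exe although the file on disk was renamed.
    if original == "rclone.exe" and image != "rclone.exe":
        return "renamed-rclone"
    # Unrenamed Rclone: the file name itself is an indicator in the advisory.
    if image == "rclone.exe" or original == "rclone.exe":
        return "rclone-binary"
    # Metadata stripped or forged: fall back to the shape of the command line.
    has_verb = any(t.lower() in RCLONE_VERBS for t in tokens[1:])
    has_flag = any(t.lower() in RCLONE_FLAGS for t in tokens[1:])
    if has_verb and has_flag:
        return "rclone-cmdline"
    return None


def scan(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Return (ProcessId, reason) for every event that trips a rule."""
    hits = []
    for e in events:
        reason = rclone_indicator(e)
        if reason:
            hits.append((e["ProcessId"], reason))
    return hits


# Constructed sample telemetry (hypothetical hosts, paths and remote name).
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
    {"ProcessId": 202, "Image": r"C:\ProgramData\dllhosts.exe",
     "OriginalFileName": "rclone.exe", "CommandLine": "dllhosts.exe --version"},
    {"ProcessId": 303, "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "svc.exe",
     "CommandLine": r"svc.exe copy \\fs01\finance remote:share --config C:\ProgramData\rclone.conf --filter-from C:\ProgramData\filter.txt"},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"pid={pid} reason={reason}")
```

The third rule is the noisy one in practice: tune the verb and flag sets against your own baseline before alerting on it.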
IOCs
The joint advisory included the following IOCs: