Researchers who tracked recent attacks by the group have disclosed the strategies and processes of a sophisticated cybercrime crew that has been operating quietly in the shadows. The gang, known as ‘Karakurt,’ is a profit-driven threat actor that stepped up its cyber-attacks in Q3 2021. The registration of two domains and the creation of a Twitter handle in June 2021 were the first evidence of Karakurt activity.
The criminals are almost entirely focused on data theft and extortion, and they do not use ransomware to encrypt their victims’ files. Accenture Security analysts tracked the group’s “living off the land” strategies, toolset, and penetration techniques for the study on Karakurt. Between September and November 2021, the threat organization claims to have penetrated over 40 victims and has distributed downloadable stolen file packs on its websites.
Nearly 95 percent of the victims are in North America, and the remainder are in Europe. Because Karakurt is not focused on a specific industry, its victimology looks haphazard. To gain initial access to a victim’s network, the actor typically uses VPN credentials, which it either buys from sellers or phishes itself. Karakurt demonstrated its persistence by abandoning the frequently misused Cobalt Strike remote access tool; in subsequent attacks it has shifted to AnyDesk.
AnyDesk has grown in popularity among threat actors, such as the Conti ransomware group, since Cobalt Strike beacons have become more aggressively identified by security tools. The perpetrator then uses Mimikatz to obtain additional administrator credentials and exploits them for undetected privilege escalation.
“In one intrusion, Accenture Security also observed the threat group avoiding the use of common post-exploitation tools or commodity malware in favor of credential access,” clarified the report by Accenture.
“This approach enabled it to evade detection and bypass security tools such as common endpoint detection and response (EDR) solutions.”
Karakurt compresses the stolen files with 7-Zip and WinZip before sending them to Mega.io via Rclone or FileZilla. While these attacks may appear less harmful than ransomware outbreaks that encrypt data and delete backups, they can nonetheless be quite disruptive. Threatening to expose stolen information may bring a corporation to its knees even if its operations are unaffected, and carrying out such attacks requires minimal overhead.
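As an added example (not code from the report or the article), the following defender-side sketch shows how the staging-then-upload pattern described above (an archiver run followed shortly by Rclone or FileZilla on the same host, with a Mega destination raising severity) could be surfaced from process-creation telemetry; all events, hostnames and paths are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events (host, timestamp, image, command line);
# these are made up for the example, not telemetry from any real intrusion.
SAMPLE_EVENTS = [
    ("WS01", "2021-10-02T01:10:00", "7z.exe", r"7z.exe a C:\temp\out.7z \\fs01\finance"),
    ("WS01", "2021-10-02T01:32:00", "rclone.exe", r"rclone.exe copy C:\temp\out.7z mega:staging --transfers 8"),
    ("WS02", "2021-10-02T09:00:00", "7z.exe", r"7z.exe x C:\downloads\installer.7z"),  # no follow-up upload
    ("WS03", "2021-10-03T14:05:00", "filezilla.exe", "filezilla.exe"),  # no prior archiving step
]

ARCHIVERS = {"7z.exe", "7za.exe", "winzip64.exe", "wzzip.exe"}
TRANSFER_TOOLS = {"rclone.exe", "filezilla.exe"}
CLOUD_HINTS = ("mega:", "mega.io", "mega.nz")


def detect_exfil_chains(events, window_minutes=60):
    """Return one alert per (archiver -> transfer tool) sequence on the same host.

    An archive step followed within `window_minutes` by rclone/FileZilla is the
    staging-then-upload pattern; a Mega destination on the command line raises severity.
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: (e[0], e[1]))  # ISO timestamps sort lexically
    alerts = []
    for host, ts, image, cmdline in ordered:
        if image.lower() not in TRANSFER_TOOLS:
            continue
        t_transfer = datetime.fromisoformat(ts)
        # Look back for an archiver run on the same host inside the window.
        staged = [
            e for e in ordered
            if e[0] == host and e[2].lower() in ARCHIVERS
            and timedelta(0) <= t_transfer - datetime.fromisoformat(e[1]) <= window
        ]
        if not staged:
            continue
        to_cloud = any(h in cmdline.lower() for h in CLOUD_HINTS)
        alerts.append({
            "host": host,
            "archiver": staged[-1][2],
            "transfer_tool": image,
            "cloud_target": to_cloud,
            "severity": "high" if to_cloud else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil_chains(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the event source would be Sysmon event ID 1 or an EDR process-creation feed, and the archiver and transfer-tool lists would be tuned to what is legitimately used in the environment.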
As a result, new hacking organizations such as SnapMC focus entirely on data exfiltration and extortion as their threat model. However, paying a ransom does not guarantee that the stolen data will be wiped or that it will not be sold to others. Thus, it is never a good idea to pay a ransom in the hope of avoiding a data breach. Instead, businesses should focus on protection, prevention, and detection techniques to keep these threats off their networks.