As of late, a new money-driven attack group has been on the upswing, and unlike previous groups, it does not appear to be interested in spreading ransomware or attacking high-profile targets.
Accenture Security researchers have been investigating a group that calls itself "Karakurt," meaning "black wolf" in Turkish, and is also the name of a deadly spider prevalent in eastern Europe and Siberia.
Karakurt specializes in data exfiltration and eventual extortion, which allows them to operate swiftly. It already has claimed the lives of more than 40 people until September, with 95 percent of them in North America and the rest in Europe, according to a paper released on Friday by academics.
Experts suggest Karakurt would be a trend-setter, and shortly, similar groups may shift away from attacking large corporations or critical-infrastructure providers with ransomware and instead take a similar exfiltration/extortion technique.
“The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big-game hunting approach,” read the report.
According to Accenture CIFR researchers, Karakurt was originally spotted by investigators outside of Accenture Security in June since it started building up its network and data-leak platforms. In August, the group registered the domains karakurt.group and karakurt.tech, as well as the Twitter, handle @karakurtlair. Shortly the organization launched its first successful attack.
Accenture Security's collecting sources and intrusion research discovered the organization's first target in September; two months later, the group revealed their victim on the karakurt.group website.
Karakurt's tactics, techniques, and procedures (TTP) for infiltrating victim infrastructures, accomplishing persistence, relocating laterally, and stealing data are similar to those used by numerous threat actors and the group frequently takes a "living off the land" strategy relying on the attack surface, i.e., utilizing tools or features which already belong across the targeted system.
Karakurt primarily employs service installation, remote-management software, and the delivery of command-and-control (C2) beacons throughout victim environments via Cobalt Strike to sustain persistence once connected to a network.
However, experts have noticed that the group recently appears to have changed methods in its implementation of backup persistence. Karakurt "persisted within the victim's network via the VPN IP pool or installed AnyDesk to allow external remote access to compromised devices" rather than delivering Cobalt Strike, they stated. This enables the gang to migrate laterally by leveraging previously obtained user, service, and administrator personal information.
Researchers stated the gang will also employ additional remote-management technologies, such as remote desktop protocol (RDP), Cobalt Strike, and PowerShell commands, to travel laterally and uncover relevant data to steal and exploit for extortion reasons as needed.
Nevertheless, the group's assault pattern thus far demonstrates that it is adaptable enough to change its techniques based on the victim's circumstances. Karakurt can also avoid detection in many circumstances since it frequently utilizes authorized credentials to access websites.
Ultimately, Karakurt employs 7zip and WinZip for data compression, along with Rclone or FileZilla (SFTP) for staging and final exfiltration to Mega.io cloud storage, to steal information. Also according to Accenture Security, the staging folders utilized to exfiltrate data in assaults were C:Perflogs and C:Recovery.
Researchers offered standard mitigation recommendations to enterprises to prevent being penetrated and extorted by Karakurt, which will call them several times to put pressure over them to pay once their data has been stolen.