Joint Federal Advisory on Karakurt Data Extortion Group Technical Details


Context

On June 1, 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Treasury Department, and the Financial Crimes Enforcement Network (FinCEN) released a joint advisory with technical details and indicators of compromise for the Karakurt data extortion group.

Karakurt is an advanced persistent threat (APT) group focused on stealing data and demanding ransom from targets in exchange for not leaking the data. The group is known to be particularly aggressive when soliciting ransom, frequently harassing employees, clients, and business partners to pressure the target to cooperate. The group’s website went offline at the beginning of 2022 and the group moved its data leak announcements to deep web forums. Karakurt is also known to exaggerate the extent and severity of its compromises to encourage targets to pay.

Technical Details

Karakurt’s known tactics, techniques, and procedures (TTPs) include:

  • Purchasing stolen credentials
  • Buying access to targets through intrusion brokers
  • Working with other cybercriminal groups
Intrusion vectors commonly used by the group include:

  • Various SonicWall SSL VPN appliance CVEs
  • Log4j vulnerabilities
  • Phishing and spearphishing
  • Malicious macros in email attachments
  • Stolen credentials, especially VPN and remote desktop protocol (RDP) credentials
  • Various Fortinet FortiGate SSL VPN appliance CVEs
  • Outdated Windows Server instances

Karakurt is known to deploy Cobalt Strike to enumerate networks and install Mimikatz to steal plaintext credentials. Once access to a target system is achieved, Karakurt uses unspecified tools to exfiltrate large amounts of data and, in some cases, entire shared drives.
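As an added illustration, not part of the advisory or this post, the script below triages constructed Sysmon-style process-creation events for the exfiltration tooling the advisory lists among its indicators: Rclone renamed to look like a Windows binary and run against a network share with a config and filter file, and an unapproved remote-access tool such as AnyDesk. The event field names, sample events, and the empty remote-tool allowlist are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\Dllhosts.exe", "original_name": "rclone.exe",
     "cmdline": r"Dllhosts.exe copy \\FS01\Finance remote:backup --config C:\ProgramData\Rclone.conf --filter-from C:\ProgramData\Filter.txt"},
    {"host": "WS02", "image": r"C:\Users\bob\Downloads\AnyDesk.exe", "original_name": "AnyDesk.exe",
     "cmdline": "AnyDesk.exe --silent"},
    {"host": "WS03", "image": r"C:\Windows\System32\svchost.exe", "original_name": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Rclone transfer verb followed by a config or filter-file flag, as in the advisory's artifacts.
RCLONE_CMD = re.compile(r"\b(copy|sync|move)\b.*(--config|--filter-from)", re.IGNORECASE)
# UNC path (\\server\share) as the copy source: whole share drives leaving the network.
UNC_SOURCE = re.compile(r"\\\\[\w.-]+\\[\w$.-]+", re.IGNORECASE)
# Assumption: no remote-access tools are sanctioned; populate from your own inventory.
APPROVED_REMOTE_TOOLS = set()

def triage(event):
    """Return a list of detection tags for one process-creation event."""
    findings = []
    base = ntpath.basename(event["image"]).lower()
    orig = event["original_name"].lower()
    # PE OriginalFileName says rclone but the file on disk is named something else.
    if orig == "rclone.exe" and base != orig:
        findings.append("renamed-rclone")
    if RCLONE_CMD.search(event["cmdline"]):
        tag = "rclone-bulk-copy"
        if UNC_SOURCE.search(event["cmdline"]):
            tag += "-from-share"
        findings.append(tag)
    if orig == "anydesk.exe" and base not in APPROVED_REMOTE_TOOLS:
        findings.append("unapproved-remote-access")
    return findings

def hunt(events):
    """Map each host with at least one finding to its detection tags."""
    results = {}
    for event in events:
        tags = triage(event)
        if tags:
            results[event["host"]] = tags
    return results

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(host, ", ".join(tags))
```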

IOCs

The joint advisory included IOCs covering the group's email addresses, its onion site, tooling (including Rclone with its config and filter files, AnyDesk, and Cobalt Strike), malicious documents, DLLs masquerading as Microsoft binaries in System32, and Bitcoin payment wallets.

