
Rewterz Threat Alert – Karakurt Extortion Group – Active IOCs

June 15, 2022

Severity

High

Analysis Summary

Karakurt is a financially motivated threat actor group, active since at least June 2021, that focuses on data extortion rather than encryption. It collects the victim's data and demands a ransom payment. If the victim organization refuses to pay, the stolen information is auctioned off or made public, where anybody may scrape and use it for personal gain. The group has already impacted over 40 organizations across various industries and regions.
The Karakurt threat actors often acquire access to victim networks by buying stolen credentials from initial access brokers or by exploiting widely known vulnerabilities such as Log4Shell or Zerologon. Once inside, they use Cobalt Strike Beacon to control the victim's environment, Mimikatz to extract credentials, AnyDesk to establish persistent remote access, and a variety of additional tools for privilege escalation and lateral movement. The data is compressed and exfiltrated in large quantities, usually using open source applications and FTP services. The threat actors then send ransom notes to the victims, alerting them that their company has been compromised and urging them to contact Karakurt for negotiations via a Tor website.

Impact

  • Cyber Extortion
  • Information Theft

Indicators of Compromise

MD5

  • 286aaf0974d06d9b02d11611b2acccef
  • ca2883a7f300abd755706d3a9b55916b
  • e2bce0f3162076fa56de5215fd31e3ab

SHA-256

  • 712733c12ea3b6b7a1bcc032cc02fd7ec9160f5129d9034bf9248b27ec057bd2
  • 5e2b2ebf3d57ee58cada875b8fbce536edcbbf59acc439081635c88789c67aca
  • 563bc09180fd4bb601380659e922c3f7198306e0caebe99cd1d88cd2c3fd5c1b

SHA-1

  • 05a9b0c93f7e1ca272b4236d489f903c399e5faa
  • 401341a7a604ae8d80d9240cb54dde5e26a5cfdb
  • d18c007d856b98ad09818e62fc05acb755dae86c

Remediation

  • Block the threat indicators at their respective controls.
  • Search for IOCs in your environment.
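The second remediation step, searching the environment for the listed file hashes, can be done with a small sweep script. The following is an added example written for this advisory, not a Rewterz tool: it embeds the MD5, SHA-1 and SHA-256 indicators listed above, hashes every regular file under a directory in one pass, and reports any file whose digest matches. The directory argument, the chunk size and the function names are choices made for the example.

```python
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

# Indicator hashes taken from the advisory above, normalised to lowercase hex.
IOC_HASHES: Dict[str, frozenset] = {
    "md5": frozenset({
        "286aaf0974d06d9b02d11611b2acccef",
        "ca2883a7f300abd755706d3a9b55916b",
        "e2bce0f3162076fa56de5215fd31e3ab",
    }),
    "sha1": frozenset({
        "05a9b0c93f7e1ca272b4236d489f903c399e5faa",
        "401341a7a604ae8d80d9240cb54dde5e26a5cfdb",
        "d18c007d856b98ad09818e62fc05acb755dae86c",
    }),
    "sha256": frozenset({
        "712733c12ea3b6b7a1bcc032cc02fd7ec9160f5129d9034bf9248b27ec057bd2",
        "5e2b2ebf3d57ee58cada875b8fbce536edcbbf59acc439081635c88789c67aca",
        "563bc09180fd4bb601380659e922c3f7198306e0caebe99cd1d88cd2c3fd5c1b",
    }),
}

CHUNK = 1 << 20  # 1 MiB reads, so large files are never loaded fully into memory


def hash_file(path: Path) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of one file in a single read pass."""
    digests = {name: hashlib.new(name) for name in IOC_HASHES}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def match_iocs(digests: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (algorithm, hash) pairs from `digests` that appear in the IOC set.

    Input is case-insensitive so digests copied from other reports still match.
    """
    return [
        (name, value.lower())
        for name, value in digests.items()
        if name in IOC_HASHES and value.lower() in IOC_HASHES[name]
    ]


def scan_directory(root: Path) -> List[Tuple[str, str, str]]:
    """Walk `root` recursively; report (path, algorithm, hash) for every IOC hit."""
    hits: List[Tuple[str, str, str]] = []
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks so the sweep stays inside `root`.
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        for algo, value in match_iocs(digests):
            hits.append((str(path), algo, value))
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python ioc_sweep.py /path/to/scan   (defaults to the current directory)
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for file_path, algo, value in scan_directory(target):
        print(f"IOC MATCH {file_path} {algo}={value}")
```

A hash match is a high-confidence hit but the absence of one proves little, since a rebuilt sample changes every hash; treat an empty result as one data point alongside EDR telemetry and the behavioural indicators described in the analysis summary (Cobalt Strike, Mimikatz, unexpected AnyDesk installs, bulk FTP transfers).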
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.