First seen in June 2021, the Karakurt hacking group has steadily increased its attacks. The financially motivated group focuses on data theft and extortion rather than ransomware. Researchers have recently exposed the group's tactics, techniques and procedures, noting that it primarily uses virtual private network (VPN) credentials to gain initial access to a victim's network; the group either buys the credentials on the dark web or obtains them through phishing campaigns. Because that entry point depends on valid credentials alone, enforcing multi-factor authentication on VPN logins and alerting on VPN logins from unfamiliar locations are the first controls a defender should verify. Researchers also report that the group recently switched from the Cobalt Strike post-exploitation framework to the legitimate remote desktop tool AnyDesk, since Cobalt Strike is now detected far more aggressively by security software. Once on a network, the threat actors harvest additional credentials with Mimikatz and compress the data they intend to steal with 7-Zip and WinZip before exfiltrating it. The group then names the victim on its leak site and threatens to publish the stolen data if it is not paid. Although the group does not encrypt data or wipe backups, the attacks can still be very damaging to an organization.
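The tool chain described above (a remote desktop tool, Mimikatz, then archiving of data for theft) is a sequence a defender can hunt for in process-creation telemetry. The following is an added example written for this page, not code from the article or from Binary Defense: it scores constructed Sysmon-style process events against simple heuristics of my own choosing (executable names and command-line fragments, which are assumptions, not published indicators for this group) and raises an alert only where credential dumping and archive staging occur on the same host within a time window, so that routine backups using 7-Zip alone do not fire.

```python
"""Hunt for the credential-theft-then-staging chain in process-creation events.

Added example for this page; heuristics and sample events are constructed
assumptions, not indicators published for the group discussed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the executable that started
    cmdline: str    # command line as logged


# Executable-name rules (assumed names; Mimikatz is often renamed, so the
# command-line rules below are what catch it in practice).
IMAGE_RULES = {
    "remote_access_tool": re.compile(r"\\anydesk\.exe$", re.I),
    "archiver": re.compile(r"\\(7z|7za|7zg|winzip(64)?|wzzip)\.exe$", re.I),
    "credential_dumping": re.compile(r"\\mimikatz\.exe$", re.I),
}

# Command-line rules: Mimikatz module syntax, and the 7-Zip "a" (add) verb
# writing a .7z/.zip archive.
CMDLINE_RULES = {
    "credential_dumping": re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I),
    "archiver": re.compile(r"\s[aA]\s.*\.(7z|zip)\b"),
}


def classify(ev: ProcEvent) -> set:
    """Return the set of behaviour tags an event matches (empty if benign)."""
    tags = {tag for tag, rx in IMAGE_RULES.items() if rx.search(ev.image)}
    tags |= {tag for tag, rx in CMDLINE_RULES.items() if rx.search(ev.cmdline)}
    return tags


def correlate(events, window: timedelta = timedelta(hours=6)) -> dict:
    """Map host -> sorted tags for hosts where credential dumping and archive
    staging both occurred within `window` of each other."""
    hits = {}  # host -> list of (timestamp, tag)
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(ev.host, []).append((ev.ts, tag))
    alerts = {}
    for host, tagged in hits.items():
        dumps = [ts for ts, tag in tagged if tag == "credential_dumping"]
        stages = [ts for ts, tag in tagged if tag == "archiver"]
        if any(abs(d - s) <= window for d in dumps for s in stages):
            alerts[host] = sorted({tag for _, tag in tagged})
    return alerts


# Constructed sample telemetry: one compromised workstation (ws01) and one
# server (ws02) running a legitimate nightly backup with 7-Zip.
T0 = datetime(2022, 6, 1, 9, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "ws01", "j.doe",
              r"C:\Users\j.doe\AppData\Local\AnyDesk\AnyDesk.exe",
              r'"C:\Users\j.doe\AppData\Local\AnyDesk\AnyDesk.exe"'),
    # Mimikatz renamed to blend in; only the command line gives it away.
    ProcEvent(T0 + timedelta(hours=1, minutes=15), "ws01", "j.doe",
              r"C:\Windows\Temp\update.exe",
              r"update.exe privilege::debug sekurlsa::logonpasswords"),
    ProcEvent(T0 + timedelta(hours=2, minutes=40), "ws01", "j.doe",
              r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe a C:\Windows\Temp\hr.7z C:\Shares\HR"),
    ProcEvent(T0 + timedelta(hours=16), "ws02", "SYSTEM",
              r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe a D:\backups\nightly.7z C:\Data"),
    ProcEvent(T0 + timedelta(minutes=5), "ws02", "a.smith",
              r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt"),
]


if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tags)}")
```

Run as a script it prints a single alert for ws01; ws02 is not reported, because archiving on its own is everyday activity and the rule requires the credential-dumping step on the same host. In a real deployment the same logic would read Sysmon Event ID 1 or EDR process events, and the regexes would be replaced by your own tool inventory and allow-lists.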
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased