Overview
Last year QiAnXin Threat Intelligence Center released a report titled "Operation (верность) mercenary: The Steel Torrent Trapped in the Eastern European Plains", which detailed the Conti Group's intrusion activity in the first half of 2022. Notably, at some of those attack sites we found ransom notes left by the Karakurt Group, which indirectly confirms that Karakurt Group had been collaborating with Conti Group. Overseas researchers believe Karakurt Group served as Conti Group's red team, dedicated to intrusion work [1]. In the cases we observed, the tactics and C2 infrastructure used in Conti-related ransomware incidents are indeed closely tied to Karakurt Group. Since Conti Group has disbanded, no further useful information can be gathered from that side; however, we observed that the emerging Quantum ransomware appears to be closely connected with Karakurt Group.
As a supplement to Operation Mercenary, this article focuses on Karakurt Group's other activities in 2022. The IOCs listed here are no longer active and are provided only for reference by our industry peers.
Attack Event
The earliest point of entry we observed was a phishing email aimed at trusted mailboxes of the targeted enterprises. Its malicious attachment was a password-protected archive, the password serving to bypass email scanning.
The archive contains an ISO image. Inside it, the bat and dll files carry the hidden attribute, so the only visible item is an lnk file named "documents", which the victim is lured into clicking.
The lnk file points to the bat script in the same directory.
The early lnk files used by the attacker contained the word "test", which let us recover the path where the attacker generated the lnk file; its timestamp shows it was built on June 6, 2022.
| Path |
|---|
| C:\Users\lamar\Desktop\test link\ |

In later deliveries the attacker stripped this debug information from the lnk files.
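The build path above is the kind of artifact a defender pulls out of an lnk file during triage. The following parser is an added example, not code from the report or from QiAnXin: it walks the Shell Link header and StringData fields (MS-SHLLINK), skipping the IDList and LinkInfo structures by their declared sizes, and flags the two traits the report describes (a target that is a batch script, and a working directory containing "test"). The sample lnk it parses is constructed inline; the target name `documents.bat` and the choice to place the leaked path in the WorkingDir string are assumptions, since the report does not say which structure carried the path (it may equally have been LinkInfo's LocalBasePath, which this parser skips).

```python
import struct

# Shell Link (MS-SHLLINK) constants: header size, LinkCLSID bytes and LinkFlags bits.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData items appear in this fixed order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _read_string(data, off, is_unicode):
    """Read one StringData item: uint16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if is_unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252"), off + count


def parse_lnk(data):
    """Return the StringData fields (name, relative path, working dir, ...) of an .lnk blob."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: uint16 size + payload
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: uint32 total size
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields


def triage_lnk(data):
    """Parse an .lnk and flag the two traits the report describes."""
    fields = parse_lnk(data)
    findings = []
    if fields.get("relative_path", "").lower().endswith((".bat", ".cmd")):
        findings.append("lnk target is a batch script: " + fields["relative_path"])
    working_dir = fields.get("working_dir", "")
    if "test" in working_dir.lower():
        findings.append("working directory leaks the build path: " + working_dir)
    return fields, findings


def build_sample_lnk(relative_path, working_dir):
    """Constructed sample: a minimal Unicode .lnk carrying only RelativePath and WorkingDir."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # attributes, timestamps etc. left zero
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir))
    return header + body


if __name__ == "__main__":
    # Hypothetical target name; the working directory is the path recovered in the report.
    sample = build_sample_lnk(".\\documents.bat", "C:\\Users\\lamar\\Desktop\\test link\\")
    parsed, hits = triage_lnk(sample)
    print(parsed)
    for hit in hits:
        print("FINDING:", hit)
```

Real-world lnk files almost always carry a LinkTargetIDList and LinkInfo; the parser skips both by their size fields, so it still reaches the StringData section on such files, but recovering LocalBasePath would require decoding LinkInfo itself.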
The bat file's main job is to call the first exported function of sta4m7om.dll in the same directory. That DLL is a Confuser-obfuscated loader that loads shellcode into memory. The second-stage shellcode checks its runtime environment to evade sandboxes, then loads IcedID into memory.
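From the defender's side, this lnk → bat → DLL chain leaves a recognisable process-creation trail. The script below is an added example, not code from the report: it runs two checks over constructed Sysmon-style process events (an explorer.exe-spawned cmd.exe running a batch file from a drive other than C:, i.e. a mounted image, and a rundll32.exe invocation whose DLL sits outside the Windows or Program Files directories or is entered by ordinal). The sample events assume the ISO was mounted as drive D: and that the batch file reaches the DLL's first export via `rundll32 ...,#1`; the report does not show the bat contents, so both are assumptions.

```python
import re

# Constructed process-creation events using Sysmon Event ID 1 field names (not from the page).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    # Victim double-clicks the "documents" lnk on the mounted ISO; explorer runs the bat via cmd.
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""D:\documents.bat" "'},
    # Assumed form of the bat's DLL call: first export by ordinal, DLL next to the bat.
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32 D:\sta4m7om.dll,#1"},
    # Benign control: a system DLL with a named export from a trusted location.
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.I)
SCRIPT_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.(?:bat|cmd))', re.I)


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll path, entry point) or return None."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll"), m.group("entry")) if m else None


def in_trusted_location(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one alert dict per event that matches either detection rule."""
    alerts = []
    for ev in events:
        image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        # Rule 1: a batch script launched from Explorer off a non-C: drive (mounted ISO / removable).
        if image == "cmd.exe" and parent == "explorer.exe":
            m = SCRIPT_RE.search(cmd)
            if m and not m.group("path").lower().startswith("c:\\"):
                alerts.append({"rule": "script-from-mounted-image", "path": m.group("path")})
        # Rule 2: rundll32 loading a DLL from an untrusted path, or entering it by ordinal.
        if image == "rundll32.exe":
            parsed = parse_rundll32(cmd)
            if parsed:
                dll, entry = parsed
                reasons = []
                if not in_trusted_location(dll):
                    reasons.append("dll outside trusted directories")
                if entry.startswith("#"):
                    reasons.append("export called by ordinal")
                if reasons:
                    alerts.append({"rule": "rundll32-untrusted-dll", "dll": dll,
                                   "entry": entry, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 on its own will fire on some legitimate installers that ship DLLs in user directories; correlating it with Rule 1 (same host, cmd.exe as parent, within a short window) is what makes the pair specific to this delivery chain.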
The C2 for IcedID is as follows:
| C2 |
|---|
| dullthingpur.com |
| toughflatlying.com |
| ettermangusta.com |
| wagringamuk.com |
| ebothlips.com |
Later, IcedID dropped a loader named "lsass.dll" to load CobaltStrike into memory.

| MD5 |
|---|
| 4dffb8cc2823b938bdd35506ec79b6bf |
The attacker then went after the domain controller on the intranet and obtained the domain administrator's account password. Using those credentials, the attacker executed PowerShell commands on other machines in the domain in an attempt to load CobaltStrike into memory, but these were blocked by Tianqing (QiAnXin's endpoint security product).
Subsequently, the attacker logged in to the target machine via RDP and manually added the Trojan to the antivirus whitelist before executing it. In Tianqing's quarantine we found penetration tools such as mimikatz. Over the course of the attacker's lateral movement through the internal network, a total of three CobaltStrike C2s were used.
| C2 |
|---|
| 111.90.146.218:8443 |
| 101.99.90.111:443 |
| 172.93.181.165:443 (fazehotafa.com) |
When the time was ripe, the attacker logged in to the victim's machines via RDP, shut down the antivirus, and mass-deployed the encryptor under C:\ProgramData, delivering the Quantum ransomware.

| MD5 | Name |
|---|---|
| 2db78a7e5bf1854ba24d29b0141e70f9 | 32.exe |
| fac17fa9794d40d175becc4321f26c86 | 32.dll |
Quantum has long been believed to be operated by Conti Group's Team Two as a successor to the Conti ransomware.
One of the C2s (fazehotafa.com) the attacker used during lateral movement overlaps with a Quantum ransomware report recently published by The DFIR Report [2]. Notably, that report also lists another domain, guteyutu.com, which traces back to the same source as the Karakurt Group activity we monitored in the first half of 2022. Given the close relationship between Karakurt Group and the old Conti, we believe Karakurt Group has been deeply involved in the delivery of the Quantum ransomware.
In other Karakurt Group activity, besides the usual tools (CobaltStrike, Metasploit (msf), and AnyDesk), we also observed the open-source backdoor Gomet deployed as a fallback for keeping control of key servers.
| MD5 | C2 |
|---|---|
| d037d22495a7f724ab619e736fd67def | 45.76.211.131:8888 |
| d6ae42478de3e5d864a5d6358ca1ac48 | 141.164.50.109:8888 |

Although the incident took place more than half a year ago, the samples are still detected by only a small share of engines on VirusTotal.
Correlation analysis on QiAnXin's big-data platform gives us medium-to-high confidence that the Cisco breach [3] is also related to Karakurt Group.
Summary
All of QiAnXin's threat intelligence products, including the QiAnXin Threat Intelligence Platform (TIP), Tianqing, the Tianyan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situation Awareness, now support precise detection of this kind of attack.
IOC
MD5:
15dd0873cb6bef0c8e89a0319a202c3a
93787c6a5ba46605c0916be28ef52bf1
fac17fa9794d40d175becc4321f26c86
2db78a7e5bf1854ba24d29b0141e70f9
4dffb8cc2823b938bdd35506ec79b6bf
d037d22495a7f724ab619e736fd67def
d6ae42478de3e5d864a5d6358ca1ac48
3087bb457048fee050089a82c2671eaf
C2:
dullthingpur.com
toughflatlying.com
ettermangusta.com
wagringamuk.com
ebothlips.com
fazehotafa.com
111.90.146.218:8443
101.99.90.111:443
172.93.181.165:443
45.76.211.131:8888
141.164.50.109:8888
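A practical way to use the C2 list above is to sweep historical DNS and proxy/firewall logs for it. The matcher below is an added example, not code from the report; it takes the domains and IP:port pairs from the IOC section as they appear on this page, matches subdomains of the listed domains, and distinguishes an exact IP:port hit (high confidence) from a hit on the IP alone (medium confidence, since a hosting IP may be shared). The key=value log lines are constructed for the example and are not from any real environment.

```python
import ipaddress
import re

# C2 indicators exactly as listed in this report's IOC section.
C2_DOMAINS = {"dullthingpur.com", "toughflatlying.com", "ettermangusta.com",
              "wagringamuk.com", "ebothlips.com", "fazehotafa.com"}
C2_ENDPOINTS = {("111.90.146.218", 8443), ("101.99.90.111", 443), ("172.93.181.165", 443),
                ("45.76.211.131", 8888), ("141.164.50.109", 8888)}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}

# Constructed log lines (not from the page): DNS queries plus proxy/firewall connections.
SAMPLE_LOGS = [
    "2022-06-07T09:12:01Z dns client=10.0.0.15 query=www.ettermangusta.com type=A",
    "2022-06-07T09:12:03Z proxy client=10.0.0.15 dst=172.93.181.165:443 host=fazehotafa.com",
    "2022-06-07T09:13:10Z fw client=10.0.0.22 dst=45.76.211.131:8888 action=allow",
    "2022-06-07T09:14:00Z fw client=10.0.0.22 dst=45.76.211.131:80 action=allow",
    "2022-06-07T09:15:00Z dns client=10.0.0.30 query=example.com type=A",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def match_domain(name):
    """Return the listed C2 domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for c2 in C2_DOMAINS:
        if name == c2 or name.endswith("." + c2):
            return c2
    return None


def match_endpoint(dst):
    """Return (ip, confidence) for an ip:port string that hits the C2 list, else None."""
    host, _, port = dst.rpartition(":")
    if not host or not port.isdigit():
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    if (host, int(port)) in C2_ENDPOINTS:
        return host, "high"
    if host in C2_IPS:          # same server, different port: worth a look, not a certainty
        return host, "medium"
    return None


def scan(lines):
    """Scan key=value log lines; query/host fields are checked as domains, dst as ip:port."""
    hits = []
    for i, line in enumerate(lines):
        for key, value in KV_RE.findall(line):
            if key in ("query", "host"):
                c2 = match_domain(value)
                if c2:
                    hits.append({"line": i, "indicator": c2, "confidence": "high"})
            elif key == "dst":
                m = match_endpoint(value)
                if m:
                    hits.append({"line": i, "indicator": m[0], "confidence": m[1]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit, "->", SAMPLE_LOGS[hit["line"]])
```

The subdomain check matters because sinkholed or rotated C2 often surfaces in logs under host labels such as `www.` or a random prefix; the plain substring test `"ettermangusta.com" in name` would also match unrelated names like `notettermangusta.com`, which the dot-boundary test avoids.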
Reference Links
[1]. https://www.secureworld.io/industry-news/karakurt-ransomware-conti
[2]. https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
[3]. https://blog.talosintelligence.com/recent-cyber-attack/