{
  "type": "URL",
  "indicator": "https://karakurt.group",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://karakurt.group",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3464804323,
      "indicator": "https://karakurt.group",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "62986c1750cc114c19b706ce",
          "name": "Karakurt Data Extortion Group",
          "description": "The Karakurt data extortion group has targeted victims across North America and Europe, demanding a ransom of up to $13,000 (\u00a37,500) for the return of stolen data.",
          "modified": "2022-06-02T07:51:50.425000",
          "created": "2022-06-02T07:51:50.425000",
          "tags": [
            "karakurt",
            "data extortion",
            "log4shell"
          ],
          "references": [
            "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a"
          ],
          "public": 1,
          "adversary": "Karakurt",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Karakurt",
              "display_name": "Karakurt",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 370,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 7,
            "BitcoinAddress": 19,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 5,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 53,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386551,
          "modified_text": "1459 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708f66513978034c1c91b0",
          "name": "Undefined Name",
          "description": "",
          "modified": "2023-12-06T15:12:38.363000",
          "created": "2023-12-06T15:12:38.363000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 256,
            "domain": 159,
            "FileHash-MD5": 179,
            "FileHash-SHA1": 168,
            "URL": 96,
            "IPv4": 85,
            "hostname": 21
          },
          "indicator_count": 964,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 111,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "633dc0613d076fce1011ab10",
          "name": "Karakurt Data Extortion Group | CISA",
          "description": "The Karakurt data extortion group has targeted victims across North America and Europe and is demanding a ransom of up to $13,000 (\u00a37,500) in Bitcoin for the return of their data.",
          "modified": "2022-10-05T17:35:29.996000",
          "created": "2022-10-05T17:35:29.996000",
          "tags": [
            "karakurt",
            "data extortion",
            "mitre",
            "cobalt strike",
            "uscert",
            "csirt",
            "cert",
            "cybersecurity",
            "cyber security",
            "computer security",
            "u. s. computer emergency readiness",
            "cyber risks",
            "sha256",
            "sha1",
            "technique title",
            "t1133",
            "log4shell",
            "t1190",
            "protocol",
            "t1078",
            "mimikatz",
            "anydesk",
            "apache",
            "phishing",
            "malicious",
            "persistence",
            "team",
            "bitcoin",
            "ransom"
          ],
          "references": [
            "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Mitre",
              "display_name": "Mitre",
              "target": null
            },
            {
              "id": "Data Extortion",
              "display_name": "Data Extortion",
              "target": null
            },
            {
              "id": "Karakurt",
              "display_name": "Karakurt",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dagger-1",
            "id": "202493",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 19,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 6,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 35,
          "modified_text": "1333 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a240e3ecd94ddae472eb6a",
          "name": "test",
          "description": "",
          "modified": "2022-07-09T00:01:52.431000",
          "created": "2022-06-09T18:50:11.481000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "626d6d47f6da18014c30df7e",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "threatmanager",
            "id": "74623",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 179,
            "FileHash-SHA1": 168,
            "FileHash-SHA256": 256,
            "domain": 159,
            "IPv4": 85,
            "hostname": 21,
            "URL": 96
          },
          "indicator_count": 964,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 510,
          "modified_text": "1422 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62994ccf1a5f3d7f4bf593e0",
          "name": "Karakurt Data Extortion Group",
          "description": "",
          "modified": "2022-06-02T23:50:39.754000",
          "created": "2022-06-02T23:50:39.754000",
          "tags": [
            "US-Cert",
            "CobaltStrike",
            "SpearPhishing",
            "Extortion",
            "Phishing",
            "Log4j"
          ],
          "references": [
            "https://community.riskiq.com/article/d52011d3"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "FileHash-SHA256": 3
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "1458 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "629858a70c35368282713371",
          "name": "Karakurt Data Extortion Group | CISA",
          "description": "The Karakurt data extortion group has targeted victims across North America and Europe, demanding a ransom of up to $13,000 (\u00a37,500) for the return of stolen data.",
          "modified": "2022-06-02T06:28:55.840000",
          "created": "2022-06-02T06:28:55.840000",
          "tags": [
            "karakurt",
            "data extortion",
            "mitre",
            "cobalt strike",
            "uscert",
            "csirt",
            "cert",
            "cybersecurity",
            "cyber security",
            "computer security",
            "u. s. computer emergency readiness",
            "cyber risks",
            "sha256",
            "sha1",
            "technique title",
            "t1133",
            "log4shell",
            "t1190",
            "protocol",
            "t1078",
            "mimikatz",
            "anydesk",
            "apache",
            "phishing",
            "malicious",
            "persistence",
            "team",
            "bitcoin",
            "ransom"
          ],
          "references": [
            "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Karakurt",
              "display_name": "Karakurt",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Mitre",
              "display_name": "Mitre",
              "target": null
            },
            {
              "id": "Data Extortion",
              "display_name": "Data Extortion",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 10,
            "BitcoinAddress": 19,
            "CVE": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 5,
            "URL": 2,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 866,
          "modified_text": "1459 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6297a0b0e90016b0d442c6a1",
          "name": "Karakurt Data Extortion Group | CISA",
          "description": "The Karakurt data extortion group has targeted victims across North America and Europe, demanding a ransom of up to $13,000 (\u00a37,500) for the return of stolen data.",
          "modified": "2022-06-01T17:24:00.416000",
          "created": "2022-06-01T17:24:00.416000",
          "tags": [
            "karakurt",
            "data extortion",
            "mitre",
            "cobalt strike",
            "uscert",
            "csirt",
            "cert",
            "cybersecurity",
            "cyber security",
            "computer security",
            "u. s. computer emergency readiness",
            "cyber risks",
            "sha256",
            "sha1",
            "technique title",
            "t1133",
            "log4shell",
            "t1190",
            "protocol",
            "t1078",
            "mimikatz",
            "anydesk",
            "apache",
            "phishing",
            "malicious",
            "persistence",
            "team",
            "bitcoin",
            "ransom"
          ],
          "references": [
            "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Karakurt",
              "display_name": "Karakurt",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Mitre",
              "display_name": "Mitre",
              "target": null
            },
            {
              "id": "Data Extortion",
              "display_name": "Data Extortion",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "VertekLabs",
            "id": "168455",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 7,
            "BitcoinAddress": 19,
            "CVE": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 5,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 55,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 566,
          "modified_text": "1459 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://community.riskiq.com/article/d52011d3",
        "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Karakurt"
          ],
          "malware_families": [
            "Karakurt"
          ],
          "industries": [],
          "unique_indicators": 53
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Mitre",
            "Cobalt strike",
            "Karakurt",
            "Data extortion"
          ],
          "industries": [],
          "unique_indicators": 1001
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/karakurt.group",
    "whois": "http://whois.domaintools.com/karakurt.group",
    "domain": "karakurt.group",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "62986c1750cc114c19b706ce",
      "name": "Karakurt Data Extortion Group",
      "description": "The Karakurt data extortion group has targeted victims across North America and Europe, demanding a ransom of up to $13,000 (\u00a37,500) for the return of stolen data.",
      "modified": "2022-06-02T07:51:50.425000",
      "created": "2022-06-02T07:51:50.425000",
      "tags": [
        "karakurt",
        "data extortion",
        "log4shell"
      ],
      "references": [
        "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a"
      ],
      "public": 1,
      "adversary": "Karakurt",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Karakurt",
          "display_name": "Karakurt",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 370,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 7,
        "BitcoinAddress": 19,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 5,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 53,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386551,
      "modified_text": "1459 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708f66513978034c1c91b0",
      "name": "Undefined Name",
      "description": "",
      "modified": "2023-12-06T15:12:38.363000",
      "created": "2023-12-06T15:12:38.363000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 256,
        "domain": 159,
        "FileHash-MD5": 179,
        "FileHash-SHA1": 168,
        "URL": 96,
        "IPv4": 85,
        "hostname": 21
      },
      "indicator_count": 964,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 111,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "633dc0613d076fce1011ab10",
      "name": "Karakurt Data Extortion Group | CISA",
      "description": "The Karakurt data extortion group has targeted victims across North America and Europe and is demanding a ransom of up to $13,000 (\u00a37,500) in Bitcoin for the return of their data.",
      "modified": "2022-10-05T17:35:29.996000",
      "created": "2022-10-05T17:35:29.996000",
      "tags": [
        "karakurt",
        "data extortion",
        "mitre",
        "cobalt strike",
        "uscert",
        "csirt",
        "cert",
        "cybersecurity",
        "cyber security",
        "computer security",
        "u. s. computer emergency readiness",
        "cyber risks",
        "sha256",
        "sha1",
        "technique title",
        "t1133",
        "log4shell",
        "t1190",
        "protocol",
        "t1078",
        "mimikatz",
        "anydesk",
        "apache",
        "phishing",
        "malicious",
        "persistence",
        "team",
        "bitcoin",
        "ransom"
      ],
      "references": [
        "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Mitre",
          "display_name": "Mitre",
          "target": null
        },
        {
          "id": "Data Extortion",
          "display_name": "Data Extortion",
          "target": null
        },
        {
          "id": "Karakurt",
          "display_name": "Karakurt",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dagger-1",
        "id": "202493",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 19,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 6,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 35,
      "modified_text": "1333 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62a240e3ecd94ddae472eb6a",
      "name": "test",
      "description": "",
      "modified": "2022-07-09T00:01:52.431000",
      "created": "2022-06-09T18:50:11.481000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "626d6d47f6da18014c30df7e",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "threatmanager",
        "id": "74623",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 179,
        "FileHash-SHA1": 168,
        "FileHash-SHA256": 256,
        "domain": 159,
        "IPv4": 85,
        "hostname": 21,
        "URL": 96
      },
      "indicator_count": 964,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 510,
      "modified_text": "1422 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62994ccf1a5f3d7f4bf593e0",
      "name": "Karakurt Data Extortion Group",
      "description": "",
      "modified": "2022-06-02T23:50:39.754000",
      "created": "2022-06-02T23:50:39.754000",
      "tags": [
        "US-Cert",
        "CobaltStrike",
        "SpearPhishing",
        "Extortion",
        "Phishing",
        "Log4j"
      ],
      "references": [
        "https://community.riskiq.com/article/d52011d3"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "FileHash-SHA256": 3
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "1458 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "629858a70c35368282713371",
      "name": "Karakurt Data Extortion Group | CISA",
      "description": "The Karakurt data extortion group has targeted victims across North America and Europe, demanding a ransom of up to $13,000 (\u00a37,500) for the return of stolen data.",
      "modified": "2022-06-02T06:28:55.840000",
      "created": "2022-06-02T06:28:55.840000",
      "tags": [
        "karakurt",
        "data extortion",
        "mitre",
        "cobalt strike",
        "uscert",
        "csirt",
        "cert",
        "cybersecurity",
        "cyber security",
        "computer security",
        "u. s. computer emergency readiness",
        "cyber risks",
        "sha256",
        "sha1",
        "technique title",
        "t1133",
        "log4shell",
        "t1190",
        "protocol",
        "t1078",
        "mimikatz",
        "anydesk",
        "apache",
        "phishing",
        "malicious",
        "persistence",
        "team",
        "bitcoin",
        "ransom"
      ],
      "references": [
        "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Karakurt",
          "display_name": "Karakurt",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Mitre",
          "display_name": "Mitre",
          "target": null
        },
        {
          "id": "Data Extortion",
          "display_name": "Data Extortion",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 10,
        "BitcoinAddress": 19,
        "CVE": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 5,
        "URL": 2,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 866,
      "modified_text": "1459 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6297a0b0e90016b0d442c6a1",
      "name": "Karakurt Data Extortion Group | CISA",
      "description": "The Karakurt data extortion group has targeted victims across North America and Europe, demanding a ransom of up to $13,000 (\u00a37,500) for the return of stolen data.",
      "modified": "2022-06-01T17:24:00.416000",
      "created": "2022-06-01T17:24:00.416000",
      "tags": [
        "karakurt",
        "data extortion",
        "mitre",
        "cobalt strike",
        "uscert",
        "csirt",
        "cert",
        "cybersecurity",
        "cyber security",
        "computer security",
        "u. s. computer emergency readiness",
        "cyber risks",
        "sha256",
        "sha1",
        "technique title",
        "t1133",
        "log4shell",
        "t1190",
        "protocol",
        "t1078",
        "mimikatz",
        "anydesk",
        "apache",
        "phishing",
        "malicious",
        "persistence",
        "team",
        "bitcoin",
        "ransom"
      ],
      "references": [
        "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Karakurt",
          "display_name": "Karakurt",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Mitre",
          "display_name": "Mitre",
          "target": null
        },
        {
          "id": "Data Extortion",
          "display_name": "Data Extortion",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "VertekLabs",
        "id": "168455",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 7,
        "BitcoinAddress": 19,
        "CVE": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 5,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 55,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 566,
      "modified_text": "1459 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://karakurt.group",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://karakurt.group",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780243051.16818
}