S0094 Trojan.Karagany
Trojan.Karagany is a modular remote access tool used for reconnaissance and linked to Dragonfly. The source code for Trojan.Karagany originated from the Dream Loader malware, which was leaked in 2010 and sold on underground forums. [3][2][1]
| Item | Value |
|---|---|
| ID | S0094 |
| Associated Names | xFrost, Karagany |
| Type | MALWARE |
| Version | 3.0 |
| Created | 31 May 2017 |
| Last Modified | 19 April 2022 |
Associated Software Descriptions
| Name | Description |
|---|---|
| xFrost | [2] |
| Karagany | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Trojan.Karagany can communicate with C2 via HTTP POST requests. [2] |
| enterprise | T1010 | Application Window Discovery | Trojan.Karagany can monitor the titles of open windows to identify specific keywords. [2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart. [3][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process. [2] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Trojan.Karagany can steal data and credentials from browsers. [2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Trojan.Karagany can create directories to store plugin output and stage data for exfiltration. [3][2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Trojan.Karagany can secure C2 communications with SSL and TLS. [2] |
| enterprise | T1083 | File and Directory Discovery | Trojan.Karagany can enumerate files and directories on a compromised host. [2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Trojan.Karagany has used plugins with a self-delete capability. [2] |
| enterprise | T1105 | Ingress Tool Transfer | Trojan.Karagany can upload, download, and execute files on the victim. [3][2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Trojan.Karagany can capture keystrokes on a compromised host. [2] |
| enterprise | T1027 | Obfuscated Files or Information | Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission. [2] |
| enterprise | T1027.002 | Software Packing | Trojan.Karagany samples sometimes use common binary packers such as UPX and ASPack on top of a custom Delphi binary packer. [3][2] |
| enterprise | T1003 | OS Credential Dumping | Trojan.Karagany can dump passwords and save them into `\ProgramData\Mail\MailAg\pwds.txt`. [3] |
| enterprise | T1057 | Process Discovery | Trojan.Karagany can use Tasklist to collect a list of running tasks. [3][2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.003 | Thread Execution Hijacking | Trojan.Karagany can inject a suspended thread of its own process into a new process and initiate it via the ResumeThread API. [2] |
| enterprise | T1113 | Screen Capture | Trojan.Karagany can take a desktop screenshot and save the file into `\ProgramData\Mail\MailAg\shot.png`. [3][2] |
| enterprise | T1082 | System Information Discovery | Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration. [2] |
| enterprise | T1016 | System Network Configuration Discovery | Trojan.Karagany can gather information on the network configuration of a compromised host. [2] |
| enterprise | T1049 | System Network Connections Discovery | Trojan.Karagany can use netstat to collect a list of network connections. [2] |
| enterprise | T1033 | System Owner/User Discovery | Trojan.Karagany can gather information about the user on a compromised host. [2] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths. [2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0035 | Dragonfly | [3][2][4] |
References
- [1] Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade's Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
- [2] Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- [3] Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.