Trojan.Karagany

Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly and Dragonfly 2.0. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. [1][2][3]

ID: S0094
Associated Software: xFrost, Karagany
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 31 May 2017
Last Modified: 14 October 2020

Associated Software Descriptions

Name Description
xFrost

[2]

Karagany

[2]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Trojan.Karagany can communicate with C2 via HTTP POST requests.[2]

Enterprise T1010 Application Window Discovery

Trojan.Karagany can monitor the titles of open windows to identify specific keywords.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.[2]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Trojan.Karagany can steal data and credentials from browsers.[2]

Enterprise T1074 .001 Data Staged: Local Data Staging

Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.[1][2]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Trojan.Karagany can secure C2 communications with SSL and TLS.[2]

Enterprise T1083 File and Directory Discovery

Trojan.Karagany can enumerate files and directories on a compromised host.[2]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Trojan.Karagany has used plugins with a self-delete capability.[2]

Enterprise T1105 Ingress Tool Transfer

Trojan.Karagany can upload, download, and execute files on the victim.[1][2]

Enterprise T1056 .001 Input Capture: Keylogging

Trojan.Karagany can capture keystrokes on a compromised host.[2]

Enterprise T1027 Obfuscated Files or Information

Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.[2]

.002 Software Packing

Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.[1][2]

Enterprise T1003 OS Credential Dumping

Trojan.Karagany can dump passwords and save them into \ProgramData\Mail\MailAg\pwds.txt.[1]

Enterprise T1057 Process Discovery

Trojan.Karagany can use Tasklist to collect a list of running tasks.[1][2]

Enterprise T1055 .003 Process Injection: Thread Execution Hijacking

Trojan.Karagany can inject a suspended thread of its own process into a new process and initiate via the ResumeThread API.[2]

Enterprise T1113 Screen Capture

Trojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png.[1][2]

Enterprise T1082 System Information Discovery

Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration.[2]

Enterprise T1016 System Network Configuration Discovery

Trojan.Karagany can gather information on the network configuration of a compromised host.[2]

Enterprise T1049 System Network Connections Discovery

Trojan.Karagany can use netstat to collect a list of network connections.[2]

Enterprise T1033 System Owner/User Discovery

Trojan.Karagany can gather information about the user on a compromised host.[2]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.[2]

Groups That Use This Software

ID Name References
G0035 Dragonfly

[1][2]

G0074 Dragonfly 2.0

[4][2]

References