Trojan.Karagany
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| xFrost | (Citation: Secureworks Karagany July 2019) |
| Karagany | (Citation: Secureworks Karagany July 2019) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Trojan.Karagany can communicate with C2 via HTTP POST requests.(Citation: Secureworks Karagany July 2019) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.(Citation: Secureworks Karagany July 2019) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Trojan.Karagany can steal data and credentials from browsers.(Citation: Secureworks Karagany July 2019) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019) |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
Trojan.Karagany can secure C2 communications with SSL and TLS.(Citation: Secureworks Karagany July 2019) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Trojan.Karagany has used plugins with a self-delete capability.(Citation: Secureworks Karagany July 2019) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Trojan.Karagany can capture keystrokes on a compromised host.(Citation: Secureworks Karagany July 2019) |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019) |
| Enterprise | T1055 | .003 | Process Injection: Thread Execution Hijacking |
Trojan.Karagany can inject a suspended thread of its own process into a new process and initiate via the |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.(Citation: Secureworks Karagany July 2019) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0074 | Dragonfly 2.0 |
(Citation: Symantec Dragonfly Sept 2017) (Citation: Secureworks Karagany July 2019) |
| G0035 | Dragonfly |
(Citation: Symantec Dragonfly) (Citation: Secureworks Karagany July 2019) (Citation: Gigamon Berserk Bear October 2021) |
References
- Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.
- Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.