Karagany is a modular remote access trojan (RAT) observed since at least 2010 and modeled after the "Dream Loader" trojan. It is associated with the advanced persistent threat (APT) group tracked as Energetic Bear, DragonFly, or IRON LIBERTY. Its activity dropped off in 2014 but reemerged in late 2016, and the trojan has been under active development since. Energetic Bear uses Karagany against energy sector entities in the US and Europe to maintain persistence on a compromised network, upload and download files, and download and execute additional plugin modules, including:
Listrix — file enumeration and directory listing
IKLG — keylogger
ScreenUtil — screen capture utility
MCMD — interactive command shell module
SysInfo — system information enumeration
Browser Data Viewer — browser data and credential theft
LogKatz — custom Mimikatz script for credential theft
Karagany is not delivered by phishing or exploit; Energetic Bear places it on hosts directly over existing network access gained with stolen privileged credentials, deploying the trojan only to specific targets selected for their role and the access they provide.
Reporting and Technical Details
SecureWorks provides extensive technical details and indicators of compromise (IOCs) for the Karagany trojan in its threat analysis.