Karagany is a modular remote access trojan (RAT) observed since at least 2010 and modeled after the “Dream Loader” trojan. It is known for its use by the advanced persistent threat (APT) group tracked as Energetic Bear, DragonFly, or IRON LIBERTY. Its activity dropped off in 2014 but reemerged in late 2016, and the trojan has been under active development since. Energetic Bear uses Karagany against energy sector entities in the US and Europe to maintain persistence on a compromised network, upload and download files, and download and execute additional plugin modules, including:

  • Listrix — file enumeration and directory listing

  • IKLG — keylogger

  • ScreenUtil — screen capture utility

  • MCMD — interactive command shell module

  • SysInfo — system information enumeration

  • Browser Data Viewer — browser data and credential theft

  • LogKatz — custom Mimikatz script for credential theft

Karagany is delivered to target hosts over existing network access, using stolen privileged credentials. Energetic Bear deploys the trojan selectively, choosing targets based on their role and the access they hold.

Reporting and Technical Details

  • SecureWorks provides extensive technical details and indicators of compromise (IOCs) for the Karagany trojan in its threat analysis.