CB TAU Threat Intelligence Notification – Karagany Malware

2019-08-12T13:09:37
ID CARBONBLACK:787D2196903CAB248C8CFFEE455DC9A2
Type carbonblack
Reporter Ryan Murphy
Modified 2019-08-12T13:09:37

Description

Secureworks last month reported on an update to the Karagany malware. The malware is used by the IRON LIBERTY threat group (also known as Dragonfly 2.0 and Energetic Bear), which targets energy companies and organizations. The Carbon Black Threat Analysis Unit (TAU) provides product rules to detect and block execution of the malware.

Behavior Summary

Karagany is a modular remote access trojan (RAT). It is installed manually (sometimes remotely via PsExec) on target systems using stolen privileged credentials. Additional plugins, such as a keylogger and a command shell, may then be added to the core component.

The RAT checks for several virtualization platforms and aborts the installation if one is detected. For example, one Karagany sample (SHA256: 00a1b9fd9af9c5e366ef19908f028e9cca0462ec16adab9763e8c8b017b0f6bc) contains four anti-VM detection functions: the cpuid instruction, the vpcext instruction (VirtualPC), and WMI queries for VMware and VirtualBox. The WMI query strings are obfuscated; the de-obfuscated strings are listed below:

[+] 0x1098776: 'SELECT SerialNumber FROM Win32_Bios'
[+] 0x1098816: 'SerialNumber'
[+] 0x1098885: 'VMware'
[+] 0x1098af6: 'SELECT DeviceId FROM Win32_PnP'
[+] 0x1098b90: 'DeviceId'
[+] 0x1098bf3: 'PCI\\VEN_80E'


The same WMI queries were also used by Hacking Team.
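As an added detection example (not Carbon Black's or Secureworks' code), the script below flags processes that issue the two recovered anti-VM WMI queries. It assumes the Microsoft-Windows-WMI-Activity/Operational log has been exported as tab-separated lines of EventID, ClientProcessId and Operation text; the sample lines are constructed and that field layout is an assumption, so adapt parse_line() to the real export. A process issuing only one of the queries is common in legitimate inventory tooling, so the stronger signal reported by suspicious_pids() is a single process issuing both.

```python
import re

# WMI queries recovered from the sample's obfuscated strings (see listing above).
# The class name "Win32_PnP" is reproduced exactly as printed in the notification;
# matching is prefix-based so the real "Win32_PnPEntity" still matches.
KARAGANY_WMI_QUERIES = {
    "SELECT SerialNumber FROM Win32_Bios": "bios-serial (VMware check)",
    "SELECT DeviceId FROM Win32_PnP": "pnp-deviceid (VirtualBox check)",
}

# Constructed sample lines (assumed layout): "<EventID>\t<ClientProcessId>\t<Operation>".
SAMPLE_LOG = """\
5858\t4120\tStart IWbemServices::ExecQuery - root\\cimv2 : SELECT Name FROM Win32_Process
5858\t7732\tStart IWbemServices::ExecQuery - root\\cimv2 : select serialnumber from win32_bios
5858\t7732\tStart IWbemServices::ExecQuery - root\\cimv2 : SELECT DeviceId FROM Win32_PnPEntity
5858\t4120\tStart IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_OperatingSystem
5858\t9001\tStart IWbemServices::ExecQuery - root\\cimv2 : SELECT SerialNumber FROM Win32_Bios
"""


def normalize(query):
    """Collapse whitespace and upper-case so WQL keyword/class casing does not matter."""
    return re.sub(r"\s+", " ", query).strip().upper()


def classify_query(query):
    """Return the Karagany check label if `query` matches one of the recovered
    anti-VM queries, else None."""
    q = normalize(query)
    for known, label in KARAGANY_WMI_QUERIES.items():
        if q.startswith(normalize(known)):
            return label
    return None


def parse_line(line):
    """Split a constructed log line into (event_id, pid, query_text)."""
    event_id, pid, operation = line.split("\t", 2)
    # The WQL text follows the namespace after " : " in the Operation field.
    query = operation.split(" : ", 1)[1] if " : " in operation else operation
    return event_id, int(pid), query


def scan_log(text):
    """Return (pid, label) for every line whose query matches a Karagany check."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, pid, query = parse_line(line)
        label = classify_query(query)
        if label:
            hits.append((pid, label))
    return hits


def suspicious_pids(text):
    """PIDs that issued BOTH anti-VM queries, i.e. the sequence the sample performs."""
    seen = {}
    for pid, label in scan_log(text):
        seen.setdefault(pid, set()).add(label)
    return sorted(pid for pid, labels in seen.items()
                  if len(labels) == len(KARAGANY_WMI_QUERIES))


if __name__ == "__main__":
    for pid, label in scan_log(SAMPLE_LOG):
        print(f"pid {pid}: {label}")
    print("both checks issued by:", suspicious_pids(SAMPLE_LOG))
```

Run against the constructed log, pid 7732 is the only process that asked for both the BIOS serial number and the PnP device list; pid 9001 is reported as a single hit for triage but not as a suspicious process.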

When allowed to run, CB Threat Hunter will show the natural progression of this malware execution.

[Image: cbth_process_tree.png]

Other than that, CB Defense will display the malware's overall triggered TTPs.

[Image: cbd_recent_ttps.png]

[Image: cbd_alert_origin.png]

The C2 protocol and plugin capabilities of the RAT are well-described in the SecureWorks blog post.

If you are a Carbon Black customer looking to learn how CB solutions help defend against this attack, click here.

MITRE ATT&CK TIDs

TID | Tactic | Description
---|---|---
T1497 | Defense Evasion, Discovery | Virtualization/Sandbox Evasion
T1045 | Defense Evasion | Software Packing
T1012 | Discovery | Query Registry
T1082 | Discovery | System Information Discovery
T1071 | Command And Control | Standard Application Layer Protocol
T1032 | Command And Control | Standard Cryptographic Protocol
T1083 | Discovery | File and Directory Discovery
T1056 | Collection, Credential Access | Input Capture
T1113 | Collection | Screen Capture
T1059 | Execution | Command-Line Interface
T1003 | Credential Access | Credential Dumping

Indicators of Compromise (IOCs)

Indicator | Type | Context
---|---|---
00a1b9fd9af9c5e366ef19908f028e9cca0462ec16adab9763e8c8b017b0f6bc | SHA256 | Karagany core malware
418e58b78731546089eb1b7fa6e1d99f | MD5 | Karagany core malware
7b2c9bb78867319e8d907c48eb24e51dffc6a81edf5166dc4409ed07227402f3 | SHA256 | Karagany core malware
874295e9512c668a7df493c8975c081b | MD5 | Karagany core malware
adf809c93f6bc1f758e7e3a4aeeb39d00e34e762ac4ff48dce59de5efb0f80fd | SHA256 | Karagany core malware
8aeacf3fde1b49940fb4d08226dccbc4 | MD5 | Karagany core malware
e644771565fb2144d018e8ce89fa116fc7e564007f941ce712fa5f929b86e338 | SHA256 | Karagany core malware
990e2e3ab8e2c8126214e667b0dc282f | MD5 | Karagany core malware
9a1a196f6f5afa19643856cf8545b3401fc2dae8f79ec08a32456b3e9f8bbdbd | SHA256 | Karagany core malware
20ec7658254eddd917e1b351e1728534 | MD5 | Karagany core malware
de0d3aaee6254074222d9bdf35fa67218d9738f05e1dfb75173cf982c03a0811 | SHA256 | Keylogger plugin binary
fff6dc1216fe549fa1d700f1ccfcd754 | MD5 | Keylogger plugin binary
20d20c9dda1f922786f95132eb64753b38f7db695d29a7b9993b880e44043b59 | SHA256 | Listrix plugin binary
4ad06a76e1ad423b13e03587a887ede0 | MD5 | Listrix plugin binary
8aaa1b931610122a1908d9bfe1806881b430b57462a2147d403bb495183bd592 | SHA256 | Listrix plugin binary
fca1fa07afa1b3ff9f67f2a377de51ae | MD5 | Listrix plugin binary
656fe7c362b7421d5e94ab186e0beca01c00b55eecefa25270805fca6ad96d9a | SHA256 | Listrix plugin binary
6851cbfa790eb56b68942ee86a045c36 | MD5 | Listrix plugin binary
5179d5874383b3c6a45350f77e86098ae7be606df490afbd57d98bed8e3bc2cd | SHA256 | MCMD plugin binary
6cd47d4c2fd8997683baa1f278d2dd94 | MD5 | MCMD plugin binary
4877050e41f269bab1013649f747f1bd2a1f53e07825c21778f4b1a9a882c7bb | SHA256 | MCMD plugin binary
2dbdeef42699730635abdc657775e4af | MD5 | MCMD plugin binary
7aa8cd8a2669537631b8ac7b892f51d4c74056c1369007c474277ebdf82fb74e | SHA256 | MCMD plugin binary
336b6f0108a23b95f3141afc787a31dd | MD5 | MCMD plugin binary
172be9ebd26946bdfe19150e304c8abd59d43a7bf92afa270f028c9a4a29fd99 | SHA256 | MCMD plugin binary
8b8b33a14f7be027fdb1aec1555fa8a8 | MD5 | MCMD plugin binary
1fd5b0b1a218b65443d7088e47dd79018bf46935375b061f5f78fbe1cadb50dc | SHA256 | ScreenUtil plugin binary
6449cff2a0497cae0c3fb780da287e2c | MD5 | ScreenUtil plugin binary
c605a771730cc618f2f85a8bee9d9cbdabc6f5f47d803976b4923f64f9aea282 | SHA256 | ScreenUtil plugin binary
fd6145bbc722ef52eed6b94dd520170c | MD5 | ScreenUtil plugin binary
9d994710941540fe6bdf43196679b6a667f6370f1aa9b538836a509f4e4c42c4 | SHA256 | LogKatz plugin binary
ade68f4e5b03c6cf86b851613dbc3629 | MD5 | LogKatz plugin binary
a35ace92645e8a62536031784f60679200252a2a4ec1dc287f93797be34dfed2 | SHA256 | SysInfo plugin binary
195ec5fb2d5ccd344b655a955f20db81 | MD5 | SysInfo plugin binary
47a3f4fbe7984e3ae3d2088e2898bea371a0aeaee8fca6a6b6d59d6e938393fa | SHA256 | Browser Data Viewer plugin binary
2618ab729dea68dfbcb11dce2e66c8c2 | MD5 | Browser Data Viewer plugin binary
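As an added example (not Carbon Black's own tooling), the script below loads the IOC table from this notification and hashes every file under a directory, reporting any SHA256 or MD5 match together with its context from the table. The hash values are copied from the table (normalised to lowercase); the directory walk, the chunked hashing and the constructed benign file written by demo() are the only assumptions.

```python
import hashlib
import os
import tempfile

# IOC table from the notification, one row per line: "<sha256> <md5> <context>".
IOC_TABLE = """\
00a1b9fd9af9c5e366ef19908f028e9cca0462ec16adab9763e8c8b017b0f6bc 418e58b78731546089eb1b7fa6e1d99f Karagany core malware
7b2c9bb78867319e8d907c48eb24e51dffc6a81edf5166dc4409ed07227402f3 874295e9512c668a7df493c8975c081b Karagany core malware
adf809c93f6bc1f758e7e3a4aeeb39d00e34e762ac4ff48dce59de5efb0f80fd 8aeacf3fde1b49940fb4d08226dccbc4 Karagany core malware
e644771565fb2144d018e8ce89fa116fc7e564007f941ce712fa5f929b86e338 990e2e3ab8e2c8126214e667b0dc282f Karagany core malware
9a1a196f6f5afa19643856cf8545b3401fc2dae8f79ec08a32456b3e9f8bbdbd 20ec7658254eddd917e1b351e1728534 Karagany core malware
de0d3aaee6254074222d9bdf35fa67218d9738f05e1dfb75173cf982c03a0811 fff6dc1216fe549fa1d700f1ccfcd754 Keylogger plugin binary
20d20c9dda1f922786f95132eb64753b38f7db695d29a7b9993b880e44043b59 4ad06a76e1ad423b13e03587a887ede0 Listrix plugin binary
8aaa1b931610122a1908d9bfe1806881b430b57462a2147d403bb495183bd592 fca1fa07afa1b3ff9f67f2a377de51ae Listrix plugin binary
656fe7c362b7421d5e94ab186e0beca01c00b55eecefa25270805fca6ad96d9a 6851cbfa790eb56b68942ee86a045c36 Listrix plugin binary
5179d5874383b3c6a45350f77e86098ae7be606df490afbd57d98bed8e3bc2cd 6cd47d4c2fd8997683baa1f278d2dd94 MCMD plugin binary
4877050e41f269bab1013649f747f1bd2a1f53e07825c21778f4b1a9a882c7bb 2dbdeef42699730635abdc657775e4af MCMD plugin binary
7aa8cd8a2669537631b8ac7b892f51d4c74056c1369007c474277ebdf82fb74e 336b6f0108a23b95f3141afc787a31dd MCMD plugin binary
172be9ebd26946bdfe19150e304c8abd59d43a7bf92afa270f028c9a4a29fd99 8b8b33a14f7be027fdb1aec1555fa8a8 MCMD plugin binary
1fd5b0b1a218b65443d7088e47dd79018bf46935375b061f5f78fbe1cadb50dc 6449cff2a0497cae0c3fb780da287e2c ScreenUtil plugin binary
c605a771730cc618f2f85a8bee9d9cbdabc6f5f47d803976b4923f64f9aea282 fd6145bbc722ef52eed6b94dd520170c ScreenUtil plugin binary
9d994710941540fe6bdf43196679b6a667f6370f1aa9b538836a509f4e4c42c4 ade68f4e5b03c6cf86b851613dbc3629 LogKatz plugin binary
a35ace92645e8a62536031784f60679200252a2a4ec1dc287f93797be34dfed2 195ec5fb2d5ccd344b655a955f20db81 SysInfo plugin binary
47a3f4fbe7984e3ae3d2088e2898bea371a0aeaee8fca6a6b6d59d6e938393fa 2618ab729dea68dfbcb11dce2e66c8c2 Browser Data Viewer plugin binary
"""


def load_iocs(table=IOC_TABLE):
    """Map every lowercase hash in the table to its context string."""
    iocs = {}
    for line in table.splitlines():
        if not line.strip():
            continue
        sha256, md5, context = line.split(maxsplit=2)
        iocs[sha256.lower()] = context
        iocs[md5.lower()] = context
    return iocs


IOCS = load_iocs()


def lookup(digest):
    """Return the IOC context for a SHA256 or MD5 hex digest (any case), else None."""
    return IOCS.get(digest.strip().lower())


def hash_file(path, chunk_size=1 << 20):
    """Compute SHA256 and MD5 of a file in one pass, reading in 1 MiB chunks."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def match_bytes(data):
    """Return the IOC context if an in-memory blob matches either hash type."""
    return lookup(hashlib.sha256(data).hexdigest()) or lookup(hashlib.md5(data).hexdigest())


def scan_directory(root):
    """Walk `root` and return (path, context) for every file whose hash is in the table."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                sha256, md5 = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            context = lookup(sha256) or lookup(md5)
            if context:
                hits.append((path, context))
    return hits


def demo():
    """Scan a throwaway directory holding one constructed benign file (expect no hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"constructed benign content\n")
        return scan_directory(tmp)


if __name__ == "__main__":
    print(f"loaded {len(IOCS)} hashes")
    print("hits:", demo())
```

Pass a real path to scan_directory() for a sweep; a Carbon Black customer would normally push the same hashes to a banned-hash list rather than sweep hosts by hand, but the script is useful for offline triage of collected samples.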
