SUGARDUMP

SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version has been in use since at least early 2021; a second version with SMTP-based C2 was used from late 2021 to early 2022, and a third variant with HTTP-based C2 has been in use since at least April 2022.[1]

ID: S1042
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 21 September 2022
Last Modified: 04 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

SUGARDUMP's scheduled task has been named MicrosoftInternetExplorerCrashRepoeterTaskMachineUA or MicrosoftEdgeCrashRepoeterTaskMachineUA, depending on the Windows OS version.[1]

.005 Masquerading: Match Legitimate Name or Location

SUGARDUMP has been named CrashReporter.exe to appear as a legitimate Mozilla executable.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

A SUGARDUMP variant has used HTTP for C2.[1]

.003 Application Layer Protocol: Mail Protocols

A SUGARDUMP variant used SMTP for C2.[1]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

SUGARDUMP has encrypted collected data using AES CBC mode and encoded it using Base64.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

SUGARDUMP has stored collected data under %<malware_execution_folder>%\CrashLog.txt.[1]

Enterprise T1083 File and Directory Discovery

SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string Profile in their name.[1]

Enterprise T1217 Browser Information Discovery

SUGARDUMP has collected browser bookmark and history information.[1]
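The three entries above (T1555.003, T1083, T1217) describe one file-access pattern: a process that is not a browser reading browser credential stores, history and bookmarks out of per-user profile folders. The detection logic below is an added example, not code from the page or from the Mandiant report it cites; the input records are constructed (process name, file path) pairs standing in for Windows object-access telemetry such as event 4663, and the artifact filenames, profile-path markers and browser process allowlist are assumptions of the example. The generalization beyond the page is that a single process touching stores of several browsers is treated as a stronger signal.

```python
"""Flag non-browser processes reading browser credential and history files.

Added example for T1555.003 / T1083 / T1217. Input records are constructed
(process, path) pairs; they are not telemetry from the UNC3890 incident.
The artifact names, path markers and process allowlist are assumptions.
"""
import ntpath
from dataclasses import dataclass

# Files holding saved logins/autofill (T1555.003) vs. history and bookmarks (T1217).
# Chromium browsers (Chrome, Edge, Opera) and Firefox use different names.
CREDENTIAL_FILES = {"login data", "web data", "logins.json", "key4.db", "key3.db"}
BROWSER_INFO_FILES = {"history", "bookmarks", "places.sqlite"}

# Lower-cased path fragments identifying which browser a profile belongs to.
BROWSER_MARKERS = {
    "chrome":  "\\google\\chrome\\user data\\",
    "edge":    "\\microsoft\\edge\\user data\\",
    "opera":   "\\opera software\\",
    "firefox": "\\mozilla\\firefox\\profiles\\",
}

# The browsers themselves legitimately read their own stores.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "opera.exe", "firefox.exe"}


@dataclass(frozen=True)
class Finding:
    process: str
    browser: str
    artifact: str
    technique: str


def classify_path(path):
    """Return (browser, technique) if the path is a browser artifact, else None."""
    low = path.lower()
    browser = next((b for b, marker in BROWSER_MARKERS.items() if marker in low), None)
    if browser is None:
        return None
    name = ntpath.basename(low)
    if name in CREDENTIAL_FILES:
        return browser, "T1555.003"
    if name in BROWSER_INFO_FILES:
        return browser, "T1217"
    return None


def analyze(events):
    """One Finding per access to a browser artifact by a non-browser process."""
    findings = []
    for process, path in events:
        if process.lower() in BROWSER_PROCESSES:
            continue
        hit = classify_path(path)
        if hit:
            browser, technique = hit
            findings.append(Finding(process, browser, ntpath.basename(path), technique))
    return findings


def multi_browser_processes(findings, minimum=2):
    """Processes that touched stores of at least `minimum` distinct browsers."""
    seen = {}
    for f in findings:
        seen.setdefault(f.process, set()).add(f.browser)
    return {p for p, browsers in seen.items() if len(browsers) >= minimum}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ("chrome.exe",        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("CrashReporter.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("CrashReporter.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Bookmarks"),
    ("CrashReporter.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"),
    ("CrashReporter.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key4.db"),
    ("firefox.exe",       r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\places.sqlite"),
    ("CrashReporter.exe", r"C:\Users\alice\AppData\Roaming\Opera Software\Opera Stable\History"),
    ("CrashReporter.exe", r"C:\Users\alice\AppData\Roaming\CrashLog.txt"),
    ("msedge.exe",        r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Web Data"),
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.technique} {f.process} -> {f.browser}: {f.artifact}")
    print("multi-browser harvesters:", multi_browser_processes(found))
```

Access auditing (a SACL on the profile directories, or an EDR file-read sensor) is needed before such records exist; Sysmon alone does not log file reads.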

Enterprise T1204 .002 User Execution: Malicious File

Some SUGARDUMP variants required a user to enable a macro within a malicious .xls file for execution.[1]

Enterprise T1518 Software Discovery

SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host.[1]

Enterprise T1041 Exfiltration Over C2 Channel

SUGARDUMP has sent stolen credentials and other data to its C2 server.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

SUGARDUMP has created scheduled tasks called MicrosoftInternetExplorerCrashRepoeterTaskMachineUA and MicrosoftEdgeCrashRepoeterTaskMachineUA, which were configured to execute CrashReporter.exe during user logon.[1]
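The persistence described under T1036.004, T1036.005 and T1053.005 leaves a scheduled-task definition whose name imitates a Microsoft task, whose action is a binary named after a Mozilla component, and which fires at logon. The scorer below is an added example, not code from the page or from the cited report: it parses task XML of the form recorded in Windows Security event 4698 (TaskContent) or exported by `schtasks /query /xml`. The task definitions and executable paths are constructed; the trusted-directory prefixes and the vendor-binary table are assumptions of the example.

```python
"""Score scheduled-task XML for the masquerade pattern on this page.

Added example for T1036.004 / T1036.005 / T1053.005. The task definitions
below are constructed, not recovered from a UNC3890 host; TRUSTED_DIRS and
VENDOR_BINARIES are assumptions of this example.
"""
import ntpath
import xml.etree.ElementTree as ET

# Directories where vendor-shipped binaries are expected (lower-cased prefixes).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Executable names that imitate a known vendor binary, mapped to the
# install-path fragment the genuine copy is expected under (assumed, abbreviated).
VENDOR_BINARIES = {
    "crashreporter.exe": "\\mozilla firefox\\",
}


def parse_task(xml_text):
    """Return (commands, has_logon_trigger) from a task-definition XML."""
    root = ET.fromstring(xml_text)
    # {*} matches any namespace, so the Task Scheduler namespace need not be hardcoded.
    commands = [c.text.strip().strip('"') for c in root.findall(".//{*}Command") if c.text]
    has_logon = root.find(".//{*}LogonTrigger") is not None
    return commands, has_logon


def score_task(name, xml_text):
    """Return a list of (technique, reason) tuples for one scheduled task."""
    commands, has_logon = parse_task(xml_text)
    reasons = []
    for cmd in commands:
        low = cmd.lower()
        # Vendor-looking task name, but the action runs from a user-writable location.
        if name.lower().startswith("microsoft") and not low.startswith(TRUSTED_DIRS):
            reasons.append(("T1036.004", f"Microsoft-style task name runs {cmd}"))
        # Binary named after a vendor component but not in that vendor's directory.
        expected = VENDOR_BINARIES.get(ntpath.basename(low))
        if expected and expected not in low:
            reasons.append(("T1036.005", f"{ntpath.basename(cmd)} outside its vendor directory"))
    # A logon trigger is only interesting once the task already looks wrong.
    if reasons and has_logon:
        reasons.append(("T1053.005", "executes at user logon"))
    return reasons


def scan(tasks):
    """Map task name -> reasons, keeping only tasks that scored."""
    return {n: r for n, r in ((n, score_task(n, x)) for n, x in tasks.items()) if r}


# Constructed task definitions (not real exports).
_MALICIOUS_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\CrashReporter.exe</Command></Exec></Actions>
</Task>"""

_LEGIT_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"</Command></Exec></Actions>
</Task>"""

SAMPLE_TASKS = {
    "MicrosoftEdgeCrashRepoeterTaskMachineUA": _MALICIOUS_XML,
    "MicrosoftInternetExplorerCrashRepoeterTaskMachineUA": _MALICIOUS_XML,
    "MicrosoftEdgeUpdateTaskMachineUA": _LEGIT_XML,
}

if __name__ == "__main__":
    for task_name, reasons in scan(SAMPLE_TASKS).items():
        print(task_name)
        for technique, reason in reasons:
            print(f"  {technique}: {reason}")
```

On a live host the same XML is available from `schtasks /query /xml /tn <name>` or, historically, from event 4698 once "Audit Other Object Access Events" is enabled; the example deliberately does not trust the task name alone, since the misspelled names on this page are only one variant's choice.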

Campaigns

ID Name Description
C0010 C0010 [1]

References