SUGARUSH

SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. SUGARUSH was first identified during analysis of UNC3890's C0010 campaign targeting Israeli companies, which began in late 2020.[1]

ID: S1049
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 04 October 2022
Last Modified: 04 October 2022

Techniques Used

Domain ID Name Use

Enterprise T1543 .003 Create or Modify System Process: Windows Service

SUGARUSH has created a service named Service1 for persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

SUGARUSH has used cmd for execution on an infected host.[1]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.[1]

Enterprise T1095 Non-Application Layer Protocol

SUGARUSH has used TCP for C2.[1]

Enterprise T1571 Non-Standard Port

SUGARUSH has used port 4585 for a TCP connection to its C2.[1]
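The two observables above that are cheapest to hunt for are the persistence service name (Service1, System event 7045) and the outbound TCP connection to port 4585 (Sysmon event 3). The following detector is an added example, not code from the ATT&CK page or from the original report; it runs over constructed sample records (the hostnames, binary paths and TEST-NET IP addresses are invented) and correlates the two indicators per host, because a lone hit on port 4585 can be coincidental while the pair together is a much stronger SUGARUSH signal. The field names are simplified dict keys, not a particular SIEM schema.

```python
"""Detect the SUGARUSH indicators listed on this page in Windows log records.

Added example; not part of the ATT&CK entry. Records are plain dicts with
simplified field names (a real deployment would map Sysmon/System-log fields
to them). Indicators come from the page: service name "Service1" (T1543.003)
and an outbound TCP connection to port 4585 (T1571 / T1095).
"""
from dataclasses import dataclass
from typing import Iterable, Optional

SUGARUSH_SERVICE_NAME = "Service1"   # persistence service name from the ATT&CK entry
SUGARUSH_C2_PORT = 4585              # TCP port used to reach the hard-coded C2


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str
    reason: str


def check_service_install(rec: dict) -> Optional[Alert]:
    """System event 7045 ('A service was installed in the system') whose
    service name matches. Comparison is case-insensitive because the SCM
    treats service names case-insensitively."""
    if rec.get("channel") != "System" or rec.get("event_id") != 7045:
        return None
    if rec.get("service_name", "").lower() != SUGARUSH_SERVICE_NAME.lower():
        return None
    return Alert(rec["host"], "T1543.003",
                 f"service {rec['service_name']!r} installed, binary {rec.get('image_path')!r}")


def check_c2_connection(rec: dict) -> Optional[Alert]:
    """Sysmon event 3 (network connection) for an *outbound* TCP connection to
    the C2 port. Inbound connections on 4585 are ignored: SUGARUSH is a
    reverse shell, so the infected host is the one initiating."""
    if rec.get("channel") != "Sysmon" or rec.get("event_id") != 3:
        return None
    if rec.get("protocol", "").lower() != "tcp" or not rec.get("initiated"):
        return None
    if int(rec.get("dst_port", 0)) != SUGARUSH_C2_PORT:
        return None
    return Alert(rec["host"], "T1571",
                 f"outbound TCP to {rec.get('dst_ip')}:{rec['dst_port']} by {rec.get('image')!r}")


CHECKS = (check_service_install, check_c2_connection)


def scan(records: Iterable[dict]) -> list[Alert]:
    """Run every check over every record and collect the hits."""
    alerts = []
    for rec in records:
        for check in CHECKS:
            hit = check(rec)
            if hit is not None:
                alerts.append(hit)
    return alerts


def hosts_with_both(alerts: Iterable[Alert]) -> set[str]:
    """Hosts that show both the persistence and the C2 indicator."""
    seen: dict[str, set[str]] = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.technique)
    return {h for h, techniques in seen.items() if {"T1543.003", "T1571"} <= techniques}


# Constructed sample records (not real telemetry). Hostnames, paths and
# addresses are invented; 203.0.113.0/24 and 198.51.100.0/24 are TEST-NET ranges.
SAMPLE_RECORDS = [
    {"host": "WS-01", "channel": "System", "event_id": 7045,
     "service_name": "Service1", "image_path": "C:\\Users\\Public\\svc.exe"},
    {"host": "WS-01", "channel": "Sysmon", "event_id": 3, "protocol": "tcp",
     "initiated": True, "image": "C:\\Users\\Public\\svc.exe",
     "dst_ip": "203.0.113.10", "dst_port": 4585},
    # benign: ordinary HTTPS from a browser on the same host
    {"host": "WS-01", "channel": "Sysmon", "event_id": 3, "protocol": "tcp",
     "initiated": True, "image": "C:\\Program Files\\Browser\\browser.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    # benign: a differently named service install on another host
    {"host": "WS-02", "channel": "System", "event_id": 7045,
     "service_name": "BackupAgent", "image_path": "C:\\Program Files\\Backup\\agent.exe"},
    # inbound connection on 4585 (not initiated by the host): not the reverse-shell pattern
    {"host": "WS-02", "channel": "Sysmon", "event_id": 3, "protocol": "tcp",
     "initiated": False, "image": "C:\\Windows\\System32\\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 4585},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_RECORDS)
    for a in hits:
        print(f"{a.host}: {a.technique} - {a.reason}")
    print("hosts with both indicators:", hosts_with_both(hits))
```

Only the two WS-01 records fire; the HTTPS connection, the BackupAgent install and the inbound 4585 connection on WS-02 are all ignored. Note that the port alone is weak evidence (any process can use 4585), and the service name is trivially changed by the operator, so treat these as starting points for a hunt rather than a complete SUGARUSH signature.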

Campaigns

ID Name Description
C0010 C0010 [1]

References