Between bouts of ‘sugar rush’ and ‘sugar dump’ TTPs, the threat group has been focused on attacking global and Israeli entities

A threat group tracked as UNC3890 has been targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential ‘watering hole’. The espionage and intelligence-collection activity points to a state-sponsored agenda linked to Iran, especially given the ongoing naval conflict between the two countries.

Researchers from Mandiant have found that UNC3890 is attempting to deliver two pieces of malware: a backdoor dubbed SUGARUSH and a browser credential stealer dubbed SUGARDUMP, which exfiltrates stolen data via the Gmail, Yahoo and Yandex email services.
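The exfiltration path described above (stolen browser credentials sent out through consumer webmail SMTP submission endpoints) is something a defender can hunt for in endpoint network telemetry: an SMTP submission to Gmail, Yahoo or Yandex from a process that is not a sanctioned mail client is unusual on a managed workstation. The script below is an added example written for this article; it is not Mandiant's tooling, not SUGARDUMP code, and makes no claim about how the malware itself speaks SMTP. The log-line format, the host and process names in the sample events, and the allowlist of mail clients are constructed assumptions; the provider SMTP hostnames and ports are the providers' documented submission endpoints.

```python
"""Hunt for SMTP submissions to consumer webmail providers from non-mail-client
processes. Added example for this article (not Mandiant's or SUGARDUMP code).
Log format, sample events and the allowlist are constructed assumptions."""
from collections import defaultdict
import re

# Documented SMTP submission endpoints (STARTTLS 587 / implicit TLS 465) of the
# three providers the report names as SUGARDUMP exfiltration channels.
WEBMAIL_SMTP = {
    ("smtp.gmail.com", 587), ("smtp.gmail.com", 465),
    ("smtp.mail.yahoo.com", 587), ("smtp.mail.yahoo.com", 465),
    ("smtp.yandex.com", 587), ("smtp.yandex.com", 465),
    ("smtp.yandex.ru", 587), ("smtp.yandex.ru", 465),
}

# Assumption: the only processes this (hypothetical) organisation permits to
# speak SMTP directly. Compared case-insensitively.
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Assumption: endpoint network events flattened to key=value pairs, e.g. from a
# Sysmon/EDR network-connection feed joined with byte counts.
LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+"
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+)\s+bytes_out=(?P<bytes>\d+)"
)


def parse(line):
    """Parse one telemetry line into a dict, or return None if it is malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["bytes"] = int(ev["bytes"])
    ev["proc"] = ev["proc"].lower()
    return ev


def find_suspicious_smtp(lines, min_bytes=0):
    """Return (host, proc, dst, port, total_bytes_out) tuples, largest first,
    for every non-allowlisted process that submitted mail to a consumer
    provider. Bytes are summed per host/process/destination so that a stealer
    trickling several small messages still surfaces as one finding."""
    totals = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                                   # skip malformed lines
        if (ev["dst"], ev["port"]) not in WEBMAIL_SMTP:
            continue                                   # not a webmail SMTP endpoint
        if ev["proc"] in ALLOWED_MAIL_CLIENTS:
            continue                                   # sanctioned mail client
        totals[(ev["host"], ev["proc"], ev["dst"], ev["port"])] += ev["bytes"]
    rows = [key + (total,) for key, total in totals.items() if total >= min_bytes]
    return sorted(rows, key=lambda r: -r[-1])


# Constructed sample telemetry (not real data). Only the lines from
# unknown_helper.exe and python.exe should be flagged.
SAMPLE_LOG = [
    "host=WS-017 proc=Outlook.exe dst=smtp.gmail.com:587 bytes_out=3100",        # allowlisted client
    "host=WS-017 proc=chrome.exe dst=mail.google.com:443 bytes_out=51000",       # webmail over HTTPS, not SMTP
    "host=WS-017 proc=unknown_helper.exe dst=smtp.gmail.com:587 bytes_out=20000",
    "host=WS-017 proc=unknown_helper.exe dst=smtp.gmail.com:587 bytes_out=28213",
    "host=WS-042 proc=python.exe dst=smtp.yandex.com:465 bytes_out=1200",
    "host=WS-042 proc=svchost.exe dst=10.0.0.5:25 bytes_out=900",                # internal relay, not in the set
    "this line is garbage and must be ignored",
]

if __name__ == "__main__":
    for host, proc, dst, port, total in find_suspicious_smtp(SAMPLE_LOG):
        print(f"{host}: {proc} -> {dst}:{port}  {total} bytes out")
```

The process allowlist is a hunting heuristic, not a control: a stealer that injects into outlook.exe or renames its binary will pass it, so treat hits as leads to pivot on (parent process, signer, file prevalence) rather than as the only signal. Blocking direct SMTP submission to consumer providers at the egress point, and forcing mail through the corporate relay, removes the channel outright and is the stronger fix.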

The data collected by the malware is suspected to be leveraged to support various activities, from “hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years,” according to the firm. Other leads and clues about the group include:

    • Tactics, techniques and procedures (TTPs) not previously seen deployed by Iranian threat groups, but involving the use of Farsi words such as “KHODA” (the Farsi word for God) and “yaal” (the Farsi word for a horse’s mane)
    • The use of “an inter-connected network of Command-and-Control servers that host domains and fake login pages that spoof legitimate services such as Office 365, social networks such as LinkedIn and Facebook, as well as web pages offering fake jobs and commercials for AI-based robotic dolls”
    • One UNC3890 server that hosted several ZIP files containing scraped contents of Facebook and Instagram accounts of legitimate individuals targeted by the threat group or possibly used “as lures in a social engineering effort”
    • The group has been active since at least late 2020, its campaign is still ongoing as of mid-2022, and it has a strong focus on shipping amid the ongoing naval conflict between the two countries. However, while the campaign is focused on Israel (based on the data currently available), targeted entities have included global companies

According to the firm’s Vice President of Threat Intelligence John Hultquist: “The shipping industry and the global supply chain are particularly vulnerable to disruption, especially in places where a state of low-level conflict already exists. This is a reminder that global companies (especially those that operate in that region) face global threats.”

A screenshot taken from the social engineering video played when the SUGARDUMP malware executes