Security researchers have been tracking UNC3890, a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations through social engineering lures and a potential watering hole. UNC3890 uses at least two unique tools: SUGARUSH, a backdoor, and SUGARDUMP, a browser credential stealer that exfiltrates the stolen data through Gmail, Yahoo and Yandex email services.
INDUSTRIES: Aviation, Healthcare, Energy, Government, Shipping
TARGETED COUNTRY: Israel
MALWARE FAMILIES: SUGARUSH, SUGARDUMP
ATT&CK IDS: T1189 - Drive-by Compromise, T1036 - Masquerading, T1055 - Process Injection, T1041 - Exfiltration Over C2 Channel, T1053 - Scheduled Task/Job, T1056 - Input Capture, T1059 - Command and Scripting Interpreter, T1071 - Application Layer Protocol, T1078 - Valid Accounts, T1102 - Web Service, T1105 - Ingress Tool Transfer, T1199 - Trusted Relationship, T1204 - User Execution, T1219 - Remote Access Software, T1543 - Create or Modify System Process, T1555 - Credentials from Password Stores, T1566 - Phishing, T1567 - Exfiltration Over Web Service, T1569 - System Services, T1572 - Protocol Tunneling, T1587 - Develop Capabilities, T1588 - Obtain Capabilities
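A hunt for the exfiltration channel described above (T1567, webmail used as the outbound path for stolen browser credentials), as an added example that is not from the original report and not the malware's own code: it scans Sysmon Event ID 3 network-connection records for processes other than expected mail clients connecting to Gmail, Yahoo or Yandex SMTP submission endpoints. The SMTP hostnames, the mail-client allowlist, the user-writable path heuristic and the sample records are all assumptions constructed for the example, not UNC3890 indicators.

```python
"""Hunt for stolen-credential exfiltration over webmail SMTP (T1567 / T1555).

Added example. The JSON-lines records below are constructed Sysmon Event ID 3
(network connection) events, not real telemetry; hostnames and process names
are assumptions chosen to show the detection logic.
"""
import json
from typing import Dict, Iterable, List

# Assumed SMTP submission endpoints of the three services SUGARDUMP is reported
# to use. Real deployments should build this from their own DNS/proxy data.
WEBMAIL_SMTP_SUFFIXES = (
    "smtp.gmail.com",
    "smtp.mail.yahoo.com",
    "smtp.yandex.com",
    "smtp.yandex.ru",
)
SMTP_PORTS = {25, 465, 587}

# Assumed allowlist: images that legitimately speak SMTP from a workstation.
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Assumed heuristic: binaries living in user-writable locations get a higher
# severity, because stagers dropped by a lure usually land there.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample events (raw string so the JSON keeps its escaped backslashes).
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587, "User": "CORP\\alice"}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "DestinationHostname": "smtp.yandex.com", "DestinationPort": 465, "User": "CORP\\alice"}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "mail.google.com", "DestinationPort": 443, "User": "CORP\\alice"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "smtp.mail.yahoo.com", "DestinationPort": 587, "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe"}
"""


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_webmail_smtp(event: Dict) -> bool:
    """True when the connection targets a listed webmail SMTP host on an SMTP port."""
    host = (event.get("DestinationHostname") or "").lower()
    port = int(event.get("DestinationPort", 0))
    return port in SMTP_PORTS and any(
        host == s or host.endswith("." + s) for s in WEBMAIL_SMTP_SUFFIXES
    )


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Flag non-mail-client processes that open SMTP sessions to webmail providers."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 3 or not is_webmail_smtp(ev):
            continue
        image_path = ev.get("Image", "")
        img = image_name(image_path)
        if img in EXPECTED_MAIL_CLIENTS:
            continue  # expected SMTP speaker; not interesting on its own
        user_writable = any(m in image_path.lower() for m in USER_WRITABLE_MARKERS)
        alerts.append({
            "image": img,
            "image_path": image_path,
            "user": ev.get("User", ""),
            "destination": f"{ev.get('DestinationHostname', '').lower()}:{ev.get('DestinationPort')}",
            # High: dropped-looking binary; medium: system/LOLBin image (masquerading
            # or injection, T1036/T1055, is the usual explanation and needs triage).
            "severity": "high" if user_writable else "medium",
            "technique": "T1567 exfiltration over web service (SMTP to webmail)",
        })
    return alerts


def hunt_jsonl(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines records (blank lines ignored) and run the hunt over them."""
    return hunt(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for alert in hunt_jsonl(SAMPLE_EVENTS.splitlines()):
        print(f"[{alert['severity']}] {alert['user']} {alert['image_path']} -> {alert['destination']}")
```

On the constructed sample the Outlook session to Gmail and the Chrome HTTPS session to mail.google.com are ignored, while the Temp-dropped update.exe (high) and the svchost.exe image talking SMTP to Yahoo (medium) are raised for triage. Hostname matching needs the Sysmon DnsLookup option or a proxy log that records the destination name; with raw IPs only, resolve the provider ranges separately rather than widening the port match.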