SYMBOL | COMMON_NAME | aka. SYNONYMS |
A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.
There are currently no families associated with this actor.
2023-03-24
⋅
Kaspersky Labs
⋅
APT attacks on industrial organizations in H2 2022 Earth Longzhi Storm-0530 UNC3890 |
2022-08-17
⋅
Mandiant
⋅
Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors NorthStar SUGARDUMP SUGARRUSH UNC3890 |