
SUGARDUMP

SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021 to early 2022, and a third HTTP C2 variant was used since at least April 2022.[1]

ID: S1042
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 21 September 2022
Last Modified: 16 April 2025

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | A SUGARDUMP variant has used HTTP for C2.[1] |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | A SUGARDUMP variant used SMTP for C2.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | SUGARDUMP has encrypted collected data using AES CBC mode and encoded it using Base64.[1] |
| Enterprise | T1217 | Browser Information Discovery | SUGARDUMP has collected browser bookmark and history information.[1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | SUGARDUMP has stored collected data under %<malware_execution_folder>%\CrashLog.txt.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SUGARDUMP has sent stolen credentials and other data to its C2 server.[1] |
| Enterprise | T1083 | File and Directory Discovery | SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string "Profile" in their name.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | SUGARDUMP's scheduled task has been named MicrosoftInternetExplorerCrashRepoeterTaskMachineUA or MicrosoftEdgeCrashRepoeterTaskMachineUA, depending on the Windows OS version.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | SUGARDUMP has been named CrashReporter.exe to appear as a legitimate Mozilla executable.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | SUGARDUMP has created scheduled tasks called MicrosoftInternetExplorerCrashRepoeterTaskMachineUA and MicrosoftEdgeCrashRepoeterTaskMachineUA, which were configured to execute CrashReporter.exe during user logon.[1] |
| Enterprise | T1518 | Software Discovery | SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Some SUGARDUMP variants required a user to enable a macro within a malicious .xls file for execution.[1] |

Campaigns

| ID | Name | Description |
| --- | --- | --- |
| C0010 | C0010 | [1] |

References
