S1042 SUGARDUMP
SUGARDUMP is a proprietary browser credential harvesting tool used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was in use from at least early 2021; a second version with SMTP C2 was used from late 2021 to early 2022; and a third variant with HTTP C2 has been in use since at least April 2022.
| Item | Value |
| --- | --- |
| ID | S1042 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.0 |
| Created | 21 September 2022 |
| Last Modified | 04 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | A SUGARDUMP variant has used HTTP for C2. |
| enterprise | T1071.003 | Mail Protocols | A SUGARDUMP variant has used SMTP for C2. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | SUGARDUMP has encrypted collected data with AES in CBC mode and encoded the result using Base64. |
| enterprise | T1217 | Browser Information Discovery | SUGARDUMP has collected browser bookmark and history information. |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | SUGARDUMP has stored collected data under %<malware_execution_folder>%\CrashLog.txt. |
| enterprise | T1041 | Exfiltration Over C2 Channel | SUGARDUMP has sent stolen credentials and other data to its C2 server. |
| enterprise | T1083 | File and Directory Discovery | SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string Profile in their names. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | SUGARDUMP's scheduled task has been named MicrosoftInternetExplorerCrashRepoeterTaskMachineUA or MicrosoftEdgeCrashRepoeterTaskMachineUA (the "Repoeter" misspelling is the malware's own), depending on the Windows OS version. |
| enterprise | T1036.005 | Match Legitimate Name or Location | SUGARDUMP has been named CrashReporter.exe to appear as a legitimate Mozilla executable. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | SUGARDUMP has created scheduled tasks called MicrosoftInternetExplorerCrashRepoeterTaskMachineUA and MicrosoftEdgeCrashRepoeterTaskMachineUA, which were configured to execute CrashReporter.exe at user logon. |
| enterprise | T1518 | Software Discovery | SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Some SUGARDUMP variants required a user to enable a macro within a malicious .xls file for execution. |
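The persistence rows above (T1053.005, T1036.004, T1036.005, T1074.001) give a hunter three concrete things to look for in a scheduled-task inventory: the two misspelled task names, a CrashReporter.exe launched from somewhere other than the Firefox install directory, and a logon trigger, with a CrashLog.txt staging file expected next to the binary. The script below is an added example and is not part of the ATT&CK entry or of any UNC3890 tooling. It parses the CSV that `schtasks /query /v /fo CSV` emits; the column names it reads ("TaskName", "Task To Run", "Schedule Type") and the sample rows are assumptions constructed for the example, as is the rule that the only legitimate home for a Mozilla crash reporter is the Firefox program directory.

```python
from __future__ import annotations

import csv
import io
import ntpath

# Task names the ATT&CK entry attributes to SUGARDUMP (the "Repoeter" misspelling is theirs).
SUGARDUMP_TASK_NAMES = {
    "MicrosoftInternetExplorerCrashRepoeterTaskMachineUA",
    "MicrosoftEdgeCrashRepoeterTaskMachineUA",
}

# Assumption for this example: the genuine Firefox crash reporter lives in the
# Firefox install directory; a CrashReporter.exe anywhere else deserves a look.
LEGIT_CRASHREPORTER_DIRS = (
    r"c:\program files\mozilla firefox",
    r"c:\program files (x86)\mozilla firefox",
)

# Constructed sample of `schtasks /query /v /fo CSV` output (columns trimmed):
# one legitimate Mozilla task, one legitimate Edge updater, one SUGARDUMP-style task.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Run As User"
"WS01","\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB","C:\Program Files\Mozilla Firefox\default-browser-agent.exe do-task 308046B0AF4A39CB","Daily","alice"
"WS01","\MicrosoftEdgeUpdateTaskMachineUA","C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua /installsource scheduler","Hourly","SYSTEM"
"WS01","\MicrosoftEdgeCrashRepoeterTaskMachineUA","C:\Users\alice\AppData\Local\Temp\CrashReporter.exe","At logon time","alice"
'''


def _leaf(task_path: str) -> str:
    """schtasks prints names as \\Folder\\Name; compare on the leaf only."""
    return task_path.rstrip("\\").rsplit("\\", 1)[-1]


def _exe_path(task_to_run: str) -> str:
    """Heuristic: strip arguments from the 'Task To Run' column to get the executable."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    idx = s.lower().find(".exe")
    return s[: idx + 4] if idx >= 0 else s.split(" ", 1)[0]


def hunt_scheduled_tasks(csv_text: str) -> list[dict]:
    """Return one finding per task that matches a SUGARDUMP persistence indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name = _leaf(row.get("TaskName", ""))
        exe = _exe_path(row.get("Task To Run", ""))
        exe_dir = ntpath.dirname(exe)
        reasons = []

        # T1053.005 / T1036.004: exact known names first, then the tell-tale misspelling.
        if name in SUGARDUMP_TASK_NAMES:
            reasons.append("task name matches a known SUGARDUMP task")
        elif "crashrepoeter" in name.lower():
            reasons.append("task name carries the 'CrashRepoeter' misspelling")

        # T1036.005: CrashReporter.exe outside the Firefox install directory.
        if ntpath.basename(exe).lower() == "crashreporter.exe" and not any(
            exe_dir.lower().startswith(d) for d in LEGIT_CRASHREPORTER_DIRS
        ):
            reasons.append(f"CrashReporter.exe launched from {exe_dir}")

        if reasons:
            if row.get("Schedule Type", "").lower().startswith("at logon"):
                reasons.append("runs at user logon")
            findings.append({
                "task": row.get("TaskName"),
                "run": exe,
                "reasons": reasons,
                # T1074.001: where the staged data would sit if this is SUGARDUMP.
                "staging_hint": ntpath.join(exe_dir, "CrashLog.txt"),
            })
    return findings


if __name__ == "__main__":
    for f in hunt_scheduled_tasks(SAMPLE_SCHTASKS_CSV):
        print(f["task"], "->", f["run"])
        for r in f["reasons"]:
            print("   ", r)
        print("    check for staged data at", f["staging_hint"])
```

On a live host, replace the constructed sample with the output of `schtasks /query /v /fo CSV` and follow up each `staging_hint` with a file check; the name and path rules are deliberately narrow, so widen them (for example to any task whose binary sits under a user-writable directory) once the known indicators are covered.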