"'Operation Sugarush' Mounts Concerning Spy Effort on Shipping, Healthcare Industries"

A Persian-speaking threat group has been targeting healthcare, energy, and other industries, with an emphasis on the shipping industry. According to a Mandiant report, which identifies the group as UNC3890, the campaign conceals its activity by using email-borne social engineering lures and a watering hole hosted on the login page of a legitimate Israeli shipping company. While it primarily targets Israeli victims, it also targets multinational corporations, implying that the threat could have a global impact.

Credential theft could allow a threat actor to gain initial access to a targeted organization for espionage purposes. For example, the credentials could enable the actor to connect to a victim's Office 365 mailbox and steal all of the victim's email correspondence, giving the actor valuable information about the victim and their organization's activity. The command-and-control (C2) servers were observed communicating with multiple targets, as well as a watering hole that is believed to be targeting the Israeli shipping sector, specifically entities that handle and ship sensitive components. The group, which runs an interconnected network of C2 servers, spoofs legitimate services such as Office 365 and social networks like LinkedIn and Facebook. Its phishing lures include fake job offers and commercials for Artificial Intelligence (AI)-powered robotic dolls.

Once a victim has been compromised, the group distributes two proprietary pieces of malware called Sugarush and Sugardump. Sugarush is a backdoor that establishes a reverse shell over TCP to a hardcoded C2 address. Sugardump is used to harvest credentials from Chrome, Opera, and Edge Chromium browsers, and to exfiltrate the stolen data through Gmail, Yahoo, and Yandex email services. UNC3890 also employs Unicorn for PowerShell-type attacks, the Metasploit framework, and NorthStar C2, a publicly available open-source C2 framework designed for penetration testing and red teaming.

This article continues to discuss the tools, targets, and tactics of UNC3890.
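The Sugardump behaviour summarized above (read the Chromium-family password databases, then send the data out through a public webmail provider) is a two-step pattern that endpoint telemetry can correlate. The following is an added detection example, not code from the Dark Reading article or the Mandiant report: the event schema, the process names, the timestamps and the SMTP hostnames (`smtp.gmail.com`, `smtp.mail.yahoo.com`, `smtp.yandex.com`) are constructed assumptions for illustration, and the window length is a tuning choice. It flags a non-browser process that reads a browser credential store and, within a short window, opens a mail-submission connection to one of the three providers the report names.

```python
"""Correlate browser-credential-store reads with outbound webmail SMTP
connections (the harvest-then-exfiltrate pattern attributed to Sugardump).
Added example: event format, sample events and hostnames are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Chromium-family password databases for the three browsers the report names.
CRED_STORE_SUFFIXES = (
    r"\Google\Chrome\User Data\Default\Login Data",
    r"\Opera Software\Opera Stable\Login Data",
    r"\Microsoft\Edge\User Data\Default\Login Data",
)
# The browsers themselves legitimately open these files.
BROWSER_IMAGES = {"chrome.exe", "opera.exe", "msedge.exe"}
# Mail-submission hosts for Gmail, Yahoo and Yandex (assumed; use observed values).
WEBMAIL_SMTP_HOSTS = {"smtp.gmail.com", "smtp.mail.yahoo.com", "smtp.yandex.com"}
SMTP_PORTS = {25, 465, 587}


def is_cred_store_read(ev):
    return ev["type"] == "file_read" and ev["path"].endswith(CRED_STORE_SUFFIXES)


def is_webmail_smtp_connect(ev):
    return (ev["type"] == "net_connect"
            and ev["dst_host"] in WEBMAIL_SMTP_HOSTS
            and ev["dst_port"] in SMTP_PORTS)


def correlate(events, window=timedelta(minutes=15)):
    """Return one alert per (host, pid) where a non-browser process read a
    credential store and then, within `window`, connected to a webmail SMTP
    host. Either event alone is noisy; the sequence is the signal."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_proc[(ev["host"], ev["pid"])].append(ev)

    alerts = []
    for (host, pid), evs in by_proc.items():
        image = evs[0]["image"]
        if image.rsplit("\\", 1)[-1].lower() in BROWSER_IMAGES:
            continue  # a browser reading its own password database is expected
        for r in (e for e in evs if is_cred_store_read(e)):
            later = [e for e in evs
                     if is_webmail_smtp_connect(e)
                     and r["ts"] <= e["ts"] <= r["ts"] + window]
            if later:
                alerts.append({"host": host, "pid": pid, "image": image,
                               "cred_store": r["path"],
                               "exfil_host": later[0]["dst_host"],
                               "first_read": r["ts"],
                               "first_connect": later[0]["ts"]})
                break  # one alert per process is enough
    return alerts


# Constructed sample telemetry: two benign cases, one positive, one out-of-window.
T0 = datetime(2022, 8, 17, 9, 0, 0)
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\update.exe"  # hypothetical name
SAMPLE_EVENTS = [
    # Chrome opening its own store: not alerted.
    {"ts": T0, "host": "WS-01", "pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Mail client using Gmail SMTP with no credential-store read: not alerted.
    {"ts": T0 + timedelta(minutes=1), "host": "WS-01", "pid": 5300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "type": "net_connect", "dst_host": "smtp.gmail.com", "dst_port": 587},
    # Unknown binary reads Chrome and Edge stores, then connects to Yandex SMTP: alerted.
    {"ts": T0 + timedelta(minutes=2), "host": "WS-01", "pid": 6610, "image": TEMP_EXE,
     "type": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": T0 + timedelta(minutes=2, seconds=5), "host": "WS-01", "pid": 6610, "image": TEMP_EXE,
     "type": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"ts": T0 + timedelta(minutes=3), "host": "WS-01", "pid": 6610, "image": TEMP_EXE,
     "type": "net_connect", "dst_host": "smtp.yandex.com", "dst_port": 587},
    # Same two steps but hours apart, outside the window: not alerted.
    {"ts": T0 + timedelta(minutes=4), "host": "WS-02", "pid": 700, "image": r"C:\tools\backup.exe",
     "type": "file_read",
     "path": r"C:\Users\bob\AppData\Roaming\Opera Software\Opera Stable\Login Data"},
    {"ts": T0 + timedelta(hours=3), "host": "WS-02", "pid": 700, "image": r"C:\tools\backup.exe",
     "type": "net_connect", "dst_host": "smtp.mail.yahoo.com", "dst_port": 465},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The process-name allow-list is deliberately small: a credential stealer that injects into or masquerades as the browser would slip past it, so in production the browser exclusion should be backed by image signature or path checks rather than the file name alone, and the SMTP host list should be replaced with whatever your egress logs actually record for those providers.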

Dark Reading reports "'Operation Sugarush' Mounts Concerning Spy Effort on Shipping, Healthcare Industries"