SUGARDUMP is a proprietary browser credential harvesting tool used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version has been in use since at least early 2021; a second version with SMTP C2 was used from late 2021 to early 2022; and a third variant with HTTP C2 has been in use since at least April 2022.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | SUGARDUMP has encrypted collected data using AES CBC mode and encoded it using Base64. |
| Enterprise | T1217 | Browser Bookmark Discovery | SUGARDUMP has collected browser bookmark and history information. |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge. |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | SUGARDUMP has stored collected data under |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SUGARDUMP has sent stolen credentials and other data to its C2 server. |
| Enterprise | T1083 | File and Directory Discovery | SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | SUGARDUMP's scheduled task has been named |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | SUGARDUMP has been named |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | SUGARDUMP has created scheduled tasks called |
| Enterprise | | | SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host. |
| Enterprise | T1204.002 | User Execution: Malicious File | Some SUGARDUMP variants required a user to enable a macro within a malicious .xls file for execution. |