SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.[1]

ID: S1042
Platforms: Windows
Version: 1.0
Created: 21 September 2022
Last Modified: 04 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

A SUGARDUMP variant has used HTTP for C2.[1]

.003 Application Layer Protocol: Mail Protocols

A SUGARDUMP variant used SMTP for C2.[1]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

SUGARDUMP has encrypted collected data using AES CBC mode and encoded it using Base64.[1]

Enterprise T1217 Browser Information Discovery

SUGARDUMP has collected browser bookmark and history information.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

SUGARDUMP variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

SUGARDUMP has stored collected data under %<malware_execution_folder>%\\CrashLog.txt.[1]

Enterprise T1041 Exfiltration Over C2 Channel

SUGARDUMP has sent stolen credentials and other data to its C2 server.[1]

Enterprise T1083 File and Directory Discovery

SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string Profile in its name.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

SUGARDUMP's scheduled task has been named MicrosoftInternetExplorerCrashRepoeterTaskMachineUA or MicrosoftEdgeCrashRepoeterTaskMachineUA, depending on the Windows OS version.[1]

.005 Masquerading: Match Legitimate Name or Location

SUGARDUMP has been named CrashReporter.exe to appear as a legitimate Mozilla executable.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

SUGARDUMP has created scheduled tasks called MicrosoftInternetExplorerCrashRepoeterTaskMachineUA and MicrosoftEdgeCrashRepoeterTaskMachineUA, which were configured to execute CrashReporter.exe during user logon.[1]

Enterprise T1518 Software Discovery

SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host.[1]

Enterprise T1204 .002 User Execution: Malicious File

Some SUGARDUMP variants required a user to enable a macro within a malicious .xls file for execution.[1]


ID Name Description
C0010 C0010