Sugardump is a sophisticated malware family, first detected in 2022, that has primarily targeted Israel-based organizations in the transportation sector. As a credential harvesting utility, it specializes in collecting saved passwords from Chromium-based browsers such as Chrome, Opera, and Edge. The malware infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Upon gaining initial access, it uses a broad toolset to gain full control over the victim's environment. Several versions of Sugardump have been identified, each iteration more advanced than the last, demonstrating the developers' adaptability and the persistent nature of the threat.
The most recent versions of Sugardump exfiltrate stolen credentials through different means. The HTTP-based version sends the stolen data to a dedicated server over HTTP, while the SMTP-based version uses Gmail, Yahoo, and Yandex email addresses for exfiltration. Notably, the collected data is encoded using base64 and stored under "CrashLog.txt", which is then sent via email from specific addresses. The subject of these emails is typically "VLC Player", effectively disguising the malicious activity.
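The SMTP exfiltration pattern described above (a "VLC Player" subject, a "CrashLog.txt" attachment whose body is base64, sent from a Gmail, Yahoo or Yandex address) is narrow enough to check at a mail gateway. The following is an added detection example written for this page, not Sugardump's own code or any vendor's rule: it scans constructed outbound-mail records, requires the base64-encoded CrashLog.txt indicator plus at least two other indicators before flagging, and decodes a preview so an analyst can confirm what left the network. The `OutboundMail` record layout, the sample addresses and the credential-looking line are all assumptions constructed for the example.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Indicators taken from the description above. This is constructed detection
# logic for illustration, not code from Sugardump or from any real product.
SUBJECT_INDICATOR = "VLC Player"
ATTACHMENT_INDICATOR = "CrashLog.txt"
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "yandex.com"}


@dataclass
class OutboundMail:
    """Minimal view of an outbound message as a mail gateway might log it (assumed layout)."""
    sender: str
    recipient: str
    subject: str
    attachments: dict  # attachment file name -> raw bytes


@dataclass
class Finding:
    index: int
    reasons: list = field(default_factory=list)
    decoded_preview: str = ""


def decode_if_base64(data: bytes):
    """Return the decoded bytes if the whole attachment is valid base64, else None."""
    cleaned = re.sub(rb"\s+", b"", data)
    if len(cleaned) < 16 or len(cleaned) % 4 != 0:
        return None
    if not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", cleaned):
        return None
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        return None


def scan_outbound(mails):
    """Flag messages carrying a base64 CrashLog.txt plus at least two more indicators.

    Requiring the base64 body keeps a genuine VLC crash report (plain text,
    same subject and file name) from being flagged.
    """
    findings = []
    for i, mail in enumerate(mails):
        reasons = []
        preview = ""
        base64_crashlog = False
        if mail.subject.strip().lower() == SUBJECT_INDICATOR.lower():
            reasons.append("subject is 'VLC Player'")
        sender_domain = mail.sender.rsplit("@", 1)[-1].lower()
        if sender_domain in WEBMAIL_DOMAINS:
            reasons.append(f"sender on webmail provider {sender_domain}")
        for name, body in mail.attachments.items():
            if name.lower() != ATTACHMENT_INDICATOR.lower():
                continue
            reasons.append("attachment named CrashLog.txt")
            decoded = decode_if_base64(body)
            if decoded is not None:
                base64_crashlog = True
                reasons.append("attachment body is base64")
                preview = decoded[:60].decode("utf-8", errors="replace")
        if base64_crashlog and len(reasons) >= 3:
            findings.append(Finding(i, reasons, preview))
    return findings


# Constructed sample gateway records; every address and the credential-looking
# line below are made up for this example.
_SAMPLE_CREDS = b"https://intranet.example.test\tjdoe\tmade-up-password\n"
SAMPLE_MAILS = [
    OutboundMail("alice@corp.example.test", "bob@corp.example.test",
                 "Q3 transport schedule", {"schedule.pdf": b"%PDF-1.4 constructed"}),
    OutboundMail("constructed-sender@gmail.com", "constructed-collector@yandex.com",
                 "VLC Player", {"CrashLog.txt": base64.b64encode(_SAMPLE_CREDS)}),
    # A real crash report: same subject and file name, but plain text, so not flagged.
    OutboundMail("carol@corp.example.test", "helpdesk@corp.example.test",
                 "VLC Player", {"CrashLog.txt": b"Exception in module libvlc (constructed)\n"}),
]

if __name__ == "__main__":
    for finding in scan_outbound(SAMPLE_MAILS):
        print(f"message #{finding.index}: {', '.join(finding.reasons)}")
        print(f"  decoded preview: {finding.decoded_preview!r}")
```

In the constructed sample only the second message is flagged, with all four indicators; the third message reproduces the subject and file name of a legitimate VLC crash report and is passed over because its body is not base64. A real deployment would feed this from gateway logs and treat the decoded preview as the evidence to check for harvested browser credentials.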
The use of the word “KHODA” in Sugardump’s encryption key suggests that the developers may be Farsi speakers. In addition to extracting login credentials, newer versions of Sugardump also extract browser-related information like version details, browsing history, bookmarks, and cookies. This comprehensive extraction amplifies the potential damage and risk posed by this malware. Given its continuous evolution and the severity of its impact, organizations are advised to remain vigilant and implement robust cybersecurity measures to counteract this threat.
Description last updated: 2024-05-05T03:32:39.229Z