SUGARDUMP

Malware Profile Updated 3 months ago
Sugardump is a credential-harvesting utility, first detected in 2022, that has primarily targeted transportation-sector organizations based in Israel. It specializes in collecting saved passwords from Chromium-based browsers such as Chrome, Opera, and Edge. The malware reaches systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once it has initial access, the operators use a broad toolset to gain full control over the victim's environment. Several versions of Sugardump have been identified, each more advanced than the last, which shows the developers' adaptability and makes it a persistent threat.

The most recent versions exfiltrate stolen credentials in different ways. The HTTP-based version sends the data to a dedicated server over HTTP, while the SMTP-based version sends it to Gmail, Yahoo, and Yandex mailboxes. In the SMTP variant the collected data is base64-encoded, stored in a file named "CrashLog.txt", and emailed from specific sender addresses; the email subject is typically "VLC Player", which disguises the activity as ordinary crash reporting. The word "KHODA" in Sugardump's encryption key suggests that the developers may be Farsi speakers.

Besides login credentials, newer versions also collect browser-related information such as version details, browsing history, bookmarks, and cookies, which increases the damage the malware can cause. Given its continuous evolution and the severity of its impact, organizations are advised to remain vigilant and implement robust security controls against this threat.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance.

Keywords: Malware, Exploit, Dropper, Outlook, Windows, bugs, Facebook, Mitre, Encryption, Payload, Firefox, Chromium, Phishing, exploitation, Backdoor, Chrome

MITRE ATT&CK techniques: T1587.001, T1199, T1078, T1053.005, T1204.002, T1543.003, T1219, T1588.002, T1566.002, T1569.002, T1204, T1555, T1555.003, T1071, T1572, T1041, T1566, T1059, T1059.003, T1543, T1056, T1056.001, T1056.003, T1105, T1071.001, T1588, T1587, T1053, T1059.001, T1569, T1102, T1102.002, T1567
Associated Malware
SUGARUSH (type: Unspecified, votes: 1)
Sugarush is a malware that serves as a backdoor for cyber attackers. It is designed to establish a connection with an embedded C2 and execute CMD commands. Once the internet connection is successful, Sugarush will establish a new TCP connection to the C2 address via port 4585 and then check for inte

Unc2448 (type: Unspecified, votes: 1)
UNC2448 is a malware strain affiliated with Iran, designed to infiltrate and exploit computer systems. It can infect computers through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can disrupt operations, steal personal information, or hold d
Associated Threat Actors
No associations to display
Associated Vulnerabilities
Sugarush Md5 (type: Unspecified, votes: 1)
No profile description
Source Document References
Information about the SUGARDUMP malware was read from the documents in the corpus below.

CERT-EU (8 months ago): IMPERIAL KITTEN Deploys Novel Malware Families
CrowdStrike (8 months ago): IMPERIAL KITTEN Deploys Novel Malware Families
MITRE (a year ago): Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors