
Iranian Hackers Allegedly Exploiting Israeli Entities


For the past year, Mandiant has been tracking UNC3890, a group that uses social-engineering lures and a suspected watering hole to target Israeli maritime, government, energy, and healthcare organizations.

Given the strong focus on shipping and the ongoing naval conflict between Iran and Israel, Mandiant assesses with low confidence that this actor is linked to Iran. Although the researchers believe the actor is primarily interested in gathering intelligence, such data can support a range of follow-on activity, from hack-and-leak operations to enabling kinetic attacks like those that have recently hit the maritime sector.

According to John Hultquist, vice president of threat intelligence at Mandiant, "the maritime industry or the global supply chain is highly vulnerable to disruption, especially in countries where a state of low-level conflict already exists."

Lure methods

Watering holes and credential harvesting have been UNC3890's primary initial-access methods. For the latter, the group's C2 servers masqueraded as legitimate services, both to collect passwords and to deliver phishing lures.

The servers host fake job offers, bogus advertisements, and fake login pages for services such as Office 365 and social media sites like LinkedIn and Facebook.

Additionally, the researchers discovered a UNC3890 server holding spoofed Facebook and Instagram account data that may have been used in social engineering attempts.

One likely phishing lure was an .xls file posing as a job offer that was designed to install Sugardump, one of two distinct tools the group uses.

Sugardump is a credential harvester that extracts passwords from Chromium-based browsers. The second tool, Sugarush, is a backdoor that connects to an embedded C2 address and runs CMD commands.

Sugarush establishes a reverse shell over TCP; the researchers describe it as "a modest but efficient backdoor." It first checks for internet connectivity. If a connection is available, Sugarush opens a new TCP connection over port 4585 to a hardcoded C&C address and waits for a response, which it treats as a CMD command to execute.

Other tools used by UNC3890 include Metasploit, NorthStar C2, and Unicorn (a tool for performing a PowerShell downgrade attack and injecting shellcode into memory).

Sugardump has been observed in several versions. The earliest, which exists in two variations, dates to early 2021. This initial version only stores the harvested credentials without exfiltrating them; it may be an incomplete build, or a component meant to work alongside other tools that handle exfiltration.

The second version, built in late 2021 or early 2022, uses SMTP for C2 communication, with Yahoo, Yandex, and Gmail accounts as exfiltration endpoints. The researchers tie it to a specific phishing lure: a social engineering video advertising an AI-powered robotic doll.
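As an added example (not code from Mandiant or from this article), the following Python script hunts for the two network behaviours described above in Zeek-style conn.log records: the Sugarush outbound TCP connection to port 4585, and Sugardump's second version sending SMTP directly from an endpoint to the internet. The sample records, the internal address ranges, and the MAIL_RELAYS allowlist are all constructed assumptions; only the port 4585 and the use of SMTP for exfiltration come from the report.

```python
"""Hunt for UNC3890-style network behaviour in Zeek-style conn.log records.

Added illustration, not Mandiant's or the blog's code. Two rules:
  1. Sugarush: outbound TCP from an internal host to port 4585 (embedded C2).
  2. Sugardump v2: SMTP sent straight from an endpoint to an external host,
     rather than through the organization's mail relay.
"""
import csv
import io
import ipaddress

# Constructed sample (tab-separated, simplified conn.log header). Not real
# telemetry; external addresses are RFC 5737 documentation ranges.
SAMPLE_CONN_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1661000000.1\tC1\t10.20.1.15\t51022\t203.0.113.10\t443\ttcp\tssl\t0.9\t517\t4021
1661000001.3\tC2\t10.20.1.15\t51023\t203.0.113.77\t4585\ttcp\t-\t3540.0\t120\t2310
1661000002.0\tC3\t10.20.1.16\t51100\t10.20.0.5\t445\ttcp\tsmb\t12.0\t9000\t1200
1661000003.5\tC4\t10.20.1.16\t51101\t198.51.100.20\t587\ttcp\tsmtp\t4.1\t184320\t900
1661000004.2\tC5\t10.20.0.25\t40000\t198.51.100.9\t25\ttcp\tsmtp\t1.0\t5000\t600
1661000005.0\tC6\t10.20.1.17\t51200\t10.20.0.5\t4585\ttcp\t-\t1.0\t100\t100
1661000006.0\tC7\t10.20.1.18\t51300\t203.0.113.77\t4585\tudp\t-\t1.0\t100\t0
"""

# Assumed environment facts (hypothetical): RFC 1918 space is "internal", and
# 10.20.0.25 is the only host permitted to speak SMTP to the internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_RELAYS = {"10.20.0.25"}

SUGARUSH_PORT = 4585          # TCP port named in the Sugarush description
SMTP_PORTS = {25, 465, 587}   # submission/relay ports to treat as SMTP


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str):
    """Yield conn.log rows as dicts with numeric fields converted."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    for row in reader:
        row["id.orig_p"] = int(row["id.orig_p"])
        row["id.resp_p"] = int(row["id.resp_p"])
        row["orig_bytes"] = int(row["orig_bytes"])
        yield row


def hunt(text: str) -> list[dict]:
    """Return one finding per matching connection, in log order."""
    findings = []
    for r in parse_conn_log(text):
        src, dst, dport = r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]
        # Both behaviours are internal -> external; internal-only traffic on
        # these ports is left to other rules to keep this hunt low-noise.
        if not (is_internal(src) and not is_internal(dst)):
            continue
        if r["proto"] == "tcp" and dport == SUGARUSH_PORT:
            findings.append({"uid": r["uid"], "rule": "sugarush_tcp_4585",
                             "src": src, "dst": dst})
        if (r["service"] == "smtp" or dport in SMTP_PORTS) and src not in MAIL_RELAYS:
            # Bytes sent by the endpoint hint at the size of the exfiltrated data.
            findings.append({"uid": r["uid"], "rule": "direct_smtp_from_endpoint",
                             "src": src, "dst": dst, "bytes_out": r["orig_bytes"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_CONN_LOG):
        print(f)
```

Run against the constructed sample, the hunt flags C2 (the long-lived TCP session to port 4585) and C4 (SMTP from a workstation to an external host, carrying 184 KB outbound); the relay's own SMTP (C5), the internal connection to 4585 (C6) and the UDP record (C7) are ignored. A hardcoded port is a weak indicator that an operator can change per build, and the SMTP rule detects the behaviour class rather than the specific webmail accounts, so hits should be pivoted to host telemetry (the originating process, and any browser credential store access) before being treated as confirmed.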


Cyber Security

Iranian hackers

Mandiant Threat Intelligence