UNC3890: Suspected Iranian Threat Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors

Background

Over the last year Mandiant has been tracking UNC3890, a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole. Mandiant assesses with moderate confidence this actor is linked to Iran, which is notable given the strong focus on shipping and the ongoing naval conflict between Iran and Israel. While we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years.

Mandiant assesses with moderate confidence that UNC3890 conducts espionage and intelligence collection activity to support multiple Iranian interests and operations. Targeting patterns indicate a strong interest in Israeli entities and organizations of various sectors, including government, shipping, energy and healthcare. We observed several limited technical connections to Iran, such as PDB strings and Farsi language artifacts.

This campaign has been active since at least late 2020 and is still ongoing as of mid-2022. Though it is regional in nature, the targeted entities include global companies.

UNC3890 uses at least two unique tools: a backdoor we named SUGARUSH, and a browser credential stealer we named SUGARDUMP, which exfiltrates stolen data via Gmail, Yahoo and Yandex email services. UNC3890 also uses multiple publicly available tools, such as the METASPLOIT framework and NorthStar C2.

In addition, Mandiant discovered UNC3890 operates an inter-connected network of Command-and-Control (C2) servers. The C2 servers host domains and fake login pages spoofing legitimate services such as Office 365, social networks such as LinkedIn and Facebook, as well as fake job offers and fake commercials for AI-based robotic dolls. We observed the C2 servers communicating with multiple targets, as well as with a watering hole that we believe was targeting the Israeli shipping sector, in particular entities that handle and ship sensitive components.

This blog post details the activity of UNC3890, including their proprietary malware, TTPs we have not previously seen deployed by Iran, and the publicly available tools we identified in our investigation. Mandiant continues to track UNC3890 as well as other potentially related clusters of activity by the same threat actor.

Attribution

Mandiant uses the label “UNC” groups – or “uncategorized” groups – to refer to a cluster of intrusion activity that includes observable artifacts, such as adversary infrastructure, tools, and tradecraft, to which we are not yet ready to assign a classification such as TEMP, APT, or FIN (learn more about how Mandiant tracks uncategorized threat actors). Mandiant found no significant connections between UNC3890 and other clusters of activity we currently track, and therefore sees it as a standalone group. However, we identified several connections suggesting the activity is conducted by an Iran-nexus group:

  • Usage of Farsi words, as observed in strings left by the developers in the newest version of SUGARDUMP, for example “KHODA” (the Farsi word for “God”) and “yaal” (the Farsi word for a horse’s mane).
  • Focused targeting of Israeli entities and organizations, or organizations operating in Israel, consistent with other clusters of activity operated by Iranian threat actors, specifically UNC757.
  • Usage of the same PDB path as another Iranian cluster of activity Mandiant tracks as UNC2448 (operated by the Iranian IRGC, according to public sources), publicly referred to in a U.S. government statement from November 17, 2021. Several publications suggested that UNC2448 is linked to APT35/Charming Kitten cluster of activities, which according to several public sources is operated by the Iranian Islamic Revolutionary Guard Corps (IRGC). UNC2448 has been targeting Israeli entities as well, among other countries of interest to Iran.
  • Utilization of NorthStar C2 Framework, a C2 framework preferred by other Iranian actors. However, since it is a publicly available framework used by multiple threat actors, we consider this link circumstantial.

Targeting

In late 2021, Mandiant identified UNC3890 targeting Israeli entities and showing interest in various sectors, including government, shipping, energy, aviation and healthcare. Even though the targeting we observed is focused on Israel, some of the entities targeted by UNC3890, especially in the shipping sector, are global companies. Therefore, the potential impact of the UNC3890 activity described in this blog may extend beyond Israel. The activity is consistent with historical Iranian interest in these targets. Targeting patterns and lures used by UNC3890 indicate an attempt to disguise their activity as legitimate login activity, legitimate services and social network applications, and technology-related visual content.

Malware Observed

Mandiant observed UNC3890 deploy the following malware families.

Malware Family | Description
SUGARUSH | SUGARUSH is a backdoor written to establish a connection with an embedded C2 and to execute CMD commands.
SUGARDUMP | SUGARDUMP is a credential harvesting utility, capable of password collection from Chromium-based browsers.
SUGARDUMP SMTP-based | A more advanced version of SUGARDUMP, exfiltrating the stolen credentials via Gmail, Yahoo and Yandex email addresses. Uses a commercial for robotic dolls as a lure.
SUGARDUMP HTTP-based | The newest version of SUGARDUMP, exfiltrating the stolen credentials to a dedicated server over HTTP. Uses a fake job offer as a lure.
METASPLOIT | METASPLOIT is a penetration testing framework, often abused by malicious threat actors.
UNICORN | UNICORN is a publicly available tool for conducting a PowerShell downgrade attack and injecting shellcode into memory.
NORTHSTAR C2 | NORTHSTAR C2 is an open-source C2 framework developed for penetration testing and red teaming.

Outlook and Implications

UNC3890 has been operating since at least late 2020. Their focused targeting poses a threat to Israel-based organizations and entities, particularly those affiliated with the government, shipping, energy, aviation and healthcare sectors. While we are not aware of targeting outside Israel, it is possible such targeting has occurred, or will occur. UNC3890's use of legitimate or publicly available tools, in addition to their unique exfiltration method using Gmail, Yahoo and Yandex email addresses, may reflect an effort to evade detection and to bypass heuristic or network-based security measures.

UNC3890 Attack Lifecycle

Establish Foothold

While Mandiant primarily identified post-exploitation implants utilized by UNC3890, some findings shed light on their initial access methodologies. Mandiant identified that UNC3890 potentially used the following initial access vectors:

  • Watering holes – Mandiant identified a potential watering hole hosted on the login page of a legitimate Israeli shipping company, which was likely compromised by UNC3890. The watering hole was active at least until November 2021. Upon loading the legitimate login page, the user's browser would send a POST request with preliminary data about the user (browser and IP address) to an attacker-controlled internationalized domain name, lirıkedin[.]com (Punycode form: xn--lirkedin-vkb[.]com), which visually mimics linkedin[.]com.

The URL structure of the POST request:

hxxps[:]//xn--lirkedin-vkb[.]com/object[.]php?browser=<user_browser>&ip=<user_ip>

When we inspected the watering hole it was already inactive, but it was most likely used to target clients and users of that Israeli shipping company, in particular those shipping or handling heat-sensitive cargo (based on the nature of the compromised website). We have an additional indication of attempted targeting of another major Israeli shipping company by UNC3890, which is consistent with the watering hole.

  • Credential harvesting by masquerading as legitimate services – we uncovered several domains resolving to UNC3890's C2 servers. Some of the domains masqueraded as legitimate services and entities, as can be observed in the table below. UNC3890 may have used these domains to harvest credentials to legitimate services, to send phishing lures, or to mask their activity overall and blend in with expected network traffic.

It should be noted that many of these domains were hosted on the same infrastructure used by UNC3890 but date back to late 2020, which predates the period for which we can corroborate UNC3890 activity.

UNC3890 Domain | Legitimate entity/service | Comment
lirıkedin[.]com (xn--lirkedin-vkb[.]com) | LinkedIn | C2 domain of the watering hole
pfizerpoll[.]com | Pfizer | Hosted a fake Citrix login page
rnfacebook[.]com | Facebook |
office365update[.]live | Office 365 |
fileupload[.]shop | n/a |
celebritylife[.]news | n/a |
naturaldolls[.]store | Part of a robotic dolls commercial used to harvest credentials and as a lure to install SUGARDUMP | Hosts a fake Outlook login page
xxx-doll[.]com | Part of the same robotic dolls commercial |
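Both the watering-hole C2 domain above and the lookalike domains in this table follow the same pattern: an attacker-registered host that a user reads as a well-known brand. As an added example that is not part of Mandiant's post or tooling, the following Python script shows one way to hunt for such infrastructure in web proxy logs without depending on the specific indicators listed here. It decodes xn-- (Punycode) labels, folds lookalike code points and letter pairs (for instance the "rı" that reads as "n" in lirıkedin) into an ASCII skeleton, and flags any host whose skeleton embeds a brand keyword while the real registrable domain is not one the brand owns. The brand list, confusable tables, log format and the log lines themselves are constructed for the example; a production version would use the Public Suffix List for registrable-domain extraction and the full Unicode TR39 confusables data.

```python
"""Brand-spoof / homoglyph detection over web proxy log lines.

Added example, not Mandiant's code. Brand list, confusable tables, log
format and the sample log are constructed for illustration.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Brand keyword -> registrable domains that legitimately serve it (assumed, illustrative).
BRANDS = {
    "linkedin": {"linkedin.com"},
    "facebook": {"facebook.com", "fb.com"},
    "office365": {"office.com", "office365.com", "microsoft.com"},
    "pfizer": {"pfizer.com"},
}

# Letter pairs that render like a single Latin letter: "r" + dotless i -> n, "rn" -> m, "vv" -> w.
DIGRAMS = {"r\u0131": "n", "rn": "m", "vv": "w"}

# Single code points commonly confused with ASCII letters: Latin dotless i and Cyrillic lookalikes.
CONFUSABLES = {
    "\u0131": "i", "\u0456": "i", "\u0458": "j", "\u0430": "a", "\u0435": "e",
    "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y",
    "\u0455": "s", "\u0501": "d",
}

# Constructed log format: "<epoch> <client_ip> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def to_unicode_host(host: str) -> str:
    """Decode any xn-- (ACE) labels so the lookalike code points become visible."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave an undecodable label as-is; it is still worth a look
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Fold a Unicode host into the ASCII string a human is likely to read it as."""
    s = host.lower()
    for seq, repl in DIGRAMS.items():
        s = s.replace(seq, repl)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    # Drop combining marks (e.g. a dotted i built from "i" + U+0307).
    s = unicodedata.normalize("NFKD", s)
    return "".join(ch for ch in s if not unicodedata.combining(ch))


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); a real deployment should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def spoofed_brand(host: str):
    """Return the brand a host impersonates, or None if it is the brand's own domain or unrelated.

    The allowlist check runs on the REAL registrable domain, never on the skeleton,
    otherwise a homoglyph domain would allowlist itself.
    """
    skel = skeleton(to_unicode_host(host))
    for brand, legit in BRANDS.items():
        if brand in skel and registrable(host) not in legit:
            return brand
    return None


def scan_log(lines):
    """Return (client, host, decoded_host, brand) for every request to a brand-spoofing host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        brand = spoofed_brand(host)
        if brand:
            hits.append((m["client"], host, to_unicode_host(host), brand))
    return hits


# Constructed proxy log (not real traffic); the first line mirrors the watering-hole POST shape.
SAMPLE_LOG = """
1636900000.123 10.0.0.7 POST https://xn--lirkedin-vkb.com/object.php?browser=Chrome&ip=203.0.113.9 200
1636900001.456 10.0.0.7 GET https://www.linkedin.com/feed/ 200
1636900002.789 10.0.0.8 GET https://rnfacebook.com/login 200
1636900003.012 10.0.0.9 GET https://office365update.live/ 200
1636900004.345 10.0.0.9 GET https://pfizerpoll.com/citrix/ 200
1636900005.678 10.0.0.10 GET https://fileupload.shop/x.zip 200
""".strip().splitlines()

if __name__ == "__main__":
    for client, host, decoded, brand in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host} (reads as {decoded}) impersonates {brand}")
```

On the sample log the script flags the Punycode LinkedIn lookalike, rnfacebook.com, office365update.live and pfizerpoll.com, and leaves www.linkedin.com and fileupload.shop alone. The one design choice that matters is in spoofed_brand: the lookalike comparison uses the folded skeleton, but the allowlist comparison uses the host as it appears on the wire, since the skeleton of xn--lirkedin-vkb.com is exactly linkedin.com.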

In addition, we identified an UNC3890 server that hosted several ZIP files containing scraped contents of Facebook and Instagram accounts of legitimate individuals. It is possible they were targeted by UNC3890, or used as lures in a social engineering effort.

Source: https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping