mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-22 14:57:18 +00:00
[threat-actors] Add UNC3890
This commit is contained in:
parent
84fda6ef72
commit
a65bb60d90
1 changed files with 12 additions and 0 deletions
|
@ -12357,6 +12357,18 @@
|
|||
},
|
||||
"uuid": "ce793b99-0cf2-4148-831c-ea5f6a9e0a76",
|
||||
"value": "Carderbee"
|
||||
},
|
||||
{
|
||||
"description": "A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.",
|
||||
"meta": {
|
||||
"country": "IR",
|
||||
"refs": [
|
||||
"https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/",
|
||||
"https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping"
|
||||
]
|
||||
},
|
||||
"uuid": "27e11cc5-1688-4aea-a98d-96e6c275d005",
|
||||
"value": "UNC3890"
|
||||
}
|
||||
],
|
||||
"version": 289
|
||||
|
|
Loading…
Reference in a new issue