A newly identified Persian-speaking threat group, tracked as UNC3890, is targeting industries ranging from healthcare to energy, with a particular focus on the shipping sector. According to researchers, the campaign uses social-engineering lures delivered by email and a watering hole planted on the legitimate login page of an Israeli shipping company to disguise the activity.
The group has also targeted some global companies, suggesting its activity may extend beyond Israel, although no confirmed target outside Israel has been identified so far. Researchers assess the group to be linked to Iran, citing technical traces such as Persian-language strings in its tooling, including the word "joda", which means "separate" in Persian.
The group appears to pursue activities that would support Iranian interests and operations, including the targeting of shipping groups that handle sensitive components. Its attacks on Israeli entities resemble those of other Iranian actors.
While the exact initial access method is unknown, it is suspected to combine watering holes, credential harvesting through pages posing as legitimate services, and fraudulent job offers for a software developer position at the data analytics company LexisNexis.
One of UNC3890's most recent lures is a video commercial for AI-based robot puppets, used as a decoy to deliver SUGARDUMP, a custom credential-harvesting tool.
SUGARUSH, the group's second custom malware, is a backdoor that connects to an embedded C2 server and executes arbitrary CMD commands sent by the attacker, giving full control over the victim's environment from first access. Defenders should watch for the process and network behaviour this kind of tool leaves behind.
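The behaviour just described, a process that holds an outbound connection to an external host and then spawns cmd.exe to run attacker-supplied commands, is generic enough to hunt for without indicators. The script below is an added example written for this article; it is not UNC3890 tooling, nor a detection published by the researchers. It applies that heuristic to constructed process-creation and network-connection records (the pids, paths, binary names and IP addresses are made up), and the allow-list of parents that legitimately launch cmd.exe is an assumption to be tuned per environment.

```python
"""Hunting heuristic for a cmd-executing backdoor.

Added example, not UNC3890 tooling or any published detection. All telemetry
below is constructed for illustration: pids, paths, binary names and IPs are
made up. The rule flags cmd.exe launched by a parent that is not a known
interactive shell host and that already holds an outbound connection to a
non-private address, the trace a SUGARUSH-style backdoor would leave.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataset_placeholder = None  # (removed below)
```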