Iranian UNC3890 Targets Israel’s Key Sectors

Iran’s attack on Israeli networks

• While it is primarily focused on Israel, some of its targets are global entities, mostly from the shipping industry.
• The threat group aims for intelligence collection, which may be used to support different actions, such as performing hack-and-leak and kinetic warfare attacks.

Tactics employed by hackers

• The group’s C2 servers masquerade as genuine services to collect credentials and send phishing lures.
• The servers host domains and fake login pages spoofing genuine services such as Office 365, and social networks (LinkedIn and Facebook) to spread fake job offers and commercials. 
• Additionally, the researchers have discovered a UNC3890 server loaded with scraped Facebook and Instagram information that could employ in social engineering attacks.

Tools in use

• One phishing lure used by the attackers is believed to be a .xls file masked as a job offer yet designed to install Sugardump (three versions found), a unique tool known to be used for credential harvesting. 
• Another tool is Sugarush, a backdoor for establishing a connection with C2 and executing CMD commands. 
• Other tools are Unicorn, a tool for performing PowerShell downgrade attacks and injecting a shellcode, Metasploit, and Northstar C2 (an open-source C2 framework for penetration testing).

Stay safe