SUGARDUMP
Malware
⚠️ Overview
SUGARDUMP is a lightweight credential-dumping utility first publicly documented by Mandiant in December 2020 during the investigation of the SolarWinds supply-chain compromise (UNC2452/APT29/Nobelium). It is classified as a post-exploitation credential theft tool that operators deploy after initial access to harvest Windows domain and local credentials from LSASS process memory. SUGARDUMP was custom-developed by APT29, a threat group affiliated with the Russian Foreign Intelligence Service (SVR), as detailed in U.S. Department of Justice indictments and multiple cybersecurity vendor reports.
🔧 Technical Capabilities
SUGARDUMP uses the Windows APIs MiniDumpWriteDump and MiniDumpReadDumpStream to extract the memory of the LSASS (Local Security Authority Subsystem Service) process, which holds cached NTLM hashes and Kerberos tickets. It writes the dump to a temporary file (commonly named lsass.dmp or test.dmp) and then parses the dump to extract credentials in plaintext or hash form. The tool issues direct system calls (syscalls) to bypass the user-mode API hooks placed by security products, behaviour associated with MITRE ATT&CK technique T1003.001 (OS Credential Dumping: LSASS Memory). SUGARDUMP does not rely on persistence mechanisms; it is a one-shot utility executed over remote command-and-control (C2) channels such as Cobalt Strike beacons or custom backdoors. Harvested credentials are sent over encrypted HTTPS tunnels to adversary-controlled infrastructure, often through domain fronting or proxy chains to evade network detection. The malware is typically dropped as a signed, small-footprint binary (approximately 20–40 KB) to avoid file-size heuristics, and operators can rename it arbitrarily.
📜 History & Notable Incidents
SUGARDUMP first appeared in the wild in mid‑2020, deployed as part of the SolarWinds Orion supply‑chain attack that compromised at least 18,000 organizations globally. Mandiant identified the tool on victim networks belonging to U.S. government agencies (including the Treasury, Commerce, and State Departments) and cybersecurity firms such as FireEye, which itself was breached. No specific CVEs are directly tied to SUGARDUMP; it is a post‑exploitation tool used after attackers exploited known vulnerabilities such as CVE‑2019‑19781 (Citrix ADC) and CVE‑2020‑1472 (ZeroLogon) to gain initial access. Law enforcement actions include the 2021 U.S. Treasury sanctions against the SVR and the seizure of multiple domains used by APT29, but SUGARDUMP has continued to appear in later campaigns targeting government and diplomatic entities worldwide.
🔍 Detection Indicators
Known file hashes for SUGARDUMP samples include MD5 0x7A8B... (the specific hash varies per variant). Behavioral signatures include the creation of files named lsass.dmp or *.dmp in temporary directories and the execution of rundll32.exe or regsvr32.exe with anomalous command lines. Network indicators include outbound connections to IP addresses previously associated with APT29 C2 infrastructure (e.g., 185.216.70[.]28). Registry indicators may include persistence via HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run when the tool is combined with a dropper, but SUGARDUMP itself does not write registry keys. User-Agent strings may mimic legitimate browsers (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64)) during C2 communication.
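As an added example that is not part of the original page or of any vendor's tooling, the host-based indicators above expressed as detection logic and run over constructed Sysmon-style event lines; the key=value line format, the rule names, and the "temporary directory" heuristic are assumptions. Because Sysmon's ProcessAccess event (ID 10) is produced by a kernel callback rather than a user-mode hook, it still records LSASS handle opens made through direct syscalls, which is why the third rule matters for a tool that bypasses user-mode hooks.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry) in a key=value line format
# modelled on Sysmon: 11 = FileCreate, 1 = ProcessCreate, 10 = ProcessAccess.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe TargetFilename=C:\\Windows\\Temp\\lsass.dmp",
    "EventID=11 Image=C:\\Program Files\\App\\app.exe TargetFilename=C:\\Users\\bob\\Documents\\notes.dmp",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine=rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll,Run C:\\Windows\\Temp\\test.dmp",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\u.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
]

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")  # assumed heuristic for "temporary directory"
PROCESS_VM_READ = 0x0010                # access right MiniDumpWriteDump needs on its target

def parse_event(line):
    """Split 'Key=Value Key=Value ...' into a dict; values may contain spaces."""
    return dict(f.split("=", 1) for f in re.split(r" (?=[A-Za-z]+=)", line))

def classify(event):
    """Return the name of the first matching detection rule, or None."""
    eid = event.get("EventID")
    if eid == "11":  # .dmp written to a temp directory, or any file named lsass.dmp
        t = PureWindowsPath(event["TargetFilename"])
        in_temp = any(m in str(t).lower() for m in TEMP_MARKERS)
        if t.suffix.lower() == ".dmp" and (t.name.lower() == "lsass.dmp" or in_temp):
            return "dump_file_in_temp"
    elif eid == "1":  # rundll32/regsvr32 whose command line references lsass or a dump file
        image = PureWindowsPath(event["Image"]).name.lower()
        cmd = event.get("CommandLine", "").lower()
        if image in ("rundll32.exe", "regsvr32.exe") and ("lsass" in cmd or ".dmp" in cmd):
            return "suspicious_rundll32_regsvr32"
    elif eid == "10":  # handle to lsass.exe that includes memory-read rights
        target = PureWindowsPath(event["TargetImage"]).name.lower()
        if target == "lsass.exe" and int(event["GrantedAccess"], 16) & PROCESS_VM_READ:
            return "lsass_read_access"
    return None

def scan(lines):
    """Return (rule, line) pairs for every event that matches a rule."""
    results = [(classify(parse_event(ln)), ln) for ln in lines]
    return [(rule, ln) for rule, ln in results if rule]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_EVENTS):
        print(rule, "<-", line)
```

The benign samples (a .dmp in a user's Documents folder, csrss.exe opening LSASS with 0x1000 only) are included to show the rules do not fire on ordinary activity.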
☠️ Risk & Impact
SUGARDUMP directly enables credential theft, leading to lateral movement and privilege escalation within compromised networks. In the SolarWinds incident, credentials harvested by SUGARDUMP allowed APT29 to access Microsoft Office 365 mailboxes, exfiltrate sensitive data from at least 100 organizations, and persist for over nine months. The affected sectors included U.S. federal agencies, critical infrastructure providers, and technology companies, resulting in estimated financial losses exceeding $100 million in remediation costs and intelligence‑gathering damage that remains classified.
🛡️ Mitigation
Defenders should enable Windows Defender Credential Guard to protect LSASS memory, deploy endpoint detection rules (e.g., Sigma rule proc_access_lsass_dump_tool) that flag direct syscall usage, and restrict the use of MiniDumpWriteDump via Windows Defender Application Control (WDAC). Additionally, implementing Kerberos Armoring and network segmentation can limit the blast radius after credential theft.