Microsoft Teams Used to Deliver New Snow Malware

Summary
– A threat group, UNC6692, uses social engineering and a custom malware suite called “Snow” to gain deep network access, steal credentials, and take over the victim’s domain.
– Attackers use email bombing to create urgency, then pose as IT helpdesk agents on Microsoft Teams to trick victims into clicking a link that installs a malicious Chrome extension via AutoHotkey scripts.
– The SnowBelt extension runs on a headless Microsoft Edge instance for persistence, relaying commands to a Python backdoor named SnowBasin through a WebSocket tunnel created by the SnowGlaze tunneler.
– SnowBasin executes attacker commands, supports remote shell access, data exfiltration, and file management, while attackers perform lateral movement by dumping LSASS memory and using pass-the-hash techniques.
– In the final stage, attackers deploy FTK Imager to extract the Active Directory database and registry hives, exfiltrating them via LimeWire to gain domain-wide credential access.
A newly identified threat group, tracked as UNC6692, is leveraging social engineering tactics to deploy a custom malware suite called “Snow.” This advanced toolkit includes a malicious browser extension, a tunneler, and a backdoor, all designed for deep network compromise and sensitive data theft.
The attackers’ primary goal is credential theft and domain takeover. Once inside a network, they systematically extract valuable data. Google’s Mandiant researchers detail the attack chain, which begins with email bombing to create a sense of urgency. The attacker then contacts the victim via Microsoft Teams, posing as an IT helpdesk agent. This tactic, highlighted in a recent Microsoft report, is gaining traction in the cybercrime world. It tricks users into granting remote access through tools like Quick Assist.
In the UNC6692 campaign, victims are instructed to click a link to install a patch that supposedly blocks spam. Instead, they download a dropper that executes AutoHotkey scripts, loading a malicious Chrome extension named SnowBelt. This extension runs on a headless Microsoft Edge instance, remaining invisible to the user. For persistence, scheduled tasks and a startup folder shortcut are also created.
SnowBelt acts as both a persistence mechanism and a relay for commands sent to a Python-based backdoor called SnowBasin. These commands travel through a WebSocket tunnel established by the tunneler tool SnowGlaze, which masks all communication between the infected host and the command-and-control (C2) infrastructure. SnowGlaze also supports SOCKS proxy operations, allowing arbitrary TCP traffic to be routed through the compromised machine.
SnowBasin runs a local HTTP server and executes attacker-supplied CMD or PowerShell commands, relaying results back through the same pipeline. It supports remote shell access, data exfiltration, file download, screenshot capturing, and basic file management. The operator can also issue a self-termination command to shut down the backdoor.
Mandiant researchers observed that post-compromise, the attackers performed internal reconnaissance, scanning for services like SMB and RDP to identify additional targets. They then moved laterally across the network. The attackers dumped LSASS memory to extract credential material and used pass-the-hash techniques to authenticate to other hosts, eventually reaching domain controllers.
In the final stage, the threat actor deployed FTK Imager to extract the Active Directory database, along with SYSTEM, SAM, and SECURITY registry hives. These files were exfiltrated from the network using LimeWire, granting the attackers access to sensitive credential data across the entire domain.
The report includes extensive indicators of compromise (IoCs) and YARA rules to help detect the Snow toolset. Organizations are urged to monitor for these specific behaviors and artifacts to defend against this sophisticated threat.
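To make the monitoring advice above concrete, here is an added example (not code from Mandiant, Microsoft, or BleepingComputer) that triages constructed Sysmon-style process-creation and process-access records for the behaviours the article names: a headless Edge instance loading an unpacked extension, AutoHotkey executing from a user-writable path, a scheduled task whose action lives in a user profile, a non-system process opening lsass.exe with read access, and FTK Imager starting on a host. The pipe-delimited key=value log format, every path, hostname and file name in the sample, and the FTK Imager executable name are assumptions made for this example, not indicators from the report.

```python
"""Triage sketch for the Snow intrusion chain (added example, not the report's code).
Records are constructed Sysmon-style events: EventID 1 = process creation,
EventID 10 = process access. Format and paths are assumptions for this example."""
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample log. The first five lines mimic the chain described in the
# article; the last two are benign and must not fire.
SAMPLE_LOG = r"""
EventID=1|Host=WS-01|Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine=msedge.exe --headless --load-extension=C:\Users\alice\AppData\Local\Temp\ext|ParentImage=C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe
EventID=1|Host=WS-01|Image=C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe|CommandLine=AutoHotkey.exe patch.ahk|ParentImage=C:\Windows\explorer.exe
EventID=1|Host=WS-01|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn Updater /tr C:\Users\alice\AppData\Roaming\run.cmd /sc onlogon|ParentImage=C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe
EventID=10|Host=WS-01|SourceImage=C:\Users\alice\AppData\Local\Temp\dump.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF
EventID=1|Host=DC-01|Image=C:\Program Files\AccessData\FTK Imager\FTK Imager.exe|CommandLine="FTK Imager.exe"|ParentImage=C:\Windows\explorer.exe
EventID=10|Host=WS-01|SourceImage=C:\Windows\System32\wbem\WmiPrvSE.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000
EventID=1|Host=WS-02|Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine=msedge.exe https://example.test|ParentImage=C:\Windows\explorer.exe
"""

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
PROCESS_VM_READ = 0x0010  # the access right needed to read another process's memory


def parse_line(line: str) -> Record:
    """Split one pipe-delimited record into a dict; only the first '=' separates key and value."""
    rec: Record = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_headless_edge_extension(r: Record) -> bool:
    """Edge launched headless and told to load an unpacked extension: the SnowBelt delivery pattern."""
    cl = r.get("CommandLine", "").lower()
    return (r.get("EventID") == "1"
            and r.get("Image", "").lower().endswith("msedge.exe")
            and "--headless" in cl and "--load-extension" in cl)


def rule_autohotkey_user_path(r: Record) -> bool:
    """AutoHotkey interpreter running from a user-writable directory rather than an installed location."""
    img = r.get("Image", "").lower()
    return r.get("EventID") == "1" and "autohotkey" in img and in_user_writable(img)


def rule_schtask_user_path(r: Record) -> bool:
    """schtasks /create whose action points into a user profile: the persistence step."""
    cl = r.get("CommandLine", "").lower()
    return (r.get("EventID") == "1"
            and r.get("Image", "").lower().endswith("schtasks.exe")
            and "/create" in cl and in_user_writable(cl))


def rule_lsass_read_access(r: Record) -> bool:
    """A process outside System32 opening lsass.exe with VM_READ: credential dumping precursor.
    A production rule would use a curated allowlist (EDR, AV) instead of a path prefix."""
    if r.get("EventID") != "10" or not r.get("TargetImage", "").lower().endswith("lsass.exe"):
        return False
    access = int(r.get("GrantedAccess", "0"), 16)
    src = r.get("SourceImage", "").lower()
    return bool(access & PROCESS_VM_READ) and not src.startswith("c:\\windows\\system32\\")


def rule_ftk_imager_execution(r: Record) -> bool:
    """FTK Imager is a legitimate forensics tool; its appearance on a host that is not a
    forensics workstation (especially a domain controller) deserves review."""
    return r.get("EventID") == "1" and "ftk imager" in r.get("Image", "").lower()


RULES: List[Tuple[str, str, Callable[[Record], bool]]] = [
    ("headless_edge_extension", "high", rule_headless_edge_extension),
    ("autohotkey_user_path", "medium", rule_autohotkey_user_path),
    ("schtask_user_path", "medium", rule_schtask_user_path),
    ("lsass_read_access", "high", rule_lsass_read_access),
    ("ftk_imager_execution", "medium", rule_ftk_imager_execution),
]


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, rule name, severity) for every record that matches a rule."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        for name, severity, check in RULES:
            if check(rec):
                hits.append((rec.get("Host", "?"), name, severity))
    return hits


if __name__ == "__main__":
    for host, name, severity in triage(SAMPLE_LOG):
        print(f"{severity:6} {host:6} {name}")
```

The individual rules are weak on their own (headless Edge and FTK Imager both have legitimate uses), so the value comes from correlating them on one host within a short window, which is what the article's chain looks like from the endpoint: AutoHotkey, then headless Edge with an extension, then a scheduled task, then LSASS access.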
(Source: BleepingComputer)