A threat group tracked as UNC6692 uses email bombing followed by Microsoft Teams calls from attackers impersonating IT helpdesk agents to deploy a custom malware suite named Snow. Victims are tricked into clicking a link for a supposed patch that will stop the spam flood; the link actually executes AutoHotkey scripts that install a malicious Chrome extension called SnowBelt. The extension is loaded into a headless Microsoft Edge instance, so the victim sees no browser window, and persistence is established through scheduled tasks and startup folder shortcuts.
SnowBelt serves as a relay mechanism for commands sent to a Python-based backdoor named SnowBasin, with communications masked through a WebSocket tunnel created by a tool called SnowGlaze. SnowGlaze also enables SOCKS proxy operations, routing arbitrary TCP traffic through infected hosts, while SnowBasin runs a local HTTP server to execute attacker-supplied commands and relay results back. The backdoor supports remote shell access, data exfiltration, file downloads, screenshot capture, and self-termination.
Post-compromise activities included internal reconnaissance scanning for SMB and RDP services, lateral movement, LSASS memory dumping for credential extraction, and pass-the-hash techniques to reach domain controllers. Attackers ultimately deployed FTK Imager to extract Active Directory databases along with SYSTEM, SAM, and SECURITY registry hives, exfiltrating the data using LimeWire. UNC6692's goal is deep network compromise through credential theft and domain takeover for sensitive data theft. Mandiant has released indicators of compromise and YARA rules to help detect the Snow toolset across affected environments.
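A worked hunting example added here, not Mandiant's published IOCs or YARA rules and not code from the page: a Python pass over constructed Sysmon- and Security-style event records that flags the chain the summary describes, namely a headless msedge.exe sideloading an extension, a non-allowlisted process reading LSASS memory, FTK Imager executing, and an NTLM network logon to a domain controller from a host where LSASS was just read (the pass-the-hash step). The field names, the sample records, the LSASS allowlist, the DC hostname and the command-line flag heuristics are all assumptions chosen for illustration and need tuning against a real environment.

```python
"""Hunt for a Snow-style intrusion chain in Sysmon/Security-style events.

Added example. Records are simplified dicts modelled on Sysmon EID 1
(ProcessCreate), Sysmon EID 10 (ProcessAccess) and Security EID 4624 (Logon).
Every sample event below is constructed; the indicators are heuristics
assumed from the report narrative, not published IOCs.
"""
import re

DOMAIN_CONTROLLERS = {"DC01"}            # assumption: known DC hostnames
PROCESS_VM_READ = 0x0010                 # Windows process access right needed to read memory
# Processes that legitimately open LSASS with read rights (assumption; tune per estate)
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
FTK_RE = re.compile(r"ftk\s*imager")     # assumption: imager executable name contains this
EXT_RE = re.compile(r'--load-extension=("?)([^"\s]+)\1')

# Constructed sample telemetry (not real events)
SAMPLE_EVENTS = [
    {"eid": 1, "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless '
                r'--load-extension="C:\Users\jdoe\AppData\Local\Temp\snowbelt" about:blank',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"eid": 1, "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
     "parent": r"C:\Windows\explorer.exe"},
    {"eid": 10, "host": "WS01", "user": "CORP\\jdoe",
     "source_image": r"C:\Windows\Temp\dump.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"eid": 10, "host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
    {"eid": 1, "host": "DC01", "user": "CORP\\da-backup",
     "image": r"C:\Users\da-backup\Desktop\FTK Imager\FTK Imager.exe",
     "cmdline": r'"C:\Users\da-backup\Desktop\FTK Imager\FTK Imager.exe"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"eid": 4624, "host": "DC01", "user": "CORP\\da-backup", "logon_type": 3,
     "auth_package": "NTLM", "workstation": "WS01"},
    {"eid": 4624, "host": "DC01", "user": "CORP\\svc-backup", "logon_type": 3,
     "auth_package": "Kerberos", "workstation": "WS02"},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_headless_edge_extension(ev):
    """Edge started headless with a sideloaded extension: the SnowBelt loader pattern."""
    if ev.get("eid") != 1 or _basename(ev.get("image", "")) != "msedge.exe":
        return None
    cmd = ev.get("cmdline", "")
    if "--headless" in cmd and "--load-extension" in cmd:
        m = EXT_RE.search(cmd)
        return {"rule": "headless_edge_sideloaded_extension", "host": ev["host"],
                "detail": m.group(2) if m else cmd, "parent": _basename(ev.get("parent", ""))}
    return None


def detect_lsass_access(ev):
    """Non-allowlisted process opening LSASS with memory-read rights (credential dumping)."""
    if ev.get("eid") != 10 or _basename(ev.get("target_image", "")) != "lsass.exe":
        return None
    src = _basename(ev.get("source_image", ""))
    access = int(ev.get("granted_access", "0x0"), 16)
    if src not in LSASS_ALLOWLIST and access & PROCESS_VM_READ:
        return {"rule": "lsass_memory_read", "host": ev["host"],
                "detail": f"{src} granted=0x{access:X}"}
    return None


def detect_ftk_imager(ev):
    """Forensic imaging tool launched by an interactive user, as used to lift NTDS and hives."""
    if ev.get("eid") == 1 and FTK_RE.search(_basename(ev.get("image", ""))):
        return {"rule": "forensic_imager_execution", "host": ev["host"],
                "detail": f"{ev.get('user')} ran {ev['image']}"}
    return None


def run_detections(events):
    """Apply per-event rules, then correlate NTLM logons to DCs with LSASS-read hosts."""
    alerts, lsass_hosts = [], set()
    for ev in events:
        for rule in (detect_headless_edge_extension, detect_lsass_access, detect_ftk_imager):
            alert = rule(ev)
            if alert:
                alerts.append(alert)
                if alert["rule"] == "lsass_memory_read":
                    lsass_hosts.add(alert["host"])
    # Second pass: an NTLM network logon (type 3) to a DC whose source workstation
    # already read LSASS is the pass-the-hash step described in the report.
    for ev in events:
        if (ev.get("eid") == 4624 and ev.get("logon_type") == 3
                and ev.get("auth_package", "").upper() == "NTLM"
                and ev.get("host") in DOMAIN_CONTROLLERS
                and ev.get("workstation") in lsass_hosts):
            alerts.append({"rule": "ntlm_logon_from_credential_theft_host", "host": ev["host"],
                           "detail": f"{ev.get('user')} from {ev.get('workstation')}"})
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

The correlation in the second pass is what keeps the NTLM rule usable: NTLM type-3 logons to a domain controller are routine on their own, so the rule only fires once the source workstation has already produced an LSASS-read alert. The extension-path capture from `--load-extension` is worth keeping in the alert, since that directory is where a responder would look for the sideloaded extension and the persistence artefacts that reference it.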
