Post by Mandiant (part of Google Cloud)

A newly tracked threat group, UNC6692, is bypassing defenses by impersonating IT on Microsoft Teams to deploy the custom SNOW malware ecosystem. Google Threat Intelligence Group has identified a highly coordinated intrusion campaign.

UNC6692 initiates contact by flooding a target's inbox with messages to create a sense of distraction. They then offer assistance via a Teams message, posing as helpdesk personnel providing a local patch. Victims are directed to a malicious "Mailbox Repair Utility" landing page that pushes them into a specific Microsoft Edge environment.

Once there, UNC6692 employs a psychological "double-entry" credential harvesting trick: the prompt intentionally rejects the first two password attempts. This reinforces the user's belief that the system is legitimately validating their login, while ensuring the attacker captures typo-free credentials. The captured data is then uploaded directly to an attacker-controlled Amazon S3 bucket.

This initial access enables the deployment of their modular malware pipeline:
🔹 SNOWBELT: A malicious Chromium browser extension that acts as the initial foothold and persistent backdoor, relaying commands without requiring constant re-authentication.
🔹 SNOWGLAZE: A Python-based tunneler that establishes a secure WebSocket connection to command-and-control infrastructure, masking malicious activity as encrypted web traffic.
🔹 SNOWBASIN: A Python bindshell that operates as a local HTTP server, providing interactive control for remote command execution, screenshot capture, and data staging.

Armed with elevated access, UNC6692 moves laterally to domain controllers using Pass-the-Hash techniques. They systematically extract LSASS process memory, the Active Directory database, and registry hives, eventually exfiltrating the data out of the network via LimeWire.

This campaign highlights a dangerous "living off the cloud" strategy. By hosting malicious components on trusted cloud platforms, attackers bypass traditional network reputation filters and blend into a high volume of legitimate traffic. To detect these methodologies, defenders must expand visibility beyond traditional process monitoring and correlate disparate events across browser activity and unauthorized cloud egress points.

Read the full analysis and get indicators of compromise. ➡️ https://goo.gle/425HxYm
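The detection advice above (correlating browser activity, non-browser tunnels and cloud egress rather than watching processes in isolation) is easiest to see in code. The script below is an added illustration, not Mandiant's or GTIG's tooling: it reads a handful of constructed JSON telemetry lines from browser, EDR and proxy sources, classifies each into a stage that matches the SNOW chain (unapproved extension install, WebSocket egress from a non-browser process, upload to an unapproved bucket), and flags a host only when two or more distinct stages land inside a time window. Every host name, extension ID, bucket name, destination and field name is made up for the example.

```python
"""Correlate browser, endpoint and proxy telemetry for SNOW-style tradecraft.

Added example (not Mandiant's code): flags hosts where an unapproved Chromium
extension, a non-browser WebSocket tunnel, and an upload to an unapproved
cloud bucket cluster within a short window. Field names, hosts, bucket names
and the events themselves are constructed for illustration only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical organisation policy: approved extension IDs and S3 buckets.
APPROVED_EXTENSIONS = {"ext-password-manager-approved"}
APPROVED_BUCKETS = {"corp-backup-prod"}
BROWSER_PROCESSES = {"msedge.exe", "chrome.exe"}
WINDOW = timedelta(hours=2)

# Constructed sample telemetry (JSON lines); none of these are real IoCs.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T09:02:00", "host": "ws-17", "source": "browser", "event": "extension_installed", "extension_id": "ext-unknown-0a1b"}
{"ts": "2024-05-01T09:10:00", "host": "ws-17", "source": "edr", "event": "net_egress", "process": "python.exe", "dest": "updates.example-cdn.invalid", "protocol": "websocket"}
{"ts": "2024-05-01T09:25:00", "host": "ws-17", "source": "proxy", "event": "cloud_upload", "bucket": "rnd-staging-7781", "bytes": 52428800}
{"ts": "2024-05-01T10:00:00", "host": "ws-03", "source": "browser", "event": "extension_installed", "extension_id": "ext-password-manager-approved"}
{"ts": "2024-05-01T10:05:00", "host": "ws-03", "source": "proxy", "event": "cloud_upload", "bucket": "corp-backup-prod", "bytes": 1024}
{"ts": "2024-05-01T14:00:00", "host": "ws-22", "source": "edr", "event": "net_egress", "process": "msedge.exe", "dest": "teams.microsoft.com", "protocol": "websocket"}
"""


def classify(ev):
    """Map one raw event to a chain stage, or None if it looks benign."""
    if ev["event"] == "extension_installed" and ev["extension_id"] not in APPROVED_EXTENSIONS:
        return "foothold"          # SNOWBELT-like: unapproved browser extension
    if (ev["event"] == "net_egress" and ev.get("protocol") == "websocket"
            and ev["process"].lower() not in BROWSER_PROCESSES):
        return "tunnel"            # SNOWGLAZE-like: WebSocket from a non-browser process
    if ev["event"] == "cloud_upload" and ev["bucket"] not in APPROVED_BUCKETS:
        return "egress"            # staging/exfil to a bucket outside policy
    return None


def parse_events(text):
    """Parse JSON lines into dicts with real timestamps, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(text, window=WINDOW, min_stages=2):
    """Return {host: finding} for hosts with >= min_stages distinct stages in one window."""
    per_host = defaultdict(list)
    for ev in parse_events(text):
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage, ev["source"]))

    findings = {}
    for host, hits in per_host.items():
        # Slide a window anchored at each hit and keep the cluster with the most stages.
        best = []
        for i, (t0, _, _) in enumerate(hits):
            cluster = [h for h in hits[i:] if h[0] - t0 <= window]
            if len({s for _, s, _ in cluster}) > len({s for _, s, _ in best}):
                best = cluster
        stages = sorted({s for _, s, _ in best})
        if len(stages) >= min_stages:
            findings[host] = {
                "stages": stages,
                "sources": sorted({src for _, _, src in best}),
                "first_seen": best[0][0].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding)
```

On the sample data only ws-17 is flagged, because its three stages come from three different sources inside the window; ws-03 touches only approved resources and ws-22's WebSocket comes from the browser itself, so neither host produces a finding. Shrinking the window to a few minutes breaks the cluster and the alert disappears, which is the point of the correlation: any one of these events is noise on its own, and the approved-resource allowlists are where the "unauthorized cloud egress" judgement is encoded.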