Threat Actor Uses Microsoft Teams to Deploy New "Snow" Malware

Introduction

A recently identified threat group, UNC6692, has adopted a new method for initial compromise: using Microsoft Teams for social engineering. This group is deploying a custom malware suite named "Snow," which includes a browser extension, a tunneler, and a backdoor. The operation aims at network compromise to facilitate sensitive data exfiltration through credential theft and domain takeover.

This approach demonstrates a continued trend of threat actors exploiting widely used communication and productivity platforms to bypass conventional security measures. By impersonating trusted entities, UNC6692 manipulates targets into executing malicious payloads. This shows the sophistication of modern social engineering tactics.

The deployment of the "Snow" malware represents a calculated effort to establish persistence and achieve full control over compromised environments. Understanding the attack from initial contact to data exfiltration helps organizations implement effective breach detection and prevention strategies against these threats.

UNC6692 Uses Microsoft Teams for Snow Malware Deployment

Mandiant researchers, a division of Google, have identified UNC6692 as a threat group using sophisticated social engineering techniques. The group initiates attacks with "email bombing" tactics designed to create urgency and distress for the target. Following this, attackers contact victims via Microsoft Teams, impersonating legitimate IT helpdesk agents.

This method exploits the trust users place in internal communication platforms and IT support personnel. A recent Microsoft report independently confirmed the increasing prevalence of helpdesk impersonation attacks within cybercrime, often tricking users into granting remote access via tools such as Quick Assist. These tactics show the vulnerability of relying solely on technical controls without adequate user awareness training, similar to prior campaigns exploiting other Microsoft services for initial access, such as the exploitation of Microsoft 365 services for zero-click attacks.

In UNC6692's operations, victims receive a prompt within Microsoft Teams to click a link. This link is falsely presented as a solution for blocking the previously observed email spam. Instead of installing a legitimate patch, the victim downloads and executes a dropper. This dropper then deploys AutoHotkey scripts, which load the "SnowBelt" malicious Chrome extension onto the system.

How does UNC6692 establish initial compromise and persistence?

UNC6692 compromises systems through deceptive social engineering via Microsoft Teams, then executes a dropper that installs a malicious Chrome extension. The attack sequence begins when the victim activates a link provided by the impersonated IT agent, which leads to the installation of SnowBelt, a malicious Chrome extension.

SnowBelt is designed to operate on a headless Microsoft Edge instance, meaning the browser runs without a visible user interface. This ensures the victim remains unaware of the extension's execution. For persistence, the malware creates scheduled tasks and a shortcut in the startup folder, ensuring SnowBelt re-executes across system reboots.

This malicious extension functions as a persistence mechanism and a relay for commands directed at SnowBasin, a Python-based backdoor. Using a headless browser instance is an important technique to maintain stealth during initial infection, preventing immediate detection by the user. Compromising a Microsoft productivity suite for espionage is a recurring theme in modern threats, similar to operations by threat actors exploiting Microsoft Office vulnerabilities for espionage.

What are the components of the "Snow" malware suite?

The "Snow" malware suite developed by UNC6692 comprises three components: SnowBelt, SnowGlaze, and SnowBasin. Each component fulfills a specific role in establishing and maintaining control over the compromised system. This modular design allows for flexibility in attacker operations and evasion of detection.

SnowBelt is the initial malicious Chrome extension deployed, serving as a persistence mechanism. It operates silently within a headless Microsoft Edge instance, relaying commands to the main backdoor. Its function ensures the threat actor's presence on the system.

SnowGlaze acts as a tunneler tool, masking communications between the infected host and the command-and-control (C2) infrastructure. It establishes a WebSocket tunnel, encrypting and obfuscating data exchange to evade network security monitoring. SnowGlaze enables SOCKS proxy operations, routing arbitrary TCP traffic through the compromised host, which aids in lateral movement and covert communication.

SnowBasin is the Python-based backdoor. It runs a local HTTP server on the compromised machine and executes commands supplied by the attacker. These commands can be CMD or PowerShell commands, with their results relayed back to the operator through the SnowGlaze tunnel. The combined functionality of these tools creates a resilient and stealthy channel for system compromise.

The capabilities of SnowBasin are extensive, designed for full control and data exfiltration. These include:

  • Remote shell access: Direct command execution on the compromised system.
  • Data exfiltration: Transfer stolen data from the target network.
  • File download: Retrieve additional tools or malware.
  • Screenshot capturing: Capture screenshots to gain visual intelligence on user activities and sensitive data.
  • Basic file management operations: Manage files and directories on the host.
  • Self-termination command: Remotely shut down the backdoor (useful for covering tracks).

What post-compromise activities did UNC6692 conduct?

Following initial compromise and the establishment of persistence, UNC6692 initiated a series of post-compromise activities focused on internal reconnaissance, lateral movement, and data exfiltration. The objective was to expand control and locate high-value data within the victim's network. This phase is important for achieving the group's main goal of sensitive data theft and domain takeover.

The attackers performed internal reconnaissance, scanning for services such as SMB (Server Message Block) and RDP (Remote Desktop Protocol). This scanning identified additional targets and potential pathways for lateral movement within the network, mapping the internal infrastructure. Such internal mapping helps threat actors understand the environment, similar to how vulnerabilities can expose broader Microsoft 365 tenants to risk, as discussed in instances like the Synology ABM M365 flaw.

Once potential targets were identified, UNC6692 moved laterally across the network. A primary technique involved dumping LSASS (Local Security Authority Subsystem Service) memory to extract credential material. These extracted credentials were then used in pass-the-hash techniques to authenticate to additional hosts without needing plaintext passwords. This allowed the attackers to progressively gain access to more privileged systems, eventually reaching domain controllers.

At the final stage of the attack lifecycle, the threat actor deployed FTK Imager, a legitimate forensic tool. This tool extracted important data, including the Active Directory database, along with the SYSTEM, SAM, and SECURITY registry hives. These files contain sensitive credential data for the entire domain. The data exfiltration was conducted using LimeWire, a peer-to-peer file-sharing application, a method to blend exfiltration traffic with benign network activity or use a readily available tool for transfer.

Technical Takeaways

  • UNC6692 uses Microsoft Teams for social engineering, with "email bombing" creating urgency to deploy custom "Snow" malware.
  • The "Snow" malware suite consists of SnowBelt (malicious Chrome extension for persistence via headless Edge), SnowGlaze (WebSocket tunneler and SOCKS proxy), and SnowBasin (Python-based backdoor for remote command execution and data exfiltration).
  • Post-compromise, UNC6692 conducts internal reconnaissance, LSASS memory dumping, and pass-the-hash techniques for lateral movement, targeting domain controllers.
  • Data exfiltration targets the Active Directory database and important registry hives, using tools like FTK Imager and LimeWire.
  • The attack shows the need for full supply-chain risk monitoring and improved breach detection capabilities against evolving social engineering tactics and custom malware.