Cyber Group UNC6692 Exploits Microsoft Teams, Targets Execs with SNOW Malware Suite

UNC6692’s Deceptive Tactics: Impersonating IT Support via Microsoft Teams to Deploy SNOW Malware

A newly identified cyber threat group, designated as UNC6692, has been exploiting social engineering techniques through Microsoft Teams to infiltrate systems with a custom malware suite known as SNOW. This sophisticated campaign underscores the evolving landscape of cyber threats targeting organizational infrastructures.

The Attack Strategy

UNC6692 initiates its attack by overwhelming a target’s email inbox with a deluge of spam messages, creating a sense of urgency and confusion. Capitalizing on this chaos, the attackers then pose as IT support personnel, reaching out via Microsoft Teams to offer assistance in resolving the fabricated email issue. This method of combining email flooding with direct communication through trusted platforms like Teams has been previously associated with groups such as Black Basta, indicating a persistent and effective tactic in the cybercriminal playbook.

Targeting High-Level Executives

Recent analyses reveal a concerning trend: from March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, a significant increase from 59% in the preceding two months. This shift highlights a strategic focus on individuals with elevated access privileges, aiming to maximize the impact of the intrusion.

Deployment of Malicious Tools

Unlike traditional methods that rely on convincing victims to install legitimate remote monitoring and management (RMM) tools, UNC6692 employs a more direct approach. Victims are prompted to click on a phishing link shared via Teams, leading to the download of an AutoHotkey script from an attacker-controlled AWS S3 bucket. This script performs initial reconnaissance and installs SNOWBELT, a malicious Chromium-based browser extension, in the Edge browser. The extension facilitates the download of additional malicious components, including SNOWGLAZE and SNOWBASIN, further entrenching the attacker’s presence within the system.

The SNOW Malware Suite

The SNOW malware ecosystem is a modular toolkit designed to achieve various malicious objectives:

– SNOWBELT: A JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution.

– SNOWGLAZE: A Python-based tunneler that establishes a secure, authenticated WebSocket tunnel between the victim’s internal network and the attacker’s command-and-control (C2) server.

– SNOWBASIN: A persistent backdoor enabling remote command execution, screenshot capture, file upload/download, and self-termination. It operates as a local HTTP server on ports 8000, 8001, or 8002.

Post-Exploitation Activities

Upon gaining initial access, UNC6692 engages in several post-exploitation actions:

– Network Scanning: Utilizing Python scripts to scan the local network for ports 135, 445, and 3389, facilitating lateral movement.

– Privilege Escalation: Extracting the system’s LSASS process memory using Windows Task Manager to obtain credentials.

– Lateral Movement: Employing the Pass-The-Hash technique to move laterally to domain controllers, downloading and running FTK Imager to capture sensitive data, and exfiltrating it using tools like LimeWire.

Implications and Recommendations

The UNC6692 campaign exemplifies the sophisticated evolution of cyber threats, particularly through the use of social engineering, custom malware, and malicious browser extensions. By exploiting the inherent trust in enterprise software and systematically abusing legitimate cloud services for payload delivery and exfiltration, attackers can often bypass traditional security measures.

To mitigate such threats, organizations should:

– Enhance User Awareness: Educate employees about the risks of social engineering and the importance of verifying unsolicited communications, even from seemingly legitimate sources.

– Implement Multi-Factor Authentication (MFA): Strengthen access controls to reduce the risk of unauthorized access.

– Monitor Network Activity: Regularly review network traffic for unusual patterns that may indicate a breach.

– Restrict External Communications: Limit the ability of external accounts to initiate communications via platforms like Microsoft Teams.

By adopting a proactive and comprehensive security posture, organizations can better defend against the evolving tactics employed by threat actors like UNC6692.