
Impersonating IT Support via Microsoft Teams, New Snow Malware Steals Sensitive Data

Snow Malware Label, with Impreza's Character Jake Featured Image, made by Impreza Team, 2026

A threat group tracked as UNC6692 actively uses social engineering to deploy a new, custom malware suite named “Snow,” which includes a browser extension, a tunneler, and a backdoor.

Specifically, the group aims to steal sensitive data after achieving deep network compromise through credential theft and domain takeover.

According to Google’s Mandiant researchers, the attacker uses “email bombing” tactics to create urgency, then contacts targets via Microsoft Teams, posing as IT helpdesk agents.

Moreover, a recent Microsoft report highlights the growing popularity of this tactic in the cybercrime space, as attackers trick users into granting remote access via Quick Assist or other remote access tools.

In the case of UNC6692, the victim receives a prompt to click a link to install a patch that would block email spam. However, in reality, the victim downloads a dropper that executes AutoHotkey scripts, which load “SnowBelt,” a malicious Chrome extension.

Malicious page used in the attacks
Source: Google

Stealth and Persistence Mechanisms

Subsequently, the extension runs in a headless Microsoft Edge instance, so the victim sees no browser window, while the attacker also creates scheduled tasks and a Startup folder shortcut to maintain persistence.

At this stage, SnowBelt acts both as a persistence mechanism and as a relay for commands that the operator sends to a Python-based backdoor named SnowBasin.

Next, the attacker delivers commands through a WebSocket tunnel established by a tunneler tool called SnowGlaze, which masks communications between the host and the command-and-control (C2) infrastructure.

In addition, SnowGlaze facilitates SOCKS proxy operations, allowing arbitrary TCP traffic to route through the infected host.

Meanwhile, SnowBasin runs a local HTTP server and executes attacker-supplied CMD or PowerShell commands on the infected system, relaying the results back to the operator through the same pipeline.

Capabilities of the Snow Malware Suite

As a result, the malware enables remote shell access, data exfiltration, file downloads, screenshot capture, and basic file management operations.

Furthermore, the operator can issue a self-termination command to shut down the backdoor on the host.

SnowBasin capabilities
Source: Google

Mandiant found that, after gaining access, the attackers perform internal reconnaissance, scanning for services such as SMB and RDP to identify additional targets, and then move laterally across the network.

To escalate access, the attackers dump LSASS memory to extract credential material and use pass-the-hash techniques to authenticate to additional hosts, eventually reaching domain controllers.

Data Exfiltration and Final Stage

In the final stage of the attack, the threat actor deploys FTK Imager to extract the Active Directory database, along with the SYSTEM, SAM, and SECURITY registry hives.

Afterward, the attackers exfiltrate these files from the network using LimeWire, gaining access to sensitive credential data across the domain.
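The behaviours described in the stealth and persistence section above (a headless Edge instance loading an extension, scheduled tasks, a Startup folder shortcut) and in the credential-theft and extraction steps (LSASS memory access, pass-the-hash logons, FTK Imager and copies of the Active Directory database) each leave a distinct telemetry footprint. The script below is an added example, not code from the article, Mandiant or Google: it runs a handful of detection rules over constructed Sysmon and Windows Security records. The event IDs (Sysmon 1, 10 and 11; Security 4624 and 4698) and the LogonType 9 / seclogo pass-the-hash pattern are real; the user names, paths, task name, record format and the LSASS allowlist are constructed assumptions.

```python
"""Detection rules for the behaviours the article attributes to the Snow
toolset. Added example, not code from the article, Mandiant or Google.
Event IDs are real Windows Security / Sysmon IDs; every record below is
constructed for illustration (no real telemetry, hosts or hashes)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str      # "sysmon" or "security"
    event_id: int
    fields: dict


# Constructed records in the form "<source> <event id> Key=Value Key=Value ...".
SAMPLE_LOG = [
    r"sysmon 1 Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe CommandLine=msedge.exe --headless --load-extension=C:\Users\jake\AppData\Local\Temp\ext",
    r"security 4698 TaskName=\SpamFilterUpdate TaskContent=<Exec><Command>C:\Users\jake\AppData\Local\Temp\run.ahk</Command></Exec>",
    r"sysmon 11 TargetFilename=C:\Users\jake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"sysmon 10 SourceImage=C:\Users\jake\AppData\Local\Temp\dump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"security 4624 LogonType=9 LogonProcessName=seclogo AuthenticationPackageName=Negotiate TargetUserName=jake",
    r'sysmon 1 Image=C:\Tools\FTK Imager.exe CommandLine="FTK Imager.exe"',
    r"sysmon 11 TargetFilename=C:\Temp\ntds.dit",
    r"sysmon 1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe notes.txt",
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Constructed minimal allowlist of processes expected to touch LSASS; tune per environment.
LSASS_ALLOWLIST = ("\\windows\\system32\\csrss.exe", "\\windows\\system32\\wininit.exe")


def parse_line(line: str) -> Event:
    source, event_id, rest = line.split(" ", 2)
    fields = {}
    # Split only at whitespace that precedes a new Key=, so values may contain spaces.
    for token in re.split(r"\s+(?=\w+=)", rest):
        key, _, value = token.partition("=")
        fields[key] = value.strip('"')
    return Event(source, int(event_id), fields)


def rule_headless_edge_extension(ev):
    if ev.source == "sysmon" and ev.event_id == 1:
        cmd = ev.fields.get("CommandLine", "").lower()
        if "msedge" in cmd and "--headless" in cmd and "--load-extension" in cmd:
            return "headless Edge started with an unpacked extension (SnowBelt-style loader)"


def rule_suspicious_scheduled_task(ev):
    if ev.source == "security" and ev.event_id == 4698:
        content = ev.fields.get("TaskContent", "")
        if USER_WRITABLE.search(content) or ".ahk" in content.lower():
            return f"scheduled task {ev.fields.get('TaskName')} runs from a user-writable path or an AutoHotkey script"


def rule_startup_shortcut(ev):
    if ev.source == "sysmon" and ev.event_id == 11:
        target = ev.fields.get("TargetFilename", "")
        if STARTUP_DIR.search(target) and target.lower().endswith(".lnk"):
            return f"shortcut dropped in Startup folder: {target}"


def rule_lsass_access(ev):
    if ev.source == "sysmon" and ev.event_id == 10:
        source = ev.fields.get("SourceImage", "").lower()
        target = ev.fields.get("TargetImage", "").lower()
        # Production rules also filter on the GrantedAccess mask; kept simple here.
        if target.endswith("\\lsass.exe") and not any(source.endswith(a) for a in LSASS_ALLOWLIST):
            return f"{source} opened a handle to LSASS (possible credential dumping)"


def rule_pass_the_hash_logon(ev):
    if ev.source == "security" and ev.event_id == 4624:
        f = ev.fields
        if (f.get("LogonType") == "9" and f.get("LogonProcessName", "").lower() == "seclogo"
                and f.get("AuthenticationPackageName", "").lower() == "negotiate"):
            return f"logon type 9 via seclogo for {f.get('TargetUserName')} (pass-the-hash pattern)"


def rule_ad_database_extraction(ev):
    if ev.source == "sysmon" and ev.event_id == 1 and "ftk imager" in ev.fields.get("Image", "").lower():
        return "forensic imaging tool executed; confirm it is a sanctioned IR action"
    if ev.source == "sysmon" and ev.event_id == 11:
        target = ev.fields.get("TargetFilename", "").lower()
        if target.endswith("\\ntds.dit") and not target.startswith("c:\\windows\\ntds\\"):
            return f"copy of the Active Directory database written to {target}"


RULES = [rule_headless_edge_extension, rule_suspicious_scheduled_task, rule_startup_shortcut,
         rule_lsass_access, rule_pass_the_hash_logon, rule_ad_database_extraction]


def scan(lines):
    """Return (line number, rule name, message) for every record a rule matches."""
    findings = []
    for number, line in enumerate(lines, 1):
        event = parse_line(line)
        for rule in RULES:
            message = rule(event)
            if message:
                findings.append((number, rule.__name__, message))
    return findings


if __name__ == "__main__":
    for number, name, message in scan(SAMPLE_LOG):
        print(f"line {number}: [{name}] {message}")
```

Each of the seven malicious records trips exactly one rule and the benign notepad record trips none. In a real deployment the rules would be tuned rather than used verbatim: some automation tooling launches headless Edge with extensions, EDR agents legitimately open LSASS, and FTK Imager is a standard forensic tool, so the value of these signals comes from correlating them on the same host in the order the article describes.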

Attack lifecycle
Source: Google

Overall, the report provides extensive indicators of compromise (IoCs) as well as YARA rules to help detect the “Snow” toolset.

Source: BleepingComputer
