A threat group tracked as UNC6692 is deploying a custom malware suite called 'Snow' via Microsoft Teams social engineering attacks. Attackers impersonate IT helpdesk agents, use email bombing to create urgency, then trick victims into installing a dropper that loads three components: SnowBelt (a malicious Chrome extension for persistence and command relay), SnowBasin (a Python-based backdoor with remote shell, data exfiltration, and screenshot capabilities), and SnowGlaze (a tunneler masking C2 communications via WebSocket and SOCKS proxy). Post-compromise, attackers perform lateral movement, dump LSASS credentials, use pass-the-hash techniques to reach domain controllers, and exfiltrate the Active Directory database. Google's Mandiant researchers published the report along with IoCs and YARA rules for detection.
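The summary above names three post-compromise behaviours a defender can look for regardless of which malware family is involved: a process reading LSASS memory, extraction of the Active Directory database, and a browser extension loaded outside the normal store channel. The following is an added example, not code from the article or from Mandiant's report: a small detection pass over constructed process-telemetry lines. The key=value log schema, the sample lines, the LSASS source allowlist and the `Finding` type are all assumptions made for this example. The `--load-extension` Chrome flag is real, but the article does not say how SnowBelt is installed, and `ntdsutil.exe` is one common way the AD database is copied, not a method the article attributes to UNC6692.

```python
"""Added detection example (assumed log format, constructed sample data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


# Constructed sample telemetry in an assumed key=value schema (not a real product's format).
SAMPLE_LOGS = r'''
event=process_create host=ws01 user=jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
event=process_create host=ws01 user=jdoe image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmdline="chrome.exe --load-extension=C:\Users\jdoe\AppData\Local\Temp\ext"
event=process_access host=ws01 source=C:\Users\jdoe\AppData\Local\Temp\upd.exe target=C:\Windows\System32\lsass.exe access=0x1010
event=process_access host=ws01 source=C:\Windows\System32\svchost.exe target=C:\Windows\System32\lsass.exe access=0x1000
event=process_create host=dc01 user=jdoe image=C:\Windows\System32\ntdsutil.exe cmdline="ntdsutil.exe ifm"
'''

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# PROCESS_VM_READ: the Windows access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010

# Assumed baseline of system images that legitimately open LSASS on this host.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
}

SIDELOAD_FLAGS = ("--load-extension",)


def parse_line(line: str) -> dict:
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(record: dict, line_no: int) -> list:
    """Apply the three behavioural rules to one parsed record."""
    findings = []
    event = record.get("event")

    if event == "process_access" and basename(record.get("target", "")) == "lsass.exe":
        try:
            mask = int(record.get("access", "0"), 16)
        except ValueError:
            mask = 0
        source = record.get("source", "")
        # Only a memory-read access from an unexpected image is interesting;
        # a low-privilege query (0x1000) from svchost.exe is normal noise.
        if mask & PROCESS_VM_READ and source.lower() not in LSASS_ALLOWED_SOURCES:
            findings.append(Finding(line_no, "lsass_memory_read",
                                    f"{source} opened lsass.exe with access {record.get('access')}"))

    elif event == "process_create":
        image = basename(record.get("image", ""))
        cmdline = record.get("cmdline", "")
        # Extension loaded from disk rather than installed through the store.
        if image == "chrome.exe" and any(flag in cmdline for flag in SIDELOAD_FLAGS):
            findings.append(Finding(line_no, "browser_extension_sideload", cmdline))
        # Direct handling of the AD database (assumed indicator, see lead-in).
        if image == "ntdsutil.exe" or "ntds.dit" in cmdline.lower():
            findings.append(Finding(line_no, "ad_database_access", cmdline))

    return findings


def scan(log_text: str) -> list:
    """Run every rule over every non-empty line and collect the findings."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), 1):
        record = parse_line(line)
        if record:
            findings.extend(evaluate(record, line_no))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"line {finding.line_no}: {finding.rule}: {finding.detail}")
```

On the constructed sample this yields three findings (the sideloaded extension, the unexpected LSASS memory read, and the ntdsutil invocation) and stays quiet on the benign notepad launch and the low-privilege svchost access to LSASS. In a real deployment the allowlist would be built from the host's own baseline, and the published IoCs and YARA rules would be layered on top of behavioural rules like these rather than replacing them.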

From bleepingcomputer.com (3 min read)