A New Threat Group Emerges with a Sophisticated Toolset
A threat actor designated UNC6692 has been identified deploying a brand-new, purpose-built malware suite known as "Snow", according to researchers at Google's Mandiant. The campaign blends social engineering with a multi-component malware framework to achieve deep network infiltration, credential harvesting, and ultimately domain takeover.
The Snow toolkit comprises several distinct components: a malicious browser extension, a tunneling utility, and a backdoor. Together, these tools give the attacker persistent, stealthy access to compromised environments while routing communications through obfuscated channels.
How the Attack Begins: Email Bombing and Teams Impersonation
The initial stage of the attack relies on email bombing — flooding a target's inbox with large volumes of messages to create a sense of urgency and confusion. Once the victim is overwhelmed, the attacker contacts them directly through Microsoft Teams, posing as an IT helpdesk agent offering to resolve the email problem.
This tactic mirrors a broader trend highlighted in a recent Microsoft report, which noted the growing abuse of Teams in helpdesk impersonation schemes. Attackers typically attempt to convince victims to grant remote access via tools like Quick Assist or similar remote access utilities.
In UNC6692's case, the victim is directed to click a link that supposedly installs a patch to stop the email spam. In reality, clicking the link delivers a dropper that executes AutoHotkey scripts, which in turn load the first component of the Snow suite: SnowBelt, a malicious Chrome browser extension.
SnowBelt: The Persistence and Relay Layer
Once installed, SnowBelt operates silently within a headless Microsoft Edge instance, meaning the victim sees no visible browser activity. To ensure it survives system reboots, the malware also creates scheduled tasks and places a shortcut in the startup folder as additional persistence mechanisms.
Beyond persistence, SnowBelt acts as a relay, forwarding commands from the operator to a Python-based backdoor called SnowBasin. This layered architecture makes detection and attribution more difficult by separating the command-delivery mechanism from the execution engine.
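An added detection example, not code from the article or the Mandiant report: a triage pass over constructed process-creation events that flags the behaviours described above for SnowBelt, a Chromium-based browser launched headless with a side-loaded extension, an AutoHotkey interpreter being run, and execution out of the per-user Startup folder. The event format, file paths and the use of Chromium's `--headless` and `--load-extension` switches to load the extension are assumptions; the page does not say how SnowBelt is loaded.

```python
from __future__ import annotations
import re

# Constructed sample process-creation events (image, command line, parent),
# modelled on a Sysmon/EDR process-start record; paths are placeholders,
# not indicators from the Mandiant report.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --headless=new --load-extension="C:\Users\jdoe\AppData\Local\ext" about:blank',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" https://intranet.example.test',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe",
     "cmdline": r'"AutoHotkey.exe" "C:\Users\jdoe\AppData\Local\Temp\fix_mail.ahk"',
     "parent": r"C:\Users\jdoe\Downloads\patch.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edge.lnk"',
     "parent": r"C:\Windows\explorer.exe"},
]

BROWSERS = ("msedge.exe", "chrome.exe")
# Per-user Startup folder suffix, compared case-insensitively.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

def triage_event(ev: dict) -> list[str]:
    """Return the findings for one process-creation event (empty if benign)."""
    findings: list[str] = []
    image = ev["image"].lower()
    cmd = ev["cmdline"].lower()
    exe = image.rsplit("\\", 1)[-1]
    if exe in BROWSERS:
        # --headless (or --headless=new) and --load-extension are Chromium's
        # own switches; an interactive user rarely combines them.
        headless = re.search(r"--headless(=\w+)?\b", cmd) is not None
        sideload = "--load-extension=" in cmd
        if headless and sideload:
            findings.append("headless browser started with a side-loaded extension")
        elif headless:
            findings.append("headless browser launch (review parent process)")
    if "autohotkey" in exe or ".ahk" in cmd:
        findings.append("AutoHotkey interpreter executed")
    if STARTUP_DIR in cmd or STARTUP_DIR in image:
        findings.append("execution from the per-user Startup folder")
    return findings

def triage_events(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that produced at least one."""
    return {i: f for i, ev in enumerate(events) if (f := triage_event(ev))}
```

Correlating the headless-browser finding with a scheduled-task parent or a Startup-folder launch on the same host is what separates SnowBelt-style persistence from an administrator's one-off automation run.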
SnowGlaze: Masking C2 Communications
Communications between the infected host and the attacker's command-and-control (C2) infrastructure are concealed through a tunneling tool named SnowGlaze. This component establishes a WebSocket tunnel to mask traffic flows.
SnowGlaze also enables SOCKS proxy operations, allowing arbitrary TCP traffic to be routed through the compromised machine. This capability lets attackers blend their malicious traffic with legitimate network activity, complicating network-level detection efforts.
SnowBasin: The Backdoor at the Core
At the heart of the Snow suite is SnowBasin, a Python-based backdoor that runs a local HTTP server on the infected system. It receives and executes attacker-supplied CMD or PowerShell commands, relaying results back to the operator through the same WebSocket pipeline established by SnowGlaze.
SnowBasin's capabilities include:
- Remote shell access
- Data exfiltration
- File download and upload
- Screenshot capturing
- Basic file management operations
- A self-termination command to shut down the backdoor on demand
This last feature allows the operator to clean up traces of the backdoor remotely, reducing forensic evidence left behind after an operation concludes.
Post-Compromise Activity: Lateral Movement and Domain Takeover
After gaining an initial foothold, UNC6692 conducts internal reconnaissance, scanning for services such as SMB and RDP to identify additional targets within the network. Mandiant researchers found that the attackers then moved laterally using these discovered pathways.
Credential extraction forms a critical part of the post-compromise phase. The threat actor dumped LSASS memory to harvest credential material, then employed pass-the-hash techniques to authenticate to additional hosts across the environment. This progression eventually led the attackers to the organization's domain controllers.
Final Stage: Active Directory Exfiltration
At the culmination of the attack chain, UNC6692 deployed FTK Imager — a legitimate forensic tool — to extract the Active Directory database, along with the SYSTEM, SAM, and SECURITY registry hives. These files contain comprehensive credential data for all accounts within the domain.
The stolen data was then exfiltrated from the network using LimeWire, granting the attackers broad access to sensitive credential material across the entire domain. This final step effectively hands the attacker near-total control over the target organization's identity infrastructure.
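An added detection example for the credential-store extraction described above, not code from the article or the Mandiant report: a triage pass over constructed file- and device-open events that flags any non-allowlisted process reading the Active Directory database or the SYSTEM, SAM and SECURITY hives, whether at their live paths or through a volume shadow copy, and separately flags raw disk-handle opens, which is how a disk imaging tool reads those files beneath the file system without ever opening the path. The event format, paths and tool names are assumptions.

```python
from __future__ import annotations
import re

# Constructed sample file/device-open events (process image, opened path),
# loosely modelled on EDR file-access telemetry. The tool path is a
# placeholder, not an indicator from the Mandiant report.
SAMPLE_OPENS = [
    {"image": r"C:\Windows\System32\lsass.exe", "path": r"C:\Windows\NTDS\ntds.dit"},
    {"image": r"C:\Tools\imager\imager.exe", "path": r"\\.\PhysicalDrive0"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit"},
    {"image": r"C:\Windows\explorer.exe", "path": r"C:\Users\jdoe\notes.txt"},
    {"image": r"C:\Tools\backup.exe", "path": r"C:\Windows\System32\config\SYSTEM"},
]

# Processes expected to hold these files open on a domain controller. Tune to
# your backup agent; do not allowlist general-purpose admin or forensic tools.
ALLOWED_READERS = {"lsass.exe", "wbengine.exe"}
# The AD database and the three hives named in the article (lower-cased paths).
SENSITIVE = re.compile(r"\\(ntds\\ntds\.dit|system32\\config\\(sam|system|security))$")
# Raw volume/disk handles (\\.\PhysicalDriveN, \\.\C:) and VSS device paths.
RAW_DEVICE = re.compile(r"^\\\\[.?]\\(physicaldrive\d+|[a-z]:|globalroot\\device\\harddiskvolume)")

def classify_open(ev: dict) -> str | None:
    """Return a finding for one open event, or None when it looks benign."""
    exe = ev["image"].lower().rsplit("\\", 1)[-1]
    path = ev["path"].lower()
    if SENSITIVE.search(path):
        if exe in ALLOWED_READERS:
            return None
        name = path.rsplit("\\", 1)[-1]
        via_vss = "harddiskvolumeshadowcopy" in path
        return (f"{exe} read AD credential store {name}"
                + (" via a volume shadow copy" if via_vss else ""))
    if RAW_DEVICE.match(path) and exe not in ALLOWED_READERS:
        # Imaging tools read the disk beneath the file system, so a
        # file-path rule on ntds.dit alone would miss this access.
        return f"{exe} opened raw device {ev['path']} (bypasses file-level monitoring)"
    return None

def triage_opens(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, finding) for every event that is not benign."""
    out = []
    for i, ev in enumerate(events):
        finding = classify_open(ev)
        if finding:
            out.append((i, finding))
    return out
```

Raw-device opens by user-land processes are rare on a domain controller, so the second rule can be kept strict even where the file-path rule needs a site-specific allowlist.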
Detection Guidance
Google Mandiant's report on this campaign includes an extensive collection of indicators of compromise (IoCs) as well as YARA rules specifically designed to help security teams detect components of the Snow malware suite. Organizations are strongly encouraged to review these resources and apply them within their detection engineering workflows.
The campaign underscores the continued abuse of trusted collaboration platforms like Microsoft Teams as an initial access vector. Security awareness training should specifically address scenarios in which IT support staff contact employees unsolicited — particularly following unusual inbox activity like email flooding.
Source: BleepingComputer