A deep dive into the latest social engineering tactics where threat actors use 'email bombing' and Microsoft Teams impersonation to bypass corporate security and install the modular SNOW malware suite.
The cybersecurity landscape is witnessing a sophisticated evolution in social engineering, spearheaded by a threat cluster known as UNC6692. This group has moved beyond traditional phishing, instead leveraging the inherent trust of enterprise collaboration tools like Microsoft Teams to gain initial access to high-value corporate targets.
The intrusion lifecycle typically begins with an aggressive 'email bombing' campaign, flooding a target's inbox to create a sense of urgency and technical distress. Capitalizing on this chaos, the attacker reaches out via Microsoft Teams, posing as an authorized IT help desk representative. By offering a fake solution to the spam problem, they trick the victim into visiting a phishing page titled 'Mailbox Repair and Sync Utility.' This page serves as the gateway for an AutoHotkey script that initiates the deployment of the SNOW malware ecosystem.
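The email-bombing stage described above is the one point in this chain that leaves a clear, early signal in data most organisations already collect: a single mailbox suddenly receiving a burst of messages from many distinct senders. The following is an added detection example, not code from the original article or from Mandiant, that flags such a burst over mail-gateway logs and then correlates the affected user with a subsequent AutoHotkey launch in endpoint process events. All log lines are constructed samples; the `key=value` field layout, the threshold of six distinct senders in ten minutes, the two-hour look-ahead, and the assumption that the mailbox local-part equals the endpoint user name are all assumptions to be adapted to your own gateway and EDR exports.

```python
"""Email-bombing detector plus follow-up correlation with scripting-host launches.

Constructed sample data; field layouts and thresholds are assumptions, not the
format of any particular product."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed mail-gateway log: "<ISO timestamp> recipient=<addr> sender=<addr>"
MAIL_LOG = """\
2025-01-10T09:00:05 recipient=alice@corp.example sender=news1@promo.example
2025-01-10T09:00:12 recipient=alice@corp.example sender=signup2@shop.example
2025-01-10T09:00:20 recipient=bob@corp.example sender=it@corp.example
2025-01-10T09:00:31 recipient=alice@corp.example sender=welcome3@forum.example
2025-01-10T09:00:44 recipient=alice@corp.example sender=confirm4@news.example
2025-01-10T09:01:02 recipient=alice@corp.example sender=noreply5@site.example
2025-01-10T09:01:15 recipient=alice@corp.example sender=alerts6@mailer.example
2025-01-10T09:01:40 recipient=bob@corp.example sender=hr@corp.example
2025-01-10T09:01:58 recipient=alice@corp.example sender=hello7@list.example
"""

# Constructed EDR process-creation log: "<ISO timestamp> user=<name> process=<exe> parent=<exe>"
PROCESS_LOG = """\
2025-01-10T09:25:10 user=alice process=chrome.exe parent=explorer.exe
2025-01-10T09:27:44 user=alice process=AutoHotkey.exe parent=chrome.exe
2025-01-10T09:30:00 user=bob process=outlook.exe parent=explorer.exe
"""


def parse_kv_log(text):
    """Parse 'timestamp key=value ...' lines into dicts carrying a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def detect_email_bombing(mail_events, threshold=6, window=timedelta(minutes=10)):
    """Return {recipient: (window_start, distinct_sender_count)} for mailboxes that
    received messages from at least `threshold` distinct senders inside any sliding
    `window`. Counting distinct senders rather than raw messages filters out mail
    loops and misconfigured notifiers, which usually hammer from one address."""
    per_recipient = defaultdict(deque)  # recipient -> deque of (ts, sender)
    flagged = {}
    for ev in sorted(mail_events, key=lambda e: e["ts"]):
        q = per_recipient[ev["recipient"]]
        q.append((ev["ts"], ev["sender"]))
        while q and ev["ts"] - q[0][0] > window:  # drop events outside the window
            q.popleft()
        distinct = {sender for _, sender in q}
        if len(distinct) >= threshold and ev["recipient"] not in flagged:
            flagged[ev["recipient"]] = (q[0][0], len(distinct))
    return flagged


def correlate_followup(flagged, process_events, lookahead=timedelta(hours=2),
                       suspicious=("autohotkey.exe",)):
    """Pair each bombed mailbox with launches of a scripting host by the same user
    within `lookahead` of the burst. Assumes mailbox local-part == EDR user name."""
    hits = []
    for recipient, (start, _) in flagged.items():
        user = recipient.split("@")[0]
        for ev in process_events:
            if (ev["user"] == user
                    and ev["process"].lower() in suspicious
                    and start <= ev["ts"] <= start + lookahead):
                hits.append((user, ev["process"], ev["parent"], ev["ts"].isoformat()))
    return hits


def run_detection(mail_text=MAIL_LOG, process_text=PROCESS_LOG):
    """Run both stages over the given logs and return (flagged_mailboxes, correlated_hits)."""
    flagged = detect_email_bombing(parse_kv_log(mail_text))
    hits = correlate_followup(flagged, parse_kv_log(process_text))
    return flagged, hits


if __name__ == "__main__":
    flagged, hits = run_detection()
    for recipient, (start, n) in flagged.items():
        print(f"email bombing: {recipient} received {n} distinct senders from {start}")
    for user, proc, parent, ts in hits:
        print(f"follow-up: {user} launched {proc} (parent {parent}) at {ts}")
```

On the sample data only `alice@corp.example` crosses the threshold (six distinct senders within the first 70 seconds), and her later `AutoHotkey.exe` launch from a browser parent lands inside the look-ahead window, so that pairing is reported while `bob` stays quiet. In practice the first stage alone is worth an analyst ticket, because it fires before the Teams contact that the article describes and gives the help desk a chance to warn the user that any unsolicited "fix" offered over Teams is the attack, not the remedy.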
Technically, the SNOW suite is highly modular and designed for stealth. It primarily consists of three components:
1. **SNOWBELT:** A malicious Chromium-based extension that acts as a JavaScript backdoor.
2. **SNOWGLAZE:** A Python-based utility that establishes secure WebSocket tunnels, allowing attackers to bypass network filters.
3. **SNOWBASIN:** A persistent backdoor used for executing remote commands, capturing screenshots, and facilitating lateral movement.
Mandiant’s analysis reveals that UNC6692 doesn't stop at initial infection. They frequently move laterally to domain controllers using 'Pass-The-Hash' techniques and exfiltrate sensitive data, such as Active Directory databases, using tools like FTK Imager. This campaign highlights a critical shift: attackers are increasingly abusing legitimate cloud services (like AWS S3) and collaboration platforms to blend in with normal enterprise traffic, making detection significantly harder for traditional security sandboxes.
TAGS:
#Cybersecurity
#Microsoft Teams
#Social Engineering