A newly discovered cyber threat group, identified as UNC6692, is leveraging Microsoft Teams to distribute a complex malware suite known as SNOW. This campaign predominantly employs social engineering tactics, posing significant risks due to its deceptive nature.
Social Engineering and Impersonation Tactics
UNC6692’s operation centers on impersonating IT helpdesk personnel, taking advantage of victims’ trust in well-known collaboration platforms. The attack initiates with a barrage of spam emails designed to create confusion and urgency among recipients. Once the target is overwhelmed, the attackers masquerade as IT support via Microsoft Teams, pretending to resolve the issue they orchestrated.
Cybersecurity analysts at ExtraHOP have detailed this multi-step strategy in a report shared with Cyber Security News. The scheme involves sending a fraudulent Teams invitation, under the guise of IT support, instructing victims to download a patch purportedly to stop the spam influx. This download is a renamed AutoHotkey binary paired with a script, marking the first phase of the SNOW malware deployment.
Components of the SNOW Malware Suite
The SNOW malware toolkit is modular, designed for sustained malicious activity. It includes a harmful browser extension, a tunneling tool built on Python, and a lightweight local backdoor, each playing a role in extending the attacker’s foothold in the network. This setup allows UNC6692 to operate stealthily, avoiding detection while infiltrating deeper into the system.
Once embedded, UNC6692 meticulously navigates through compromised systems, gathering credentials and exploring internal networks. This patient approach enables them to expand their access without triggering security alarms.
Detection and Prevention Strategies
The impersonation strategy is effective due to its mimicry of legitimate corporate support interactions. Many users unwittingly accept external Teams chat requests, especially when they promise to resolve existing issues. Victims are directed to a phishing page masquerading as a mailbox repair utility, which repeatedly asks for login credentials under the pretense of verification.
Security teams are advised to scrutinize unusual browser extension installations and scheduled tasks that launch Microsoft Edge in a hidden mode. It is also vital to monitor unexpected outbound connections to unfamiliar endpoints.
Organizations should restrict external chat permissions on Microsoft Teams to only approved contacts and train staff to handle unsolicited helpdesk communication with caution. Additionally, blocking unapproved file sharing and enforcing verification protocols for remote assistance can significantly reduce exposure to such threats.
Conclusion and Future Outlook
This campaign by UNC6692 demonstrates a preference for patience and deception over brute force, transforming everyday workplace behaviors into opportunities for deep network compromise. By adopting proactive defense measures and enhancing employee awareness, organizations can better safeguard against this sophisticated form of cyber intrusion.
Security professionals are encouraged to integrate live threat feeds from reliable sources to prevent critical incidents and financial losses. Staying informed is crucial to maintaining robust cybersecurity defenses.
