"email bombing"
That brief, quoted phrase—attributed to Google’s Mandiant researchers—summarizes the opening move in a recent intrusion campaign that combined blunt social pressure with a multi-component, bespoke malware suite. The threat group tracked as UNC6692 used staged urgency delivered over email and Microsoft Teams to trick targets into installing what they were told was an anti‑spam patch. Instead, victims received a dropper that unspooled a toolset the researchers labeled “Snow,” enabling prolonged access, credential theft, and ultimately domain compromise.
UNC6692’s Microsoft Teams social-engineering vector
According to Mandiant, UNC6692 began by creating urgency through what researchers called “email bombing,” then followed up directly via Microsoft Teams while posing as IT helpdesk agents. Targets were prompted to click a link to “install a patch” to block incoming spam. The link delivered a dropper that executed AutoHotkey scripts, which in turn loaded a malicious Chrome extension named SnowBelt.
The campaign reflects a broader trend Microsoft has highlighted: threat actors increasingly use collaboration tools and remote‑assistance workflows—Quick Assist and similar utilities—to pressure users into granting access. In this case, the execution path was silent to the end user; SnowBelt operated against a headless Microsoft Edge instance so victims typically did not notice visible browser activity.
The Snow toolset: SnowBelt, SnowGlaze, SnowBasin
The Snow suite comprises three tightly coupled components. SnowBelt is a Chrome extension used both for persistence and as a relay for operator commands. The dropper created scheduled tasks and a startup folder shortcut to maintain persistence while SnowBelt handled command relaying.
SnowGlaze is a tunneler that establishes a WebSocket tunnel between the infected host and operator infrastructure. That same tunneler can be used as a SOCKS proxy, allowing arbitrary TCP traffic to be routed through the compromised machine—masking direct connections between operator and C2 servers.
SnowBasin is a Python‑based backdoor that runs a local HTTP server on the host and executes attacker‑supplied CMD or PowerShell commands. Mandiant reports SnowBasin supports remote shell access, file download, screenshot capture, basic file management, and data exfiltration. Commands and responses flow through the WebSocket/SOCKS pipeline; the operator also retains the option to issue a self‑termination command to remove the backdoor from the host.
Lateral movement, credential theft, and domain takeover
Mandiant observed UNC6692 conducting internal reconnaissance after initial compromise—scanning for services such as SMB and RDP to identify additional targets and then moving laterally across the network. The actors dumped LSASS memory to extract credential material and used pass‑the‑hash techniques to authenticate to other hosts. This chain of actions allowed them to reach domain controllers.
At the apparent culmination of the intrusion, the group deployed FTK Imager to capture the Active Directory database and the SYSTEM, SAM, and SECURITY registry hives. Those files were then exfiltrated using LimeWire, giving the attackers broad access to sensitive credential data across the domain.
Indicators, detection guidance, and what this means for technologists, affected enterprises, and end users
Mandiant’s report includes extensive indicators of compromise (IoCs) and YARA rules intended to detect components of the Snow toolset and its activity. For technologists and security teams: monitor for AutoHotkey droppers, the presence of scheduled tasks and unexpected startup shortcuts, headless browser instances running browser extensions, WebSocket and SOCKS tunneling behavior, LSASS memory dumps, and artifacts from FTK Imager and LimeWire traffic.
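A defender-side triage script for the indicators listed above, added here as an example and not taken from Mandiant's report or its YARA rules: it runs a few heuristic rules over constructed process-creation records and reports which ones fire. The Sysmon-like field names, the sample paths, and the idea that the extension is loaded with Edge's --load-extension switch are assumptions; the article does not say how SnowBelt is loaded.

```python
# Added hunt-style example, not Mandiant's YARA rules or IoCs. Field names,
# sample paths and the --load-extension detail are assumptions; records are
# shaped loosely like Sysmon Event ID 1 (process creation).
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):
    image: str         # full path of the new process
    command_line: str
    parent: str        # full path of the parent process

def _is(e, name): return e.image.lower().endswith(name)  # image-name check

# (rule name, predicate); each one encodes one indicator from the article
RULES = [
    # AutoHotkey interpreter running out of a user-writable directory
    ("autohotkey_from_user_path", lambda e: _is(e, "autohotkey.exe")
        and re.search(r"\\(appdata|temp)\\", e.image, re.I) is not None),
    # persistence: schtasks /create spawned by a scripting host
    ("scheduled_task_created_by_script", lambda e: _is(e, "schtasks.exe")
        and "/create" in e.command_line.lower()
        and re.search(r"(autohotkey|wscript|cscript|powershell)\.exe$", e.parent, re.I) is not None),
    # headless Edge started with an unpacked extension (assumed loading method)
    ("headless_edge_with_extension", lambda e: _is(e, "msedge.exe")
        and "--headless" in e.command_line.lower()
        and "--load-extension" in e.command_line.lower()),
    # imaging tool the report says was used to copy the AD database and hives
    ("ftk_imager_execution", lambda e: "ftk imager" in e.image.lower()),
]

def hunt(events):
    """Return (rule_name, image) for every matching event, in event order."""
    return [(n, e.image) for e in events for n, pred in RULES if pred(e)]

T = r"C:\Users\alice\AppData\Local\Temp"  # constructed sample telemetry below
SAMPLE_EVENTS = [  # four suspicious launches and one benign browser launch
    ProcEvent(T + r"\AutoHotkey.exe", "AutoHotkey.exe " + T + r"\patch.ahk",
              r"C:\Users\alice\Downloads\antispam_patch.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              "schtasks.exe /create /tn Updater /sc onlogon /tr " + T + r"\run.ahk",
              T + r"\AutoHotkey.exe"),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"msedge.exe --headless --load-extension=C:\Users\alice\AppData\Local\ext",
              T + r"\AutoHotkey.exe"),
    ProcEvent(r"C:\Program Files\AccessData\FTK Imager\FTK Imager.exe",
              "FTK Imager.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "msedge.exe https://intranet.example", r"C:\Windows\explorer.exe"),
]
if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

In a real deployment the rules would be fed from an EDR or Sysmon export rather than the inline list, and the headless-Edge rule in particular needs tuning against legitimate automation in the environment.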
For affected enterprises and procurement leaders: review policies and controls governing collaboration tools and remote‑assistance workflows—Microsoft has noted actors exploit those channels—and ensure monitoring covers lateral‑movement techniques (SMB/RDP scanning, pass‑the‑hash authentication attempts) and exfiltration channels that may be tunneled through seemingly legitimate hosts.
For end users and the general public: be skeptical of urgent messages on Teams or other collaboration platforms that press you to click links or accept remote‑assistance offers claiming to fix spam or other operational issues. In the UNC6692 campaign, that click delivered automation scripts and a browser extension that ran silently on a headless browser instance.
UNC6692’s campaign is notable not because it invented a new class of malware, but because it combined a layered social‑engineering approach with a modular toolset that masks operator communications, facilitates proxying of arbitrary traffic, and ultimately enabled credential harvesting and domain compromise. Mandiant’s IoCs and YARA rules are the starting point the report provides to detect Snow; the intrusion chain—from “email bombing” to LimeWire exfiltration of Active Directory and registry hives—offers a detailed playbook for defenders to map observable artifacts to attacker steps.
Original reporting: https://www.bleepingcomputer.com/news/security/threat-actor-uses-microsoft-teams-to-deploy-new-snow-malware/