Hackers Deploy New Snow Custom Malware Suite via Microsoft Teams
A cyber threat group known as UNC6692 has been identified using social engineering tactics to distribute a new and sophisticated malware suite called “Snow.” This suite includes a browser extension, a tunneler, and a backdoor, all designed to infiltrate networks and steal sensitive data through methods such as credential theft and domain takeovers.
According to researchers from Google’s Mandiant, the attackers employ a tactic known as “email bombing” to create a sense of urgency. They then reach out to their targets via Microsoft Teams, posing as IT helpdesk agents to deceive users.
A recent report from Microsoft has shed light on the increasing popularity of this cybercrime tactic. By tricking users into granting remote access, attackers can gain control over a victim’s system using tools like Quick Assist.
UNC6692’s modus operandi involves prompting victims to click on a link under the guise of installing a patch to block email spam. However, the link actually downloads a dropper that installs a malicious Chrome extension known as “SnowBelt.”
Figure: Malicious page used in the attacks (Source: Google)
The Chrome extension operates discreetly on a headless Microsoft Edge instance, ensuring that the victim remains unaware of its presence. Additionally, the malware establishes persistence through scheduled tasks and a startup folder shortcut.
SnowBelt serves as both a persistence mechanism and a relay for commands sent by the attacker to a Python-based backdoor named SnowBasin. Communication between the infected host and the command-and-control infrastructure is masked using a tunneler tool called SnowGlaze.
SnowGlaze not only masks communications but also facilitates SOCKS proxy operations, enabling the routing of arbitrary TCP traffic through the infected host.
SnowBasin, for its part, runs a local HTTP server and executes the CMD or PowerShell commands the attacker supplies. The results are relayed back through the same communication pipeline.
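The persistence pattern described above (a hidden browser instance carrying a sideloaded extension, kept alive by a scheduled task and a startup-folder shortcut) is something a responder can hunt for in the launch strings those artifacts record. The following triage helper is an added example, not code from Google, Mandiant or the report: it scores constructed scheduled-task and shortcut command lines against that pattern. The Chromium switch names `--headless` and `--load-extension` are an assumption about how such an instance would be started; the page does not publish the real SnowBelt launch string, and every path below is made up.

```python
"""Triage helper (added example, not Mandiant's code) for persistence artifacts:
flag scheduled-task actions and startup-folder shortcut targets that launch a
Chromium browser headless with an unpacked extension, or a Python interpreter
from a user-writable location. Sample data below is constructed."""
import re

BROWSERS = {"msedge.exe", "chrome.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}
# Assumed Chromium switches: a hidden window plus an extension loaded from disk.
HEADLESS = re.compile(r"^--headless(?:=\w+)?$", re.IGNORECASE)
LOAD_EXT = re.compile(r"^--load-extension=(.+)$", re.IGNORECASE)
# Locations an ordinary user can write to; legitimate services rarely start from here.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace while keeping quoted paths whole."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_launch(cmdline: str) -> list[str]:
    """Return the reasons a launch string resembles the Snow persistence pattern (empty if none)."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    exe, args = image_name(tokens[0]), tokens[1:]
    reasons = []
    if exe in BROWSERS:
        ext = next((m.group(1) for a in args if (m := LOAD_EXT.match(a))), None)
        headless = any(HEADLESS.match(a) for a in args)
        if ext:
            reasons.append(f"{exe} sideloads an unpacked extension from {ext}")
        if ext and headless:
            reasons.append(f"{exe} runs headless, so the extension has no visible window")
    if exe in INTERPRETERS and args and USER_WRITABLE.search(args[0]):
        reasons.append(f"{exe} runs a script from a user-writable path: {args[0]}")
    return reasons


def triage(artifacts: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each flagged artifact name to its reasons; clean artifacts are omitted."""
    return {name: r for name, cmd in artifacts if (r := classify_launch(cmd))}


# Constructed samples: two benign entries, one headless-browser task, one interpreter shortcut.
SAMPLE_ARTIFACTS = [
    ("task:EdgeUpdate", r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'),
    ("startup:Chrome.lnk", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    ("task:UpdateCheck", r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
                         r'--load-extension="C:\Users\jdoe\AppData\Roaming\update\ext" --no-first-run'),
    ("startup:sync.lnk", r'"C:\Users\jdoe\AppData\Local\Programs\Python\pythonw.exe" '
                         r'"C:\Users\jdoe\AppData\Roaming\update\agent.py"'),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ARTIFACTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host the artifact list would come from `schtasks /query /xml` output and the `.lnk` targets in both the per-user and all-users Startup folders; the classifier is deliberately narrow so that ordinary Edge and Chrome autostarts produce no noise.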
The malware’s functionalities include remote shell access, data exfiltration, file downloads, screenshot capturing, and basic file management operations. The attacker can also issue a self-termination command to shut down the backdoor on the host.
Figure: SnowBasin capabilities (Source: Google)
Post-compromise, Mandiant discovered that the attackers conducted internal reconnaissance by scanning for vulnerable services like SMB and RDP to identify potential targets. They then moved laterally within the network.
By dumping LSASS memory to extract credential material and using pass-the-hash techniques, the attackers escalated their privileges to access additional hosts, ultimately reaching domain controllers.
During the final phase of the attack, the threat actors utilized FTK Imager to extract sensitive data such as the Active Directory database, SYSTEM, SAM, and SECURITY registry hives. This information was exfiltrated using LimeWire, granting the attackers access to crucial credential data across the domain.
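The post-compromise chain above (credential material read out of LSASS, pass-the-hash logons to further hosts, and a forensic imaging tool run on a domain controller) leaves artifacts in standard Windows telemetry. The detection sketch below is an added example, not Google's or Mandiant's code: it runs three heuristics over constructed events laid out in a flattened Sysmon / Security-log shape. Field names follow the real logs (Sysmon EventID 10 `GrantedAccess`, Security 4624 `LogonType` / `AuthenticationPackageName` / `KeyLength`), but the process allowlist, the `KeyLength 0` and `seclogo` pass-the-hash indicators, and the `FTK Imager.exe` binary name are assumptions to be tuned per environment.

```python
"""Detection sketch (added example, not Mandiant's code) for the lateral-movement
steps in the report: LSASS memory access, pass-the-hash logons and an imaging
tool on a domain controller. Events below are constructed samples."""
from dataclasses import dataclass

# Sysmon EventID 10 access-mask bits that let a process read LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF
# Processes that legitimately open LSASS (assumed baseline; extend per environment).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def lsass_access(ev: dict):
    """Non-allowlisted process opened lsass.exe with a mask that permits memory reads."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    src = ev["SourceImage"]
    if src.lower() in LSASS_ALLOWLIST:
        return None
    mask = int(ev["GrantedAccess"], 16)
    if mask & PROCESS_VM_READ or mask == PROCESS_ALL_ACCESS:
        return Finding("lsass_memory_access", ev["Computer"], f"{src} opened lsass.exe with 0x{mask:X}")
    return None


def pass_the_hash(ev: dict):
    """Pass-the-hash indicators on Security 4624; machine accounts are skipped (noise)."""
    if ev.get("EventID") != 4624:
        return None
    user = ev.get("TargetUserName", "")
    if user.endswith("$"):
        return None
    # Target-side artifact: NTLM network logon negotiated without a session key.
    if ev.get("LogonType") == 3 and ev.get("AuthenticationPackageName") == "NTLM" and ev.get("KeyLength") == 0:
        return Finding("pass_the_hash", ev["Computer"],
                       f"NTLM network logon as {user} from {ev.get('IpAddress')} with KeyLength 0")
    # Source-side artifact: NewCredentials logon created through the seclogo logon process.
    if ev.get("LogonType") == 9 and ev.get("LogonProcessName") == "seclogo":
        return Finding("pass_the_hash", ev["Computer"], f"NewCredentials logon as {user} via seclogo")
    return None


def imaging_tool(ev: dict):
    """Forensic imaging tool started on a host (Sysmon EventID 1); product name assumed."""
    if ev.get("EventID") == 1 and "ftk imager" in ev.get("Image", "").lower():
        return Finding("forensic_imager_on_endpoint", ev["Computer"],
                       f"{ev['Image']} launched by {ev.get('User')}")
    return None


RULES = (lsass_access, pass_the_hash, imaging_tool)


def detect(events: list[dict]) -> list[Finding]:
    return [f for ev in events for rule in RULES if (f := rule(ev))]


# Constructed sample events: benign LSASS access, a dumper, Kerberos and NTLM logons, and process starts.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Computer": "WS01", "EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Computer": "FS01", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.21", "KeyLength": 0},
    {"Computer": "DC01", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.21", "KeyLength": 0},
    {"Computer": "WS01", "EventID": 4624, "LogonType": 9, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "TargetUserName": "svc_backup", "IpAddress": "::1", "KeyLength": 0},
    {"Computer": "DC01", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "WS02$", "IpAddress": "10.0.0.22", "KeyLength": 128},
    {"Computer": "DC01", "EventID": 1, "Image": r"C:\Users\svc_backup\Downloads\FTK Imager\FTK Imager.exe",
     "User": r"CORP\svc_backup"},
    {"Computer": "DC01", "EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe", "User": r"CORP\admin"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Each rule returns a finding rather than a verdict: NTLM network logons and LSASS handles from security software both occur legitimately, so the value of the output is in correlating the same account appearing in a pass-the-hash finding on one host shortly after an LSASS finding on another, which is exactly the sequence the report describes.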
Figure: Attack lifecycle (Source: Google)
The report also provides a comprehensive list of indicators of compromise (IoCs) and YARA rules to aid in the detection of the “Snow” malware toolset.