
Undercover: IT Support Turned Cyber Threat in Microsoft Teams Attack


A previously uncategorized threat cluster, tracked by Mandiant as UNC6692, has been observed using social engineering over Microsoft Teams to deliver a custom malware suite to victims' devices.

According to Mandiant's report, UNC6692 impersonates IT help desk staff to get victims to accept a Microsoft Teams chat invitation from an external account, under the pretext of helping with a spam email problem.

The group has been linked to email bombing: targets' inboxes are flooded with spam, then the attackers contact them over Microsoft Teams offering to fix it. The access gained is used for data theft, ransomware deployment, and extortion.

One approach is to talk victims into installing a remote access tool such as Quick Assist or Supremo Remote Desktop, then use that session to deliver further malware.

ReliaQuest reports that UNC6692 increasingly targets senior-level employees, a shift toward high-value individuals within organizations.

Unlike the remote-tool approach seen with similar groups, UNC6692 also instructs victims to click a link in the Teams chat, which downloads a malicious AutoHotkey script from an attacker-controlled AWS S3 bucket.

The script performs reconnaissance and installs a malicious browser extension, SNOWBELT, into Microsoft Edge, giving the attackers a persistent backdoor.
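The endpoint side of that chain (a remote access tool followed by an interpreter, an AutoHotkey script run from a download directory, an extension sideloaded into Edge) is visible in process-creation telemetry. The following detection logic is an added example, not code from Mandiant, ReliaQuest or the article; the event records are constructed to resemble Sysmon Event ID 1 fields, and the process names, path patterns and 15-minute correlation window are this example's assumptions.

```python
"""Flag the UNC6692-style endpoint chain in process-creation telemetry.

Added example, not code from the Mandiant or ReliaQuest reporting. The event
records below are constructed to resemble Sysmon Event ID 1 fields; process
names, path patterns and the 15-minute window are this example's assumptions.
"""
import re
from datetime import datetime, timedelta

# Interpreters an operator would drive through a remote-access session.
INTERP_RE = re.compile(r"(?:autohotkey\w*|powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$", re.I)
AHK_RE = re.compile(r"autohotkey\w*\.exe$", re.I)
# Remote-access tools named in the reporting (Quick Assist, Supremo).
RAT_RE = re.compile(r"(?:quickassist|supremo)\.exe$", re.I)
# User-writable staging directories a social-engineered victim downloads into.
STAGING_RE = re.compile(r"\\(?:downloads|temp)\\", re.I)
RAT_WINDOW = timedelta(minutes=15)  # assumption: correlation window after a RAT starts

# Constructed sample telemetry (not real logs). Includes one benign AutoHotkey
# use from an admin tools folder and one cmd.exe far outside the RAT window.
EVENTS = [
    {"ts": "2025-01-10T09:00:05", "image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "cmdline": "ms-teams.exe"},
    {"ts": "2025-01-10T09:01:00", "image": r"C:\Users\jdoe\Downloads\Supremo.exe",
     "cmdline": "Supremo.exe"},
    {"ts": "2025-01-10T09:02:10", "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe https://example-bucket.s3.amazonaws.com/support.html"},
    {"ts": "2025-01-10T09:03:30", "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\jdoe\Downloads\helpdesk_fix.ahk"},
    {"ts": "2025-01-10T09:04:00", "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe --load-extension=C:\Users\jdoe\AppData\Local\Temp\ext"},
    {"ts": "2025-01-10T11:00:00", "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Tools\macro.ahk"},
    {"ts": "2025-01-10T11:30:00", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\cleanup.bat"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def analyze(events):
    """Return (rule, timestamp, detail) tuples for events matching the chain."""
    alerts, rat_starts = [], []
    for e in sorted(events, key=_ts):
        image, cmdline = e["image"], e["cmdline"]
        if RAT_RE.search(image):
            rat_starts.append(e)  # remember RAT launches for later correlation
        # Rule 1: AutoHotkey interpreter running a script out of a download/temp path.
        if AHK_RE.search(image) and STAGING_RE.search(cmdline):
            alerts.append(("ahk_script_from_staging_dir", e["ts"], cmdline))
        # Rule 2: Edge started with an unpacked extension loaded from the command line.
        if image.lower().endswith("msedge.exe") and "--load-extension=" in cmdline.lower():
            alerts.append(("edge_sideloaded_extension", e["ts"], cmdline))
        # Rule 3: any interpreter from a staging path within RAT_WINDOW of a RAT start.
        if INTERP_RE.search(image) and STAGING_RE.search(cmdline):
            for rat in rat_starts:
                if timedelta(0) <= _ts(e) - _ts(rat) <= RAT_WINDOW:
                    alerts.append(("interpreter_after_remote_access_tool", e["ts"],
                                   f"{rat['image']} -> {image}"))
                    break
    return alerts


if __name__ == "__main__":
    for rule, ts, detail in analyze(EVENTS):
        print(f"{ts} {rule}: {detail}")
```

Rule 3 is the one that generalises beyond AutoHotkey: any scripting host launched from a user-writable path shortly after Quick Assist or Supremo starts is worth a look, because a genuine help desk session rarely needs the user to run downloaded scripts. Tune the path list and window to your environment before relying on it.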

A gatekeeper script on the delivery page checks that the visitor is the intended target before serving the payload, so sandboxes and automated scanners that fetch the URL receive nothing useful.

The phishing page also asks the user to enter their mailbox credentials under the guise of authentication; the submitted credentials are harvested and exfiltrated to a second Amazon S3 bucket.


The SNOW malware ecosystem has several components: SNOWBELT, the browser-extension backdoor; SNOWGLAZE, which creates tunnels; and SNOWBASIN, which provides remote command execution and data exfiltration.
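Because the SNOW foothold is a browser extension rather than an executable, an endpoint inventory of Edge extensions by install provenance catches it where process-based detections may not. The script below is an added example, not Mandiant's SNOWBELT analysis or code from the article: it reads the `extensions.settings` map that Chromium-based browsers keep in a profile's `Preferences` and `Secure Preferences` JSON files and reports extensions that were not installed from the store. The sample profile is constructed, and the list of permissions treated as risky is this example's own judgement.

```python
"""Inventory Edge extensions by install provenance to surface sideloaded ones.

Added example, not the SNOWBELT analysis from the reporting. It parses the
extensions.settings map that Chromium-based browsers keep in a profile's
Preferences / Secure Preferences JSON; the sample profile below is constructed,
and the permission list treated as risky is this example's own judgement.
"""
import json
from pathlib import Path

# Chromium ManifestLocation values (extensions/common/manifest.h).
INTERNAL, UNPACKED, COMPONENT, COMMAND_LINE, EXTERNAL_COMPONENT = 1, 4, 5, 8, 10
RISKY = {"webRequest", "webRequestBlocking", "cookies", "nativeMessaging",
         "debugger", "tabs", "history", "<all_urls>", "*://*/*"}

# Constructed sample: one store-installed extension, one unpacked from a Temp directory.
SAMPLE_PREFS = {"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": True, "location": INTERNAL, "state": 1,
        "path": r"abcdefghijklmnopabcdefghijklmnop\1.2.3_0",
        "manifest": {"name": "Password Filler", "version": "1.2.3",
                     "permissions": ["storage"]}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "location": UNPACKED, "state": 1,
        "path": r"C:\Users\jdoe\AppData\Local\Temp\ext",
        "manifest": {"name": "Microsoft Support Helper", "version": "0.1",
                     "permissions": ["webRequest", "cookies", "tabs"],
                     "host_permissions": ["<all_urls>"]}},
}}}


def load_profile_prefs(profile_dir):
    """Merge extensions.settings from both preference files of a profile directory.

    On Windows the default Edge profile is normally under
    %LOCALAPPDATA%/Microsoft/Edge/User Data/Default (assumption of this example).
    """
    settings = {}
    for name in ("Preferences", "Secure Preferences"):
        p = Path(profile_dir) / name
        if p.is_file():
            data = json.loads(p.read_text(encoding="utf-8"))
            settings.update(data.get("extensions", {}).get("settings", {}))
    return {"extensions": {"settings": settings}}


def audit_extensions(prefs):
    """Return findings for extensions whose install provenance is not the store."""
    findings = []
    for ext_id, s in prefs.get("extensions", {}).get("settings", {}).items():
        loc = s.get("location")
        if loc in (COMPONENT, EXTERNAL_COMPONENT):
            continue  # browser built-ins, never store-installed
        manifest = s.get("manifest", {})
        reasons = []
        if loc in (UNPACKED, COMMAND_LINE):
            reasons.append(f"unpacked_location:{loc}")
        if not s.get("from_webstore", False):
            reasons.append("not_from_webstore")
        path = s.get("path", "")
        if ":" in path or path.startswith(("\\\\", "/")):
            reasons.append(f"absolute_path:{path}")  # store installs record a relative path
        if not reasons:
            continue
        # Only rank permissions once provenance is already suspicious; legitimate
        # store extensions ask for many of these too.
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        risky = sorted(perms & RISKY)
        if risky:
            reasons.append("risky_permissions:" + ",".join(risky))
        findings.append({"id": ext_id, "name": manifest.get("name"),
                         "state": s.get("state"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFS):
        print(f["id"], f["name"], f["reasons"])
```

Run it read-only across user profiles: `audit_extensions(load_profile_prefs(profile_dir))`. Do not edit `Secure Preferences` by hand; the browser protects it with a MAC and will discard tampered entries. Removal of an unwanted extension belongs in an `ExtensionInstallBlocklist` policy, which also prevents reinstallation.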

After the initial foothold, UNC6692 moves laterally, escalates privileges, and exfiltrates data, using techniques such as Pass-the-Hash alongside legitimate remote management tools.

Overall, the campaign combines social engineering, custom malware, and a malicious browser extension to exploit the trust users place in their IT department and in familiar enterprise software.

The group also uses legitimate cloud services for payload delivery and command-and-control, so its traffic blends in with ordinary use of those providers and slips past controls that rely on reputation alone.

Another cybersecurity company, Cato Networks, has also reported similar tactics involving help desk impersonation on Microsoft Teams to deploy a trojan called PhantomBackdoor via PowerShell scripts.

The trend underlines the need to lock down collaboration tools such as Microsoft Teams, restrict external access to known partner domains, and require out-of-band verification of anyone who claims to be IT support.

Microsoft has issued warnings about threat actors using Teams for cross-tenant communications to establish control and execute malicious activities, emphasizing the need for enhanced security measures.

Organizations should treat unsolicited help desk contact, especially following an unexplained burst of spam, as a social engineering signal, and keep their verification procedures and detection coverage current as these tactics evolve.
