DEV Community

Mark0
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite

Threat group UNC6692 has been identified executing a sophisticated multi-stage campaign that combines social engineering with a custom malware suite known as SNOW. The attack begins with email spam followed by impersonation of IT support on Microsoft Teams, leading victims to a malicious landing page hosted on AWS S3. This page employs a "double-entry" psychological trick to harvest credentials and ultimately delivers a renamed AutoHotKey binary to establish an initial foothold.

The SNOW ecosystem consists of three primary components: SNOWBELT (a malicious Chromium extension), SNOWGLAZE (a Python-based WebSocket tunneler), and SNOWBASIN (a Python bindshell). These tools work in tandem to bypass browser sandboxes, facilitate lateral movement, and establish persistent command-and-control. During the later stages of the intrusion, the attackers leveraged techniques such as LSASS memory dumping and Pass-The-Hash to escalate privileges and exfiltrate Active Directory databases (NTDS.dit) using tools like FTK Imager and LimeWire.

This campaign highlights an evolving "living off the cloud" strategy, where threat actors abuse legitimate cloud services like AWS and Heroku to mask malicious traffic. By blending into encrypted, reputable web traffic, UNC6692 successfully bypassed traditional network reputation filters. Defenders are encouraged to monitor for unauthorized browser extensions and unusual Python-based network activity to detect similar modular, cross-platform threats.
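The two monitoring recommendations above, auditing installed Chromium extensions against an allowlist and flagging Python interpreters that open outbound connections to unexpected destinations, can be turned into simple detection logic. The following is an added example written for this post, not code from the original article or the referenced report; every extension ID, hostname, process name and telemetry line in it is constructed, and the allowlists are placeholders an organisation would replace with its own. It keys on the process rather than the destination's reputation, which is the point of the "living off the cloud" observation: traffic to a legitimate cloud host looks clean to a reputation filter, but a Python interpreter on a workstation talking to it is still anomalous.

```python
"""Added example (not from the original post or the referenced report):
two small detection checks for the indicators the post recommends watching,
unauthorized browser extensions and unusual Python-based network activity.
All sample data below is constructed; the extension IDs, hostnames and
process names are placeholders, not indicators from the campaign."""
import json
from typing import Iterable

# Extension allowlist: Chrome Web Store style 32-character IDs the organisation
# has approved (constructed placeholders).
APPROVED_EXTENSIONS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
}

# Manifest permissions that let an extension observe or alter traffic across
# sites or drive the browser; an unapproved extension requesting these should
# raise a ticket rather than just a log line.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "debugger", "nativeMessaging", "<all_urls>",
}

# Constructed sample of what an endpoint agent might collect: extension ID -> manifest.
SAMPLE_INSTALLED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Approved password manager",
                                         "permissions": ["storage", "tabs"]},
    "cccccccccccccccccccccccccccccccc": {"name": "Helper Tool",
                                         "permissions": ["webRequest", "debugger"],
                                         "host_permissions": ["<all_urls>"]},
}


def audit_extensions(installed: dict) -> list:
    """installed maps extension ID -> parsed manifest.json.
    Returns one finding per extension not on the allowlist, listing the
    high-risk permissions it requests."""
    findings = []
    for ext_id, manifest in installed.items():
        if ext_id in APPROVED_EXTENSIONS:
            continue
        requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        findings.append({
            "extension_id": ext_id,
            "name": manifest.get("name", "?"),
            "risky_permissions": sorted(requested & HIGH_RISK_PERMISSIONS),
        })
    return findings


# Constructed sample of endpoint network telemetry, one JSON event per line.
SAMPLE_NET_EVENTS = """
{"host":"ws01","process":"chrome.exe","dest":"teams.microsoft.com","port":443}
{"host":"ws01","process":"python.exe","dest":"pypi.org","port":443}
{"host":"ws01","process":"python.exe","dest":"example-app.herokuapp.com","port":443}
{"host":"ws02","process":"pythonw.exe","dest":"10.0.0.25","port":4444}
""".strip()

# Destinations a Python interpreter is expected to contact on a workstation
# (package mirrors); anything else from a Python process is flagged.
EXPECTED_PYTHON_DESTS = {"pypi.org", "files.pythonhosted.org"}
PYTHON_PROCESSES = {"python.exe", "pythonw.exe", "python", "python3"}


def flag_python_network(events: Iterable[str]) -> list:
    """Parse JSON event lines and return those where a Python interpreter
    connects outbound to a destination outside the expected set."""
    flagged = []
    for line in events:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["process"].lower() in PYTHON_PROCESSES and ev["dest"] not in EXPECTED_PYTHON_DESTS:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_INSTALLED):
        print("unapproved extension:", f)
    for ev in flag_python_network(SAMPLE_NET_EVENTS.splitlines()):
        print("python network activity:", ev)
```

Both checks are deliberately allowlist-based: the extension audit does not try to recognise a particular malicious extension, and the network check does not depend on the destination being known-bad, so they still fire when the tooling is renamed or the command-and-control moves to another reputable cloud host.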
