UNC6692 Hackers Deploy SNOW Malware via Microsoft Teams Helpdesk Impersonation
Key Takeaways A new threat actor, UNC6692, is leveraging sophisticated social engineering tactics via Microsoft Teams. The group impersonates IT helpdesk personnel to trick users into installing a...
Key Takeaways
- A new threat actor, UNC6692, is leveraging sophisticated social engineering tactics via Microsoft Teams.
- The group impersonates IT helpdesk personnel to trick users into installing a custom malware suite known as SNOW.
- SNOW is a modular toolkit comprising a malicious browser extension, a Python-based tunneling tool, and a local HTTP backdoor designed for stealthy, persistent access.
- The attack chain involves an initial spam flood, followed by a targeted Teams message offering “help,” leading to credential theft and malware deployment.
- Organizations should focus on restricting external Teams communications, enhancing user training, and monitoring for unusual browser and network activity.
UNC6692 Deploys SNOW Malware Through Microsoft Teams Helpdesk Impersonation
A recently identified threat group, designated UNC6692, is actively exploiting Microsoft Teams to deploy a proprietary malware framework dubbed SNOW. This campaign predominantly relies on advanced social engineering, making it particularly insidious as it mimics routine IT support interactions, thereby increasing its likelihood of success against unsuspecting employees.
Table Of Content
The attackers initiate their operations by impersonating internal IT helpdesk staff. They capitalize on the inherent trust users place in familiar collaboration platforms like Microsoft Teams to manipulate victims into inadvertently granting them control over their systems. This method bypasses many traditional security measures by exploiting human vulnerability rather than technical flaws.
The Deceptive Attack Chain
The attack sequence typically commences with a deluge of spam emails targeting a victim’s inbox, creating a sense of urgency and disarray. Amidst this manufactured chaos, the same attacker then contacts the victim directly via Microsoft Teams, posing as a helpful IT support agent offering to resolve the very problem they instigated. This calculated, two-stage approach effectively builds credibility, leading users to believe they are engaging with a legitimate helper rather than an adversary.
Analysts at ExtraHOP said in a report, detailing the coordinated progression of this attack, from initial contact to comprehensive network compromise. Once a victim accepts the fraudulent Teams chat invitation, the attacker transmits a link, claiming it’s a critical patch to halt the spam. Clicking this link initiates the download of a renamed AutoHotkey binary and an accompanying script with an identical filename, both retrieved from an attacker-controlled cloud storage bucket.
This downloaded payload constitutes the initial stage of the SNOW malware ecosystem. SNOW is a sophisticated, modular toolkit engineered for post-breach activities, including a malicious browser extension, a Python-based tunneling utility, and a lightweight local backdoor. Each component plays a crucial role in maintaining persistence and facilitating covert operations long after the initial phishing attempt has faded from memory.
Upon establishing a foothold, UNC6692 proceeds with caution. The group meticulously navigates compromised environments, systematically harvesting credentials, mapping internal networks, and expanding their access without triggering immediate alarms. This patient reconnaissance phase precedes any overt actions that might alert security teams, underscoring the group’s methodical approach to infiltration and data exfiltration.
Exploiting Trust in Microsoft Teams
The effectiveness of UNC6692’s impersonation tactic stems from its uncanny resemblance to legitimate corporate support interactions. Following the initial spam barrage, the attacker sends a Microsoft Teams chat request from an external account, appearing as a benevolent colleague or support agent. Many users, particularly when facing an existing problem, are prone to accepting such external invitations without adequate scrutiny, especially when the message offers a solution to their immediate issue.
Victims are then directed to a phishing page, meticulously crafted to mimic a legitimate mailbox repair and synchronization utility. This page often features a professional interface and a prominent “health check” button. Activating this button triggers a series of login prompts, repeatedly requesting credentials under the guise of “verification.” This multi-stage credential harvesting technique not only captures sensitive authentication details but also enhances their perceived legitimacy, making it harder to detect the theft. The stolen credentials are then covertly transmitted to an attacker-controlled cloud location.
This credential theft serves as the gateway for subsequent malicious activities. Once the AutoHotkey script executes, it performs initial reconnaissance and installs SNOWBELT, a rogue browser extension. This installation is achieved by launching Microsoft Edge in a hidden, “headless” mode, utilizing command-line parameters that bypass standard installation checks and user prompts.
Inside the SNOW Malware Toolkit
The SNOW malware is not a monolithic application but rather a multi-layered framework designed for enduring persistence and stealth. SNOWBELT, the browser extension component, is engineered to operate within the browser environment and maintain its presence even after system restarts. Concurrently, a Python-based tunneling utility, known as SNOWGLAZE, facilitates SOCKS5-style traffic, routing command and control (C2) communications through the compromised host. This technique helps disguise malicious traffic by blending it with legitimate web activity.
Further enhancing the toolkit’s capabilities, a distinct local HTTP backdoor, SNOWBASIN, provides the attackers with a direct channel to issue commands and exfiltrate data. This direct access reduces reliance on external infrastructure that might be more easily detected. The SNOW toolkit also incorporates functionalities for capturing screenshots, exfiltrating files, and terminating sessions, granting the operators granular control over their operational footprint and duration of stealth.
A significant challenge in detecting this campaign lies in the fact that its traffic often leverages legitimate cloud services and standard Windows functionalities. This deliberate obfuscation can lead to it being overlooked by conventional network monitoring systems. Therefore, security teams must proactively monitor for anomalous browser extension installations, scheduled tasks that launch browsers in headless mode, and any unusual outbound connections to unfamiliar endpoints.
What You Should Do
- Restrict External Teams Communications: Limit Microsoft Teams chat permissions to approved contacts only. Disable external chat invitations by default or implement strict policies requiring approval before accepting communications from outside the organization.
- Enhance Employee Training: Conduct regular security awareness training emphasizing the dangers of social engineering, especially helpdesk impersonation. Employees should be trained to verify the identity of IT support personnel through established, secure channels before complying with any requests, particularly those involving software installations or credential inputs.
- Implement Multi-Factor Authentication (MFA): Enforce MFA across all corporate accounts, especially for Microsoft Teams and other collaboration platforms, to significantly reduce the impact of stolen credentials.
- Monitor for Unusual Browser Activity: Deploy endpoint detection and response (EDR) solutions to monitor for suspicious browser extension installations, unauthorized modifications to browser settings, and instances of browsers launching in headless mode or with unusual command-line arguments.
- Control File Sharing and Downloads: Restrict the use of unapproved file-sharing platforms and implement policies requiring verification and scanning of all downloaded executables or scripts, regardless of the source.
- Network Traffic Analysis: Monitor network traffic for unusual outbound connections, particularly those to cloud storage services or unfamiliar IP addresses that deviate from normal operational baselines.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.