SNOW Malware
A previously undocumented threat cluster, tracked as UNC6692, has been identified leveraging advanced social engineering techniques through Microsoft Teams to deploy a custom malware framework known as SNOW Malware. The attackers consistently impersonate IT help desk personnel, persuading targets to accept chat invitations originating from external accounts.
This deception is reinforced by a coordinated email bombing campaign, where victims are flooded with spam messages to create urgency and confusion. Shortly afterward, the attacker initiates contact via Teams, posing as IT support and offering assistance to resolve the fabricated issue. This dual-layered manipulation tactic significantly increases the likelihood of user compliance.
Legacy Tactics, Modern Impact
The operational pattern mirrors techniques historically associated with affiliates of Black Basta. Despite the group ceasing ransomware operations, its methods persist and remain effective. Security researchers have confirmed that this approach primarily targets executives and senior personnel, enabling initial network access that may lead to data exfiltration, lateral movement, ransomware deployment, and extortion. In observed cases, attacker-initiated chats occurred within seconds of each other, underscoring automation and coordination.
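The email-bomb-then-external-Teams-chat pairing described above is correlatable from ordinary mail-gateway and Teams audit telemetry. The following is an added detection example, not code from the report or from any vendor; the event format, the thresholds and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed telemetry (not from the report). One tuple per event:
# (timestamp, target_user, kind, sender, sender_is_external)
# kind is "mail" for an inbound message accepted by the gateway, or
# "teams_invite" for a new chat started with the user.
def make_events():
    base = datetime(2024, 5, 1, 9, 0, 0)
    ev = []
    # Executive hit by an email bomb: 60 messages in four minutes...
    for i in range(60):
        ev.append((base + timedelta(seconds=4 * i), "cfo@corp.example", "mail", "spam-%d" % i, False))
    # ...then, minutes later, a chat from an external tenant posing as the help desk.
    ev.append((base + timedelta(minutes=7), "cfo@corp.example", "teams_invite",
               "helpdesk@external.example", True))
    # Unaffected user: a few mails and a chat from an internal colleague.
    for i in range(5):
        ev.append((base + timedelta(minutes=i), "analyst@corp.example", "mail", "msg-%d" % i, False))
    ev.append((base + timedelta(minutes=6), "analyst@corp.example", "teams_invite",
               "peer@corp.example", False))
    return ev

def find_help_desk_lures(events, burst_min=25, burst_window=timedelta(minutes=10),
                         lookback=timedelta(minutes=30)):
    """Flag users who get an external Teams chat shortly after an inbound-mail burst.

    An alert fires when, within `lookback` before an external chat invite, the user
    received at least `burst_min` messages inside any `burst_window`-long span.
    """
    mails = {}
    for ts, user, kind, _, _ in events:
        if kind == "mail":
            mails.setdefault(user, []).append(ts)
    alerts = []
    for ts, user, kind, sender, external in events:
        if kind != "teams_invite" or not external:
            continue  # internal chats are normal help-desk traffic
        recent = sorted(t for t in mails.get(user, []) if ts - lookback <= t <= ts)
        for i, start in enumerate(recent):
            # Sliding window anchored on each message: count what follows within burst_window.
            n = sum(1 for t in recent[i:] if t - start <= burst_window)
            if n >= burst_min:
                alerts.append({"user": user, "invite_at": ts, "sender": sender, "mail_burst": n})
                break
    return alerts

if __name__ == "__main__":
    for a in find_help_desk_lures(make_events()):
        print(a)
```

Tune `burst_min` against your own gateway baseline; the value used here is an assumption, not a figure from the report.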
Deceptive Entry Point: The Fake Fix
Unlike traditional attacks relying solely on remote management tools such as Quick Assist or Supremo Remote Desktop, this campaign introduces a modified infection chain. Victims are directed to click a phishing link shared via Teams, presented as a 'Mailbox Repair and Sync Utility v2.1.5.'
The link triggers the download of a malicious AutoHotkey script hosted on an attacker-controlled cloud storage service. A gatekeeper mechanism ensures payload delivery only to intended targets, helping evade automated security analysis. Additionally, the script verifies browser usage and enforces the use of Microsoft Edge through persistent warnings, ensuring compatibility with subsequent malicious components.
SNOWBELT: The Silent Browser Backdoor
The initial script conducts reconnaissance before deploying SNOWBELT, a malicious Chromium-based browser extension. Installed via a headless Edge process using specific command-line parameters, SNOWBELT functions as a covert backdoor. It facilitates the download of additional payloads, including SNOWGLAZE, SNOWBASIN, further AutoHotkey scripts, and a compressed archive containing a portable Python environment.
Simultaneously, the phishing interface presents a 'Configuration Management Panel' with a 'Health Check' feature. This interface prompts users to input mailbox credentials under the guise of authentication, but instead captures and exfiltrates sensitive data to attacker-controlled infrastructure.
Modular Malware Ecosystem: SNOW Framework Breakdown
The SNOW malware suite operates as a coordinated, modular ecosystem designed for persistence, control, and stealth:
- SNOWBELT acts as a JavaScript-based command relay, receiving instructions from the attacker and forwarding them for execution.
- SNOWGLAZE functions as a Python-based tunneling utility, establishing a secure WebSocket connection between the compromised network and the attacker's Command-and-Control server.
- SNOWBASIN serves as a persistent backdoor, enabling remote command execution, file transfers, screenshot capture, and self-removal, while operating as a local HTTP server on multiple ports.
Post-Exploitation: Expanding Control and Extracting Data
Following initial compromise, the threat actor executes a series of actions to deepen access and extract valuable information:
- Network reconnaissance is conducted by scanning critical ports, followed by lateral movement using administrative tools and remote desktop sessions tunneled through compromised systems.
- Privilege escalation is achieved by extracting sensitive process memory, enabling credential harvesting and unauthorized access to higher-level systems.
- Advanced techniques such as Pass-the-Hash are used to compromise domain controllers, after which forensic tools are deployed to collect sensitive data, including directory databases, which are then exfiltrated using file transfer utilities.
Cloud Camouflage: Blending Malicious Traffic with Legitimate Services
A defining characteristic of this campaign is the strategic abuse of trusted cloud infrastructure. Malicious payloads, data exfiltration, and Command-and-Control communications are all routed through legitimate cloud platforms. This approach allows threat activity to blend seamlessly with normal enterprise traffic, effectively bypassing traditional security filters based on reputation or anomaly detection.
Evolving Threat Landscape: Trust as the Primary Target
The UNC6692 campaign highlights a significant evolution in cyberattack strategies, combining social engineering, trusted enterprise tools, and modular malware. By exploiting user trust in widely used platforms and services, attackers increase success rates while minimizing detection. The persistence of legacy tactics alongside innovative delivery mechanisms underscores a critical reality: effective attack strategies can endure long after their original operators disappear.