UNC6692 uses social engineering, in particular Microsoft Teams helpdesk impersonation, to deploy a custom malware suite called “Snow,” which combines a Chrome extension, a tunneler, and a Python backdoor to establish covert persistence and relay attacker commands. Once inside, the group dumps LSASS memory, moves laterally with pass-the-hash, and exfiltrates Active Directory data (using FTK Imager and LimeWire) to harvest credentials and take over the domain. #Snow #UNC6692
Keypoints
- UNC6692 uses “email bombing” and Teams-based helpdesk impersonation to pressure targets into installing a malicious patch.
- The Snow toolset is deployed via a dropper that runs AutoHotkey scripts and loads the SnowBelt Chrome extension into a headless Microsoft Edge instance (Edge is Chromium-based, so it runs Chrome extensions unchanged).
- SnowGlaze creates a WebSocket tunnel and SOCKS proxy to mask C2 communications and route arbitrary TCP traffic through infected hosts.
- SnowBasin runs a local HTTP server, executes attacker-supplied commands, supports remote shell and data exfiltration, and can capture screenshots and manage files.
- Post-compromise activity includes SMB/RDP scanning, LSASS memory dumps, pass-the-hash lateral movement, and exfiltration of AD data; Mandiant published IoCs and YARA rules to detect Snow.
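Two of the behaviours above leave distinctive process-creation telemetry: a headless Edge instance started with a side-loaded extension (the SnowBelt delivery step) and an LSASS memory dump (the credential-theft step). The hunt below is an added example for this page, not Mandiant's published rules or IoCs. The Chromium flags `--headless` and `--load-extension` are real flags, but their exact use by the Snow dropper is an assumption here; the event records are constructed, and the rundll32/comsvcs and procdump patterns are generic LSASS-dumping techniques rather than indicators from the report.

```python
"""Hunt process-creation events for two behaviours described in the Snow write-up:
(1) a headless Chromium-based browser (Edge) started with a side-loaded extension,
(2) an LSASS memory dump via rundll32/comsvcs.dll or procdump.

Field names mimic Sysmon Event ID 1; all sample events are constructed for this
example and are not real telemetry.
"""
import re

# (1) Headless browser + side-loaded extension. --headless may appear bare or as
# --headless=new; --load-extension takes "=path" or a separate argument.
BROWSER_RE = re.compile(r"\\(msedge|chrome)\.exe$", re.I)
HEADLESS_RE = re.compile(r"(^|\s)--headless(=\S+)?(\s|$)", re.I)
LOAD_EXT_RE = re.compile(r"(^|\s)--load-extension(=|\s)", re.I)

# (2) LSASS dumping. comsvcs.dll exports MiniDump (also callable by ordinal #24);
# the target PID on the command line cannot be tied to lsass.exe without a process
# table, so any comsvcs MiniDump call is flagged as the conservative choice.
COMSVCS_DUMP_RE = re.compile(r"comsvcs\.dll\s*,?\s*(MiniDump|#24)\b", re.I)
PROCDUMP_LSASS_RE = re.compile(r"procdump(64)?(\.exe)?\b.*\blsass(\.exe)?\b", re.I)

# Constructed sample events (assumed paths and arguments, not observed indicators).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\patch_installer.exe",
     "CommandLine": r'"msedge.exe" --headless=new --disable-gpu --load-extension="C:\Users\alice\AppData\Local\ext"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"msedge.exe" --profile-directory=Default https://intranet.example'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\lsass.dmp full"},
    {"Image": r"C:\Tools\procdump64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def classify(event):
    """Return the list of rule names a single process-creation event matches."""
    image = event["Image"]
    cmd = event["CommandLine"]
    hits = []
    if BROWSER_RE.search(image) and HEADLESS_RE.search(cmd) and LOAD_EXT_RE.search(cmd):
        hits.append("headless_browser_sideloaded_extension")
    if image.lower().endswith("\\rundll32.exe") and COMSVCS_DUMP_RE.search(cmd):
        hits.append("lsass_dump_comsvcs_minidump")
    if PROCDUMP_LSASS_RE.search(cmd):
        hits.append("lsass_dump_procdump")
    return hits


def hunt(events):
    """Run every rule over every event; one finding per (event, rule) pair.
    The parent image is carried along because a browser spawned by an installer
    in %TEMP% (rather than by explorer.exe) is what makes the first rule worth
    triaging rather than dismissing as a developer's headless test run."""
    return [
        {"rule": rule, "image": e["Image"], "parent": e["ParentImage"], "cmd": e["CommandLine"]}
        for e in events
        for rule in classify(e)
    ]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] parent={finding['parent']}\n    {finding['cmd']}")
```

The two browser events show why the rule needs all three conditions: a normal interactive Edge launch from explorer.exe is ignored, while a headless launch with `--load-extension` from an installer in %TEMP% is surfaced with its parent for triage. The comsvcs rule deliberately trades precision for recall, since the dumped PID on the command line only identifies LSASS once you correlate it against the process table.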