Google Threat Intelligence Group and Mandiant disclosed a multistage intrusion campaign by UNC6692 that combines persistent social engineering, abuse of AWS S3, and custom modular malware to steal credentials. The attackers used AutoHotkey stagers and a malicious Chromium extension (SNOWBELT) to deploy tools like Snowglaze and Snowbasin, extract LSASS memory via LimeWire, and move laterally with pass-the-hash. #UNC6692 #SNOWBELT
Keypoints
- UNC6692 uses coordinated email flooding and Microsoft Teams social engineering to trick targets into installing a malicious "patch."
- Attackers hosted payloads on an AWS S3 bucket and delivered a malicious Chromium extension named SNOWBELT to the victim browser.
- Deployed components include an AutoHotkey stager, Snowglaze (Python tunneler), Snowbasin (Python bindshell), and a portable Python runtime.
- The threat actor dumped LSASS memory via LimeWire and leveraged pass-the-hash to move laterally to the domain controller.
- Google and Mandiant published IOCs and YARA rules and urged defenders to monitor browser activity and cloud egress for early detection.
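The keypoints describe a chain (scripting stager in a user-writable path, payload fetched from AWS S3, a side-loaded Chromium extension, a portable Python runtime) that is visible in ordinary endpoint telemetry well before the LSASS dump and pass-the-hash stage. The following Python is an added example, not code from Google, Mandiant or the Dark Reading article, and it uses none of the published IOCs or YARA rules: it runs three heuristic rules over constructed Sysmon-style process-create and network-connect records. The record schema, the `--load-extension` flag as the side-loading path, the S3 hostname pattern, the bucket name and every file path are assumptions for illustration; the report does not say how SNOWBELT was installed or which bucket was used.

```python
"""Heuristic detections for the UNC6692-style chain over constructed telemetry.

Added example, not from the Google/Mandiant report. All log records, paths,
process names and the command-line flag checked below are assumptions.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample records, loosely modelled on Sysmon event 1 (process
# create) and event 3 (network connect). JSON-escaped backslashes survive the
# raw string and decode to single backslashes. Not real telemetry.
SAMPLE_LOG = r"""
{"event": "process", "pid": 4210, "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\AutoHotkey.exe", "cmdline": "AutoHotkey.exe patch.ahk", "parent": "C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe"}
{"event": "process", "pid": 4388, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe --load-extension=C:\\Users\\j.doe\\AppData\\Local\\Temp\\ext --restore-last-session", "parent": "C:\\Windows\\explorer.exe"}
{"event": "network", "pid": 4210, "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\AutoHotkey.exe", "dest_host": "updates-example.s3.amazonaws.com", "dest_port": 443}
{"event": "network", "pid": 4388, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.example.com", "dest_port": 443}
{"event": "process", "pid": 5102, "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\py\\python.exe", "cmdline": "python.exe tunnel.py", "parent": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\AutoHotkey.exe"}
{"event": "process", "pid": 6001, "image": "C:\\Program Files\\AutoHotkey\\v2\\AutoHotkey64.exe", "cmdline": "AutoHotkey64.exe C:\\Users\\j.doe\\Documents\\hotkeys.ahk", "parent": "C:\\Windows\\explorer.exe"}
"""

# Directories an unprivileged user can write to; a system-wide install of the
# same interpreter under Program Files deliberately does not match (record 6).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# Interpreters the campaign summary mentions (AutoHotkey stager, portable Python).
SCRIPT_RUNTIMES = {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe",
                   "python.exe", "pythonw.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Virtual-hosted and path-style S3 endpoints: bucket.s3.amazonaws.com,
# bucket.s3.<region>.amazonaws.com, legacy bucket.s3-<region>.amazonaws.com.
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(rec: dict) -> list[Alert]:
    alerts = []
    image, name = rec["image"], basename(rec["image"])
    # Rule 1: scripting runtime executing from a user-writable directory.
    if name in SCRIPT_RUNTIMES and USER_WRITABLE.match(image):
        alerts.append(Alert("script-runtime-user-path", rec["pid"],
                            f"{name} running from {image}"))
    # Rule 2: Chromium browser told to load an unpacked extension from disk
    # (one side-loading path; assumed here, not stated in the report).
    if name in BROWSERS:
        m = re.search(r"--load-extension=(\S+)", rec.get("cmdline", ""))
        if m:
            alerts.append(Alert("browser-sideloaded-extension", rec["pid"],
                                f"unpacked extension from {m.group(1)}"))
    return alerts


def check_network(rec: dict) -> list[Alert]:
    # Rule 3: S3 egress from something other than a browser. Allow-list backup
    # agents and the AWS CLI in production; this toy has no allow-list.
    name = basename(rec["image"])
    if S3_HOST.search(rec["dest_host"]) and name not in BROWSERS:
        return [Alert("s3-egress-non-browser", rec["pid"],
                      f"{name} -> {rec['dest_host']}:{rec['dest_port']}")]
    return []


def detect(log_text: str) -> list[Alert]:
    """Apply the three rules to newline-delimited JSON records."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["event"] == "process":
            alerts.extend(check_process(rec))
        elif rec["event"] == "network":
            alerts.extend(check_network(rec))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

On the constructed input the stager, the side-loaded extension, the S3 fetch from the stager and the portable Python runtime each produce one alert, while the system-wide AutoHotkey install and the browser's ordinary HTTPS traffic do not. Rule 3 is the noisiest in real environments; scope it to processes in user-writable paths or pair it with Rule 1 before paging anyone. The `--load-extension` check also depends on the flag being present on the command line, so treat it as one signal among several and not as a test for SNOWBELT specifically.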
Read More: https://www.darkreading.com/cloud-security/unc6692-social-engineering-malware-cloud-abuse