Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite

Google Threat Intelligence Group attributes a multistage intrusion to UNC6692 that used persistent social engineering via Microsoft Teams, a malicious phishing landing page, and staged downloads to deliver a modular SNOW malware ecosystem (SNOWBELT, SNOWGLAZE, SNOWBASIN) that enabled internal reconnaissance, credential theft, lateral movement, and exfiltration. The campaign abused trusted cloud services (AWS S3, CloudFront, Heroku) for C2 and payload hosting and relied on a malicious Chromium extension and AutoHotKey-based persistence to maintain long-term access. #UNC6692 #SNOWBELT

Keypoints

  • UNC6692 conducted a Teams-based phishing campaign that directed victims to a convincing “Mailbox Repair” landing page which harvested credentials and staged malicious payloads from attacker-controlled AWS S3 buckets.
  • The attackers delivered a renamed AutoHotKey binary and script which launched SNOWBELT (a malicious Chromium extension) and installed Scheduled Tasks and Startup-folder shortcuts for persistence.
  • The SNOW ecosystem is modular: SNOWBELT (browser extension/backdoor), SNOWGLAZE (Python-based WebSocket tunneler and SOCKS proxy), and SNOWBASIN (Python local HTTP backdoor) that together enable remote command execution, file staging, and exfiltration.
  • UNC6692 performed internal reconnaissance (port scans for 135/445/3389), used PsExec and RDP via the SNOWGLAZE tunnel for lateral movement, and extracted LSASS memory and AD artifacts (NTDS.dit, SAM, SYSTEM) which were exfiltrated via LimeWire.
  • The campaign used robust anti-analysis and environment enforcement (URL/email parameter checks, forcing Edge via microsoft-edge: URI scheme, time-based DGA and AES-GCM protected manifests) to evade sandboxes and maintain covert C2 channels.
  • Defenders are advised to monitor browser activity, unauthorized cloud uploads/downloads, extension installations, and outbound WebSocket/SOCKS-like traffic to detect similar living-off-the-cloud intrusions.
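As an added illustration of the monitoring advice above (not code from the report or from Google Threat Intelligence Group), the following Python script runs two detection heuristics over constructed process-creation events: a Chromium browser started headless or with --load-extension pointing into a user-writable AppData path, and an .ahk script handed to a binary that is not named like the AutoHotKey interpreter. Sample events, usernames and paths are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
HEADLESS_RE = re.compile(r'--headless(?:=\S*)?', re.IGNORECASE)
AHK_ARG_RE = re.compile(r'\.ahk(?:"|\s|$)', re.IGNORECASE)

# Constructed sample events (image path, command line); not telemetry from the report.
SAMPLE_EVENTS = [
    # Scheduled-task style launch: headless Edge loading an unpacked extension from AppData
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'msedge.exe --user-data-dir="C:\Users\alice\AppData\Local\Temp\edge" --headless=new '
     r'--load-extension="C:\Users\alice\AppData\Local\Microsoft\Edge\Extension Data\SysEvents"'),
    # Renamed AutoHotKey interpreter started with a script argument
    (r"C:\Users\alice\Downloads\RegSrvc.exe", r'RegSrvc.exe "C:\Users\alice\Downloads\Protected.ahk"'),
    # Benign: Edge opened interactively by the user
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe --profile-directory=Default"),
    # Benign: a developer loading an unpacked extension from a project directory, not headless
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r'chrome.exe --load-extension="C:\dev\my-ext"'),
]

def detect_suspicious(image_path: str, command_line: str) -> list[str]:
    """Return the names of the rules that match one process-creation event."""
    hits = []
    image = PureWindowsPath(image_path).name.lower()
    # Rule 1: Chromium browser sideloading an extension headlessly or from a user-writable path
    if image in ("msedge.exe", "chrome.exe"):
        m = LOAD_EXT_RE.search(command_line)
        if m:
            ext_dir = (m.group(1) or m.group(2)).lower()
            if HEADLESS_RE.search(command_line) or "\\appdata\\" in ext_dir:
                hits.append("headless_extension_sideload")
    # Rule 2: an .ahk script passed to a binary not named like the AutoHotKey interpreter
    if AHK_ARG_RE.search(command_line) and not image.startswith("autohotkey"):
        hits.append("ahk_script_in_renamed_interpreter")
    return hits

def scan(events):
    """Map each matching event's image name to the rules it triggered."""
    report = {}
    for image_path, command_line in events:
        hits = detect_suspicious(image_path, command_line)
        if hits:
            report.setdefault(PureWindowsPath(image_path).name, []).extend(hits)
    return report

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits)}")
```

The same checks apply to Scheduled Task actions and Startup-folder shortcut targets, which carry the same command lines.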

MITRE Techniques

  • [T1566.002] Spearphishing Link – Delivered a phishing link via Microsoft Teams to lure the user to the malicious landing page. (‘the attacker sent a phishing message via Microsoft Teams, posing as helpdesk personnel’)
  • [T1053] Scheduled Task/Job – Created scheduled tasks to launch headless Edge with the malicious extension and to monitor/restore SNOWBELT. (‘two additional scheduled tasks were installed’)
  • [T1053.005] Scheduled Task – Used Windows Scheduled Task arguments to start Edge with --load-extension pointing to the SNOWBELT extension. (‘--load-extension="C:\Users\…\AppData\Local\Microsoft\Edge\Extension Data\SysEvents"’)
  • [T1059] Command and Scripting Interpreter – Used multiple scripting interpreters (AutoHotKey, Python, cmd/powershell) for execution and orchestration. (‘AutoHotKey execution was recorded immediately following the downloads’)
  • [T1059.001] PowerShell – Executed commands using powershell.exe via SNOWBASIN to perform remote command execution. (‘executes commands via cmd.exe or powershell.exe’)
  • [T1059.003] Windows Command Shell – Used cmd.exe for command execution and cleanup tasks. (‘Run cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" …’)
  • [T1059.006] Python – SNOWGLAZE and SNOWBASIN are Python-based tools used for tunneling and as a local HTTP backdoor. (‘SNOWGLAZE is a Python-based tunneler’)
  • [T1059.007] JavaScript – SNOWBELT is a JavaScript-based browser backdoor implemented as an extension. (‘SNOWBELT is a JavaScript-based backdoor implemented as a Chromium browser extension.’)
  • [T1059.010] AutoHotKey & AutoIT – Delivered and executed a renamed AutoHotKey binary and script to bootstrap persistence and extension installation. (‘downloaded a renamed AutoHotKey binary and an AutoHotkey script’)
  • [T1204.001] Malicious Link – The Teams message directed users to a malicious link that initiated the staged attack. (‘prompted to click a link to install a local patch’)
  • [T1204.002] Malicious File – The landing page staged malicious files (RegSrvc.exe, Protected.ahk) for local execution. (‘RegSrvc.exe AutoHotKey Executable: Masquerading as a “Registration Service.”’)
  • [T1559] Inter-Process Communication – SNOWBELT used chrome.runtime.connectNative and custom protocol handlers to bridge privileged local functionality. (‘uses chrome.runtime.connectNative to establish I/O pipes with local applications’)
  • [T1569.002] Service Execution – Launched Edge in a windowless/headless mode via scheduled tasks to execute the extension. (‘start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir=… --headless=new --load-extension=…’)
  • [T1176.001] Browser Extensions – Deployed SNOWBELT as a Chromium extension to gain a persistent browser-level foothold. (‘SNOWBELT serves as the initial foothold and the primary “eyes” of the operation’)
  • [T1543] Create or Modify System Process – Created or modified system processes and tasks to maintain persistence and run headless browsers. (‘a Scheduled Task was present’)
  • [T1543.003] Windows Service – Used files masquerading as services (RegSrvc.exe) and service-like persistence mechanisms. (‘RegSrvc.exe … Masquerading as a “Registration Service.”’)
  • [T1547.001] Registry Run Keys / Startup Folder – Added a shortcut to the Windows Startup folder to ensure the AutoHotKey script runs at logon. (‘a shortcut to an AutoHotKey script was added to the Windows Startup folder’)
  • [T1547.009] Shortcut Modification – Modified shortcuts for persistence and verification of SNOWBELT execution. (‘a shortcut to an AutoHotKey script was added to the Windows Startup folder, which verified SNOWBELT was running’)
  • [T1068] Exploitation for Privilege Escalation – Took actions to obtain elevated credentials and leverage them to access higher-privilege hosts. (‘After gaining access to the backup server the threat actor utilized the local administrator account’)
  • [T1027] Obfuscated Files or Information – Employed obfuscation and encoded communications to hinder analysis and detection. (‘T1027: Obfuscated Files or Information’)
  • [T1027.010] Command Obfuscation – Used obfuscated command flows within scripts and extension code. (‘command obfuscation’)
  • [T1027.015] Compression – Used compressed archives and packaged portable executables for staging. (‘Compression’)
  • [T1036.005] Match Legitimate Resource Name or Location – Masqueraded the extension and files under legitimate-sounding names like “MS Heartbeat” or “System Heartbeat.” (‘masquerading under names like “MS Heartbeat” or “System Heartbeat”’)
  • [T1055] Process Injection – Employed techniques to run malicious functionality within or alongside legitimate processes (e.g., headless Edge cleaning and CoreUIComponents checks). (‘tasklist /M CoreUIComponents.dll | findstr "%p"’)
  • [T1070.004] File Deletion – Removed downloaded artifacts and caches via internal extension commands like delete_cache. (‘"delete_cache"===cmdType’)
  • [T1112] Modify Registry – Performed registry queries and potential modifications as part of discovery and persistence. (‘Query Registry’)
  • [T1134] Access Token Manipulation – Used credential tooling and pass-the-hash style techniques to impersonate elevated accounts. (‘Pass-The-Hash is a common technique used by threat actors’)
  • [T1134.001] Token Impersonation/Theft – Leveraged stolen credentials and extracted memory to impersonate accounts. (‘utilized the local administrator account to extract the system’s LSASS process memory’)
  • [T1140] Deobfuscate/Decode Files or Information – Decrypted manifests and C2 data (AES-GCM) to obtain configuration and commands. (‘The manifest retrieved from this registry is decrypted via AES-GCM using a key derived from SHA256’)
  • [T1202] Indirect Command Execution – Relayed commands through SNOWBELT to SNOWBASIN, which executed them locally. (‘It relays decrypted C2 commands … to SNOWBASIN via HTTP POST requests’)
  • [T1562.001] Disable or Modify Tools – Performed cleanup of non-conforming headless Edge processes to maintain the malicious runtime. (‘The threat actor uses this command to essentially “clean up” headless Edge processes that execute their malware.’)
  • [T1564.001] Hidden Files and Directories – Hid components within browser extension directories and local AppData paths to avoid detection. (‘C:\Users\…\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\background.js’)
  • [T1622] Debugger Evasion – Used gatekeeper checks and sandbox evasion logic on the landing page to avoid automated analysis. (‘gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes.’)
  • [T1003.001] LSASS Memory – Extracted LSASS process memory from a backup server to obtain credentials. (‘extract the system’s LSASS process memory with Windows Task Manager.’)
  • [T1003.002] Security Account Manager – Collected SAM registry hives via FTK Imager for credential extraction. (‘FTK Imager wrote the … Security Account Manager (SAM), SYSTEM, and SECURITY registry hives to the Downloads folder.’)
  • [T1003.003] NTDS – Extracted NTDS.dit from a Domain Controller using FTK Imager to harvest AD credentials. (‘FTK Imager wrote the Active Directory database file (NTDS.dit) … to the Downloads folder.’)
  • [T1110.001] Password Guessing – Harvested user credentials via a deceptive credential prompt that intentionally rejects entries to capture repeated correct passwords. (‘it is programmed to reject the first and second password attempt as incorrect’)
  • [T1110.003] Password Spraying – Conducted a large email volume and likely multi-account engagement to create opportunity and potential credential misuse. (‘conducted a large email campaign designed to overwhelm the target with messages’)
  • [T1552.001] Credentials In Files – Uploaded harvested credentials and metadata to attacker-controlled S3 buckets. (‘validated credentials and metadata are uploaded directly to an attacker-controlled Amazon S3 bucket’)
  • [T1007] System Service Discovery – Performed reconnaissance and service checks during internal discovery and lateral movement. (‘initial reconnaissance commands and the installation of SNOWBELT’)
  • [T1012] Query Registry – Queried registry and system configuration as part of discovery and persistence. (‘Query Registry’)
  • [T1016] System Network Configuration Discovery – Scanned the local network for open ports (135, 445, 3389) to identify lateral movement targets. (‘using a Python script to scan the local network for ports 135, 445, and 3389.’)
  • [T1018] Remote System Discovery – Used network scanning and enumeration tools to find remote systems and services for lateral movement. (‘scan the local network for ports 135, 445, and 3389’)
  • [T1033] System Owner/User Discovery – Executed commands to enumerate users and local admin accounts for targeted credential collection. (‘execute commands to enumerate local administrator accounts.’)
  • [T1046] Network Service Discovery – Conducted port scans to discover vulnerable or accessible services (RPC, SMB, RDP). (‘scan the local network for ports 135, 445, and 3389’)
  • [T1057] Process Discovery – Queried running processes and DLL mappings to identify and manage headless Edge instances. (‘tasklist /M SHELL32.dll ^| findstr "msedge.exe"’)
  • [T1082] System Information Discovery – Collected host and system details during reconnaissance and staging. (‘initial reconnaissance commands’)
  • [T1083] File and Directory Discovery – SNOWBASIN supports directory listings and file reads for data staging. (‘If a folder is provided, it returns a full directory listing’)
  • [T1087.001] Local Account – Enumerated local accounts and administrative users to identify escalation paths. (‘enumerate local administrator accounts’)
  • [T1518] Software Discovery – Identified installed software and processes to inform exploitation and persistence choices. (‘Software Discovery’)
  • [T1021.001] Remote Desktop Protocol – Initiated an RDP session via the SNOWGLAZE tunnel to a backup server for further access. (‘initiated an RDP session via the SNOWGLAZE tunnel from the victim system to a backup server.’)
  • [T1021.002] SMB/Windows Admin Shares – Enumerated authenticated SMB shares as a potential credential or data discovery vector. (‘authenticated Server Message Block (SMB) share enumeration’)
  • [T1005] Data from Local System – Collected files (NTDS.dit, SAM, SYSTEM, SECURITY) and staged them for exfiltration. (‘FTK Imager wrote the Active Directory database file (NTDS.dit) … The extracted files were then exfiltrated from the network via LimeWire.’)
  • [T1074] Data Staged – Staged extracted artifacts in the Domain Administrator’s Downloads folder and via SNOWBASIN buffers for exfiltration. (‘FTK Imager … wrote … to the Downloads folder.’)
  • [T1113] Screen Capture – Captured screenshots of active sessions and targeted applications on Domain Controllers. (‘EDR telemetry logged the threat actor performing screen captures on the Domain Controllers’)
  • [T1560] Archive Collected Data – Packaged artifacts for exfiltration (ZIP archives and archived tool outputs). (‘downloaded a ZIP archive containing a portable Python executable and required libraries.’)
  • [T1560.001] Archive via Utility – Used utilities (FTK Imager) to create copies/archives of critical system/data artifacts. (‘FTK Imager executed and mounted the local storage drive’)
  • [T1020] Automated Exfiltration – Automated exfiltration of staged artifacts via cloud and peer-to-peer channels (LimeWire). (‘exfiltrated it via LimeWire.’)
  • [T1567] Exfiltration Over Web Service – Uploaded stolen credentials and data to attacker-controlled cloud storage (S3). (‘uploaded directly to an attacker-controlled Amazon S3 bucket’)
  • [T1567.002] Exfiltration to Cloud Storage – Specifically used AWS S3 buckets to receive stolen credentials and artifacts. (‘service-page-18968-2419-outlook.s3.us-west-2.amazonaws.com’)
  • [T1071.001] Web Protocols – Used WebSocket (wss) and HTTP(S) protocols for C2 and proxying. (‘establishes a WebSocket connection to a static C2 host using hard-coded credentials.’)
  • [T1090] Proxy – SNOWGLAZE provided SOCKS proxy capability via WebSocket tunnels to proxy arbitrary TCP traffic. (‘facilitates SOCKS proxy operations, allowing arbitrary TCP traffic to be routed through the infected host.’)
  • [T1105] Ingress Tool Transfer – Downloaded tools and payloads (AutoHotKey binary, portable Python, FTK Imager) from cloud-hosted locations. (‘downloaded a renamed AutoHotKey binary … from a threat actor-controlled AWS S3 bucket.’)
  • [T1572] Protocol Tunneling – Wrapped TCP traffic in JSON/Base64 over WebSockets to tunnel traffic through compromised hosts. (‘masks malicious traffic by wrapping data in JSON objects and Base64 encoding it for transfer via WebSockets.’)
  • [T1489] Service Stop – Terminated non-conforming Edge processes and used taskkill to remove interfering instances. (‘taskkill /F /PID %p’)
  • [T1608.002] Upload Tool – Used cloud uploads (S3 PUT) to transfer harvested credentials and artifacts to the attacker’s infrastructure. (‘The validated credentials and metadata are uploaded directly to an attacker-controlled Amazon S3 bucket’)
  • [T1608.005] Link Target – Hosted phishing landing pages and staged payloads on attacker-controlled S3 URLs and CloudFront subdomains. (‘https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=.com’)

Indicators of Compromise

  • [Domain/URL] Phishing and payload hosting – service-page-25144-30466-outlook.s3.us-west-2.amazonaws[.]com, service-page-18968-2419-outlook.s3.us-west-2.amazonaws[.]com
  • [WebSocket/C2] SNOWGLAZE C2 – wss://sad4w7h913-b4a57f9c36eb.herokuapp[.]com:443/ws (hard-coded WebSocket Secure URL)
  • [File Paths / Filenames] Malicious extension and staged files – C:\Users\…\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\background.js (SNOWBELT), RegSrvc.exe (AutoHotKey executable masquerading as “Registration Service”)
  • [File Hashes] Malware binaries and scripts – SNOWGLAZE (2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e62f7e49), SNOWBELT background.js (7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634cc5a2477) and 3 more hashes
Read more: https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware/