UNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ Malware

Google Threat Intelligence Group identified UNC6692 conducting a campaign that bombarded targets with emails and posed as IT support over Microsoft Teams to lure users to a fake mailbox repair page. The page harvested credentials and silently delivered AutoHotKey binaries that installed the Snowbelt Chromium extension, which, together with Snowglaze and Snowbasin hosted on AWS S3, enabled persistence, lateral movement, credential theft, and exfiltration. #UNC6692 #Snowbelt

Keypoints

  • UNC6692 overwhelmed victims with emails and impersonated IT helpdesk staff via Microsoft Teams to initiate the attack.
  • The phishing page posed as a mailbox repair utility, harvested credentials via a fake auth prompt, and displayed a fake progress bar to avoid suspicion.
  • AutoHotKey binaries and scripts were silently downloaded and executed to install the Snowbelt Chromium extension as the initial backdoor.
  • Persistence was achieved through startup AutoHotKey shortcuts and scheduled tasks that launched a windowless Edge process to load the malicious extension.
  • Attackers used Snowglaze to tunnel for PsExec and RDP-based lateral movement, dumped LSASS, used Pass-The-Hash and FTK Imager to harvest AD/SAM data, and exfiltrated data via LimeWire and S3-hosted payloads.
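
The persistence step above (a startup AutoHotKey shortcut or scheduled task launching a windowless Edge process that loads the malicious extension) leaves a recognisable process-creation pattern. The following is an added detection example, not code from the article or from Google Threat Intelligence Group: it scores constructed process-creation records for a browser launched with the real Chromium `--load-extension` flag combined with a headless or off-screen window, a launcher parent such as AutoHotkey or the task scheduler host, and an extension directory under a user-writable path. The event field names, the parent-process list and the sample command lines are assumptions made for the example.

```python
"""Heuristic for browser extension sideloading from a persistence launcher.

Added example; field names, parent list and sample events are assumptions,
not telemetry from the article.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcessEvent:
    """One process-creation record (field names assumed for this example)."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    event: ProcessEvent
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


# --load-extension is the real Chromium flag for loading an unpacked extension;
# the regex accepts a quoted or an unquoted path.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
WINDOW_POS_RE = re.compile(r"--window-position=(-?\d+),(-?\d+)", re.IGNORECASE)
# Directories a user can write to without elevation (assumed list; extend to taste).
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp|Downloads|Public)\\", re.IGNORECASE)
# Parents a Startup-folder AutoHotKey shortcut or a scheduled task would sit behind
# (assumed list; svchost.exe hosts the Task Scheduler service on modern Windows).
LAUNCHER_PARENTS = {"autohotkey.exe", "autohotkey64.exe", "svchost.exe", "taskeng.exe"}
BROWSERS = {"msedge.exe", "chrome.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def analyze_event(ev: ProcessEvent) -> Optional[Finding]:
    """Return a Finding with one reason per indicator, or None if not an extension sideload."""
    if _basename(ev.image) not in BROWSERS:
        return None
    m = LOAD_EXT_RE.search(ev.command_line)
    if not m:
        return None
    ext_path = m.group(1) or m.group(2)
    finding = Finding(ev, [f"unpacked extension sideloaded from {ext_path}"])
    if re.search(r"--headless(?:=\w+)?\b", ev.command_line, re.IGNORECASE):
        finding.reasons.append("headless browser launch")
    wp = WINDOW_POS_RE.search(ev.command_line)
    if wp and (int(wp.group(1)) < -1000 or int(wp.group(2)) < -1000):
        finding.reasons.append("window positioned off-screen")
    parent = _basename(ev.parent_image)
    if parent in LAUNCHER_PARENTS:
        finding.reasons.append(f"launched by {parent}")
    if USER_WRITABLE_RE.search(ext_path):
        finding.reasons.append("extension directory is user-writable")
    return finding


def scan(events: List[ProcessEvent], threshold: int = 3) -> List[Finding]:
    """Return findings whose indicator count reaches the threshold."""
    return [f for f in (analyze_event(e) for e in events) if f and f.score >= threshold]


# Constructed sample events (not real telemetry).
EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'
SAMPLE_EVENTS = [
    # Startup AutoHotKey shortcut launching a hidden Edge with a Temp-hosted extension
    ProcessEvent(r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "msedge.exe",
                 EDGE + r' --headless=new --load-extension="C:\Users\alice\AppData\Local\Temp\ext"'
                 r" --window-position=-32000,-32000"),
    # Developer testing an unpacked extension from Explorer: one indicator only
    ProcessEvent(r"C:\Windows\explorer.exe", "msedge.exe",
                 EDGE + r" --load-extension=C:\Dev\my-extension"),
    # Ordinary interactive launch: not a sideload at all
    ProcessEvent(r"C:\Windows\explorer.exe", "msedge.exe", EDGE + " --profile-directory=Default"),
    # Scheduled task (svchost parent) launching headless Edge with a Temp-hosted extension
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "msedge.exe",
                 EDGE + r" --headless --load-extension=C:\Users\alice\AppData\Local\Temp\ext2"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"score={f.score} parent={_basename(f.event.parent_image)}")
        for r in f.reasons:
            print("  -", r)
```

The threshold keeps a developer loading an unpacked extension from a visible browser out of the alert set while the two launcher-driven, headless, Temp-hosted loads score four or five; in a real deployment the parent list and writable-path pattern are the knobs to tune.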

Read More: https://www.securityweek.com/unc6692-uses-email-bombing-social-engineering-to-deploy-snow-malware/