Full Report
A threat group tracked as UNC6692 uses social engineering to deploy a new "Snow" malware set that includes a browser extension, a tunneler, and a backdoor. [...]
Analysis Summary
# Threat Actor: UNC6692
## Attribution & Identity
* **Name/Alias:** UNC6692
* **Associations:** While specifically tracked by Mandiant, the actor utilizes social engineering tactics (Microsoft Teams impersonation) that align with broader trends recently observed in the cybercrime ecosystem. No specific state-sponsored attribution or named group aliases (e.g., APT names) were provided in this report.
## Activity Summary
UNC6692 has been observed conducting highly targeted social engineering campaigns designed to deploy a custom malware suite dubbed "Snow." The attacks begin with "email bombing" to create a sense of urgency, followed by the actor impersonating IT helpdesk personnel via Microsoft Teams. The ultimate objective is deep network compromise, lateral movement to domain controllers, and the exfiltration of Active Directory databases for total domain takeover.
## Tactics, Techniques & Procedures
* **Social Engineering:** Email bombing (denial of service against an inbox) followed by helpdesk impersonation via Microsoft Teams.
* **Initial Access:** Sending malicious links via Teams chat under the guise of an "email spam patch."
* **Persistence:** Scheduled tasks, startup folder shortcuts, and the use of malicious browser extensions.
* **Evasion:** Execution of Chrome extensions on a headless Microsoft Edge instance to remain invisible to the user.
* **C2 Communication:** Use of WebSocket tunnels and SOCKS proxies to mask traffic.
* **Credential Access:** Dumping LSASS memory and using Pass-the-Hash (PtH) techniques.
* **Lateral Movement:** Scanning for SMB and RDP services.
* **Exfiltration/Staging:** Use of third-party tools like FTK Imager to capture AD databases and LimeWire for data exfiltration.
* **MITRE ATT&CK IDs (Inferred):**
  * T1566.002 (Phishing: Spearphishing Link)
  * T1078 (Valid Accounts)
  * T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
  * T1176 (Browser Extensions)
  * T1003.001 (OS Credential Dumping: LSASS Memory)
  * T1550.002 (Use Alternate Authentication Material: Pass the Hash)
  * T1090 (Proxy)
## Targeting
* **Sectors:** Organizations using Microsoft Teams and centralized domain management (Active Directory).
* **Geography:** Not specified, but generally targets entities where IT helpdesk impersonation is a viable social engineering vector.
* **Victims:** Enterprise environments with high-value credential material (Domain Controllers).
## Tools & Infrastructure
* **Malware Families (The "Snow" Set):**
  * **SnowBelt:** A malicious Chrome/Edge browser extension used for persistence and as a command relay.
  * **SnowGlaze:** A tunneler tool that establishes WebSocket tunnels and SOCKS proxies.
  * **SnowBasin:** A Python-based backdoor capable of executing CMD/PowerShell, screenshotting, and data exfiltration.
* **Utilities:** AutoHotkey (scripts), FTK Imager (AD data extraction), LimeWire (exfiltration).
* **Infrastructure:** C2 communications masked via WebSockets (URLs/IPs were not explicitly listed in the text but are referenced as available in the original Mandiant report).
## Implications
UNC6692 demonstrates a high level of operational maturity by combining "noisy" tactics (email bombing) with "stealthy" execution (headless browser extensions). Their ability to move from a single social engineering success to a full Active Directory database extraction poses a critical risk to organizational identity security. This indicates a threat actor focused on high-value data theft and potential long-term ransom or espionage operations.
## Mitigations
* **Identity Defense:** Restrict the use of administrative accounts and implement phishing-resistant Multi-Factor Authentication (MFA).
* **Teams Security:** Restrict Microsoft Teams communication from external domains and implement "External User" labeling.
* **Endpoint Monitoring:** Monitor for unauthorized execution of AutoHotkey, headless browser instances, and the creation of unexpected scheduled tasks.
* **Active Directory Protection:** Implement Tiered Administration models to prevent "Pass-the-Hash" from reaching Domain Controllers.
* **User Training:** Educate staff on "Helpdesk Impersonation" tactics, specifically highlighting that IT will rarely request remote access or patch installation via a Teams chat link.
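A starting point for the endpoint-monitoring items above (headless browser instances loading extensions, AutoHotkey execution, unexpected scheduled tasks), as an added example that is not part of the Mandiant report: three detection rules applied to constructed process-creation events. The event field names, file paths and the "user-writable path" heuristic are assumptions; `--headless` and `--load-extension` are standard Chromium command-line switches.

```python
# Constructed Sysmon-style (Event ID 1) process-creation events; none come from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --headless=new --load-extension="C:\Users\bob\AppData\Roaming\ext"',
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --profile-directory=Default',  # benign interactive launch
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\bob\AppData\Local\Temp\patch.ahk",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC ONLOGON /TN "EdgeUpdateCheck" /TR "C:\Users\bob\AppData\Roaming\run.cmd"',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Heuristic (assumed): locations an ordinary user can write to; a task or script living here deserves a look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
BROWSERS = ("msedge.exe", "chrome.exe")

def headless_browser_with_extension(ev):
    """Edge/Chrome started headless with a side-loaded extension (the Evasion TTP above)."""
    cl = ev["cmdline"].lower()
    return ev["image"].lower().endswith(BROWSERS) and "--headless" in cl and "--load-extension" in cl

def autohotkey_from_user_path(ev):
    """AutoHotkey interpreter or .ahk script running from a user-writable directory."""
    img, cl = ev["image"].lower(), ev["cmdline"].lower()
    from_user_dir = any(p in img for p in USER_WRITABLE)
    return ("autohotkey" in img or ".ahk" in cl) and from_user_dir

def scheduled_task_to_user_path(ev):
    """schtasks /Create whose action points at a user-writable path (persistence)."""
    cl = ev["cmdline"].lower()
    return ev["image"].lower().endswith("schtasks.exe") and "/create" in cl and any(p in cl for p in USER_WRITABLE)

RULES = {
    "headless_browser_extension": headless_browser_with_extension,
    "autohotkey_user_path": autohotkey_from_user_path,
    "schtasks_user_path": scheduled_task_to_user_path,
}

def triage(events):
    """Return (rule_name, image, parent) for every event that matches a rule."""
    return [(name, ev["image"], ev["parent"])
            for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The parent process is carried through so an analyst can see the launch chain (here a script host or cmd.exe starting the browser or task), which is usually what separates an attacker-started headless instance from a legitimate automation job.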