UNC6692 Social Engineering: Deploying the SNOW Custom Malware Suite
- [01] Immediate impact: UNC6692 uses social engineering via Microsoft Teams to achieve deep network penetration and exfiltrate sensitive Active Directory data.
- [02] Affected systems: Windows enterprise environments using Chromium-based browsers are targeted through malicious AutoHotkey scripts and custom extensions.
- [03] Remediation: Defenders must monitor for unauthorized browser extensions and enforce strict controls on external Microsoft Teams communication and S3 downloads.
Google Threat Intelligence Group (GTIG) has identified a sophisticated multistage intrusion campaign conducted by a newly tracked threat cluster designated UNC6692. According to Google Cloud, the actor combines high-pressure social engineering, a custom modular malware suite, and fast lateral movement to achieve deep penetration of victim environments.
UNC6692 Social Engineering Tactics and Initial Access
The campaign typically begins with a high-volume email flood intended to distract and overwhelm the target. Following this, the actor impersonates IT helpdesk personnel via Microsoft Teams, inviting the victim to a chat from an external account. The attacker provides a link to an attacker-controlled Amazon S3 bucket, claiming it contains a “local patch” to resolve the email spamming issue.
Once the victim clicks the link, they land on a phishing page masquerading as a “Mailbox Repair and Sync Utility.” The page checks the environment to confirm the victim is using Microsoft Edge; if not, it prompts them to switch browsers, because the later stages depend on that browser. The page also uses a “double-entry” credential harvesting technique: it rejects the first two password entries so the victim retypes the password, which both confirms the captured credential is correct and makes the page feel like a real sign-in. The combination of the email flood, the helpdesk pretext and the repeated prompts is designed to wear down initial user skepticism.
The SNOW Malware Ecosystem
The intrusion relies on a custom modular suite referred to as the SNOW ecosystem, consisting of three primary components: SNOWBELT, SNOWGLAZE, and SNOWBASIN.
SNOWBELT: The Browser Foothold
SNOWBELT is a JavaScript-based backdoor delivered as a Chromium browser extension. It is not published in any official store; it is side-loaded during the initial infection. It maintains persistence through the extension alarms API, which periodically wakes its service worker, and establishes a C2 channel by computing the S3 bucket URL from the current time (a DGA-style scheme, so the URL changes without any hard-coded indicator to block). SNOWBELT is the primary relay: it receives commands over that channel and proxies them to the other components on the host. To improve responsiveness it also registers for the browser’s Web Push service, so a push message can wake the extension for immediate command execution rather than waiting for the next alarm.
SNOWGLAZE: The Python Tunneler
Once a foothold is secured, the actor deploys SNOWGLAZE, a Python-based utility that handles network logistics. GTIG’s analysis shows that it establishes a secure WebSocket (wss) tunnel between the victim’s network and a Heroku-hosted C2. Over that tunnel it exposes a SOCKS proxy, allowing the attacker to route arbitrary TCP traffic into the internal network through the infected host while the activity looks like ordinary encrypted web traffic to a cloud-hosted service.
SNOWBASIN: The Local Command Hub
SNOWBASIN runs as a local HTTP server (typically on port 8000) and functions as a persistent backdoor. It provides remote code execution via cmd.exe or PowerShell, captures screenshots, and stages data for exfiltration. Commands received by the SNOWBELT extension are forwarded to SNOWBASIN as HTTP POST requests to the loopback interface, so the only traffic that leaves the host is the browser’s own C2 channel. Because the relay never crosses the network, network sensors will not see it; detecting it requires endpoint telemetry on loopback connections and local listeners.
Detecting the SNOWBELT Extension and Malicious AHK Scripts
Detection of this activity requires a multifaceted approach. Security teams should monitor for execution of the AutoHotkey (AHK) interpreter, particularly copies renamed to mimic legitimate system services (RegSrvc.exe in this campaign); unless the actor also strips it, the PE version information (OriginalFileName) still identifies a renamed binary as AutoHotkey. Detecting SNOWBELT itself involves auditing the extension directories of Microsoft Edge and Chrome, and any extension loaded from outside them, for manifests that do not carry a Web Store update URL and for background scripts such as background.js and helper.html that were never installed from the store.
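The checks described above, as an added example that is not GTIG’s or this article’s code: a Python script that audits a Chromium Extensions directory for extensions without a store update_url (the side-loaded SNOWBELT case) and triages constructed Sysmon-style events for a renamed AutoHotkey binary, a headless or unpacked-extension browser launch, and a browser connection to the loopback port SNOWBASIN listens on. The directory layout, event field names, the --load-extension signal and all sample data are assumptions for illustration; only the port 8000 loopback relay, the RegSrvc.exe rename and the background.js/helper.html file names come from the article.

```python
"""Triage helpers for the SNOW tradecraft described above.

Added example, not code from GTIG or this article. It models two checks:
(1) auditing a Chromium profile's Extensions directory for extensions that
did not come from a store, and (2) triaging Sysmon-style process (EventID 1)
and network (EventID 3) records. Field names, paths and samples are constructed.
"""
import json
import ntpath
import os
import re
import tempfile

# update_url values stamped into manifests installed from the official stores.
STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}
BROWSERS = {"msedge.exe", "chrome.exe"}
AHK_NAME = re.compile(r"^AutoHotkey", re.IGNORECASE)  # AutoHotkey.exe, AutoHotkey64.exe, ...
SNOWBASIN_PORT = 8000  # local port named in the article ("typically on port 8000")


def audit_extensions(extensions_root):
    """Return (path, reason) for every extension under extensions_root whose
    manifest lacks a store update_url; SNOWBELT-like file names add context."""
    findings = []
    for dirpath, _dirs, files in os.walk(extensions_root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except ValueError:
            findings.append((dirpath, "unparseable manifest.json"))
            continue
        update_url = manifest.get("update_url")
        if update_url in STORE_UPDATE_URLS:
            continue  # store-managed; not the side-loaded case this hunts
        reason = f"no store update_url (got {update_url!r})"
        background = manifest.get("background") or {}
        if background.get("service_worker") == "background.js" or "helper.html" in files:
            reason += "; SNOWBELT-like files (background.js / helper.html)"
        findings.append((dirpath, reason))
    return findings


def triage_events(events):
    """Flag Sysmon-style records. Returns (rule, image, detail) tuples."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if ev.get("EventID") == 1:
            orig = ev.get("OriginalFileName", "")
            cmd = ev.get("CommandLine", "")
            # PE version info still says AutoHotkey even after the file was renamed.
            if AHK_NAME.match(orig) and not AHK_NAME.match(image):
                hits.append(("renamed AutoHotkey binary", image, orig))
            if image in BROWSERS and "--headless" in cmd:
                hits.append(("headless browser launch", image, cmd))
            # --load-extension loads an unpacked extension from the command line.
            # The article does not say how SNOWBELT is loaded; this is an assumed signal.
            if image in BROWSERS and "--load-extension=" in cmd:
                hits.append(("browser launched with unpacked extension", image, cmd))
        elif ev.get("EventID") == 3:
            if (image in BROWSERS and ev.get("DestinationIp") == "127.0.0.1"
                    and ev.get("DestinationPort") == SNOWBASIN_PORT):
                hits.append(("browser connecting to localhost SNOWBASIN port", image,
                             f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return hits


def build_sample_profile():
    """Constructed fixture: a fake Extensions directory with one store extension
    and one side-loaded SNOWBELT-style extension (no update_url, background.js)."""
    root = tempfile.mkdtemp(prefix="ext_audit_")
    store = os.path.join(root, "aaaabbbbccccddddeeeeffffgggghhhh", "1.2.3_0")
    rogue = os.path.join(root, "rogue_ext")
    os.makedirs(store)
    os.makedirs(rogue)
    with open(os.path.join(store, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "Store Extension", "manifest_version": 3,
                   "update_url": "https://clients2.google.com/service/update2/crx"}, fh)
    with open(os.path.join(rogue, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "Rogue Extension", "manifest_version": 3,
                   "permissions": ["alarms", "notifications"],
                   "background": {"service_worker": "background.js"}}, fh)
    for name in ("background.js", "helper.html"):
        open(os.path.join(rogue, name), "w").close()
    return root


# Constructed Sysmon-like events: two malicious process creates, one loopback
# connect, and two benign records that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\RegSrvc.exe",
     "OriginalFileName": "AutoHotkey64.exe", "CommandLine": r"RegSrvc.exe update.ahk"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'msedge.exe --headless --load-extension="C:\Users\victim\AppData\Local\Temp\ext"'},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 8000},
    {"EventID": 1, "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe", "CommandLine": "AutoHotkey.exe script.ahk"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe", "CommandLine": "msedge.exe https://intranet.example"},
]

if __name__ == "__main__":
    for path, reason in audit_extensions(build_sample_profile()):
        print("EXTENSION", path, reason)
    for rule, image, detail in triage_events(SAMPLE_EVENTS):
        print("EVENT", rule, image, detail)
```

Run against a real profile by pointing audit_extensions at the Extensions folder under the browser’s User Data directory; enterprise extensions force-installed from a private update server will also be listed, which is the intended behaviour, since every non-store manifest deserves a look. The AutoHotkey rule depends on OriginalFileName being populated, so pair it with a hash or signature check for copies whose version resource has been stripped.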
Privilege Escalation and Lateral Movement
UNC6692 has demonstrated the ability to move from initial access to full domain compromise rapidly. After establishing a tunnel via SNOWGLAZE, the actor performed internal port scanning and dumped the LSASS process memory through Task Manager’s built-in dump function (which itself requires local administrator rights on the host) to harvest credentials, including administrative ones. These enabled lateral movement to Domain Controllers using pass-the-hash, where the actor used FTK Imager, a legitimate forensic tool, to access the local drives and copy out the Active Directory database (NTDS.dit), which is locked while the directory service is running, along with the associated registry hives (the SYSTEM hive holds the boot key needed to decrypt the database offline).
Mitigation Recommendations
To defend against UNC6692, organizations should prioritize the following actions:
- Restrict External Communications: Restrict Microsoft Teams external access to an allowlist of partner domains, or disable it, so that arbitrary external accounts cannot initiate chats with users.
- Browser Hardening: Enforce policies that block installation of extensions from outside the store (an extension blocklist of “*” with an explicit allowlist), and monitor for headless browser processes (e.g., msedge.exe --headless).
- Endpoint Monitoring: Use EDR to alert on unauthorized AutoHotkey execution and on the creation of unexpected Scheduled Tasks that launch a browser with an extension.
- Credential Protection: Implement Zero Trust principles and protect LSASS memory from unauthorized access (LSA protection and Credential Guard where available) to prevent credential theft and the lateral movement that follows it.