UNC6692 Targets Microsoft Teams to Deploy Snow Malware
- [01] UNC6692 utilizes social engineering on Microsoft Teams to compromise corporate users and deploy a custom malware suite called Snow.
- [02] Organizations that allow external (federated or guest) communication in Microsoft Teams are the primary targets of these malware-delivery campaigns.
- [03] Administrators should restrict external access in Microsoft Teams and implement strict verification protocols for unsolicited internal or external messages.
The threat actor tracked as UNC6692 has been observed conducting a targeted campaign that uses Microsoft Teams as its initial access vector. According to BleepingComputer, the group relies on social engineering to persuade employees to install a modular malware suite dubbed “Snow.” The UNC prefix denotes an uncategorized cluster in Mandiant/Google Threat Intelligence naming, so this activity has not been attributed to an established, named group. The suite has three specialized components: a backdoor, a browser extension for data exfiltration, and a tunneling tool that gives the actor remote access into the victim network.
Detecting the UNC6692 Microsoft Teams Malware Campaign
Security teams looking to detect UNC6692's Snow deployments should prioritize telemetry from collaboration platforms, not only from the mail gateway and the endpoint. The attack typically begins with phishing messages sent through Microsoft Teams, often from compromised accounts or from external tenants that the actor controls. The actor frequently poses as IT support or corporate administrative staff to build trust with the victim. No software vulnerability is exploited and there is nothing to patch; the campaign targets the human factor to bypass perimeter controls that never see the message.
Monitoring for unapproved external domains messaging internal users is the primary detection strategy. Organizations should ingest the Teams events from the Microsoft 365 unified audit log into their SIEM: MessageSent records carry participant metadata showing whether external-tenant, guest or unauthenticated users are in the conversation, which makes it possible to isolate chats initiated from outside the organization and to look for anomalies within them, such as unexpected file transfers (specifically LNK or ZIP files). Once the victim opens the payload, the execution chain begins, typically resulting in deployment of the Snow-Core backdoor.
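The detection described above, written out as an added example (this is editor-supplied code, not from the article or from BleepingComputer's reporting): a PowerShell triage of Teams MessageSent audit records that flags external senders sharing shortcut or archive files. It runs on constructed sample records embedded in the script; in production the input is the AuditData JSON returned by Search-UnifiedAuditLog. The ParticipantInfo fields follow the Teams audit schema, while AttachmentNames and MessageURLs are assumed field names that should be confirmed against records exported from your own tenant.

```powershell
# Added example, not part of the original article: triage Teams "MessageSent"
# audit records for external senders delivering LNK/ZIP-style lures.
# ParticipantInfo.* follows the Teams audit schema; AttachmentNames and
# MessageURLs are ASSUMED field names -- confirm them against your own records.

$LureExtensions = @('.lnk', '.zip', '.iso', '.img', '.vhd')   # shortcut / container lures

function Test-SuspiciousTeamsMessage {
    param([Parameter(Mandatory)] $Record)

    if ($Record.Operation -ne 'MessageSent') { return }

    # Only messages with at least one participant from outside the tenant
    $info = $Record.ParticipantInfo
    $external = [bool]$info.HasForeignTenantUsers -or
                [bool]$info.HasGuestUsers -or
                [bool]$info.HasUnauthenticatedUsers
    if (-not $external) { return }

    # Collect file names from attachments and from the path of any URL in the body
    $names = @($Record.AttachmentNames) + @(
        foreach ($u in @($Record.MessageURLs)) { ($u -as [uri]).AbsolutePath }
    )
    $hits = foreach ($n in $names) {
        if ($n -and $LureExtensions -contains [System.IO.Path]::GetExtension($n).ToLowerInvariant()) { $n }
    }
    if (-not $hits) { return }

    [pscustomobject]@{
        Time     = $Record.CreationTime
        Sender   = $Record.UserId
        Domains  = ($info.ParticipatingDomains -join ', ')
        ChatType = $Record.CommunicationType
        Lure     = ($hits -join ', ')
    }
}

# Constructed sample records (not real telemetry). In production replace with:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#       -RecordType MicrosoftTeams -Operations MessageSent -ResultSize 5000 |
#     ForEach-Object { $_.AuditData | ConvertFrom-Json }
$records = @'
[
  { "CreationTime": "2025-01-10T09:12:44", "Operation": "MessageSent",
    "UserId": "helpdesk@contoso-support-it.example", "CommunicationType": "OneOnOne",
    "ParticipantInfo": { "HasForeignTenantUsers": true, "HasGuestUsers": false,
                         "HasUnauthenticatedUsers": false,
                         "ParticipatingDomains": ["contoso-support-it.example", "contoso.com"] },
    "AttachmentNames": ["Teams_Update_Q1.zip"], "MessageURLs": [] },
  { "CreationTime": "2025-01-10T09:15:02", "Operation": "MessageSent",
    "UserId": "alice@contoso.com", "CommunicationType": "GroupChat",
    "ParticipantInfo": { "HasForeignTenantUsers": false, "HasGuestUsers": false,
                         "HasUnauthenticatedUsers": false,
                         "ParticipatingDomains": ["contoso.com"] },
    "AttachmentNames": ["budget.xlsx"], "MessageURLs": [] },
  { "CreationTime": "2025-01-10T09:20:31", "Operation": "MessageSent",
    "UserId": "it-admin@outlook.example", "CommunicationType": "OneOnOne",
    "ParticipantInfo": { "HasForeignTenantUsers": false, "HasGuestUsers": false,
                         "HasUnauthenticatedUsers": true,
                         "ParticipatingDomains": ["outlook.example", "contoso.com"] },
    "AttachmentNames": [], "MessageURLs": ["https://files.example/share/VPN-Fix.lnk"] }
]
'@ | ConvertFrom-Json

$records | ForEach-Object { Test-SuspiciousTeamsMessage $_ } | Format-Table -AutoSize
```

On the constructed input the first and third records are reported (an external-tenant sender with a ZIP, and an unauthenticated consumer account sending a link to an LNK); the internal budget.xlsx share is ignored. The same function can be dropped into a scheduled job that feeds alerts to the SIEM, with the allow list of partner domains used to suppress known-good external tenants.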
Technical Breakdown of the Snow Malware Suite
The Snow malware suite is characterized by its modularity, allowing the threat actor to adapt to the victim’s environment. The primary components identified include:
- Snow-Core: This serves as the primary backdoor for the group. It is responsible for initial system reconnaissance and establishing a persistent connection to the C2 infrastructure. It is capable of executing arbitrary commands and downloading additional modules.
- Snow-Spy: A malicious extension for Chromium-based browsers. It intercepts web traffic, steals session cookies, and captures credentials as the user enters them. Because a stolen session cookie is replayed into a session that has already satisfied multi-factor authentication (MFA), the actor gets authenticated access without ever triggering an MFA prompt.
- Snow-Tunnel: A utility that creates tunnels between the infected host and the attacker's server. Because the tunnel is an outbound connection from the victim, inbound firewall rules do not stop it, and the actor can proxy traffic through the initial point of entry to reach internal services and move laterally within the compromised network.
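Since Snow-Spy is a Chromium extension, the practical check for it is an inventory of what extensions are actually installed across user profiles and which of them hold the permissions a cookie- and traffic-stealing extension needs. The following PowerShell is an added example (editor-supplied, not the article's or any vendor's code) that walks the Chrome and Edge profile directories, reads each extension's manifest.json, flags risky permissions and unapproved IDs, and reports whether the browser policy keys that would have blocked an unsanctioned install are in place. The directory layout, the list of risky permissions and the demo extension it creates under %TEMP% are assumptions made for the example.

```powershell
# Added example, not part of the original article: inventory Chromium-based
# browser extensions per user profile and flag the permission set a
# cookie/traffic-stealing extension needs. Layout assumed:
#   <User Data>\<Profile>\Extensions\<32-char id>\<version>\manifest.json

$RiskyPermissions = @('cookies', 'webRequest', 'webRequestBlocking', 'declarativeNetRequest',
                      'scripting', 'tabs', 'debugger', 'proxy', 'nativeMessaging', 'clipboardRead')
$RiskyHosts       = @('<all_urls>', '*://*/*', 'http://*/*', 'https://*/*')

function Get-ChromiumExtensionInventory {
    param(
        [string[]] $UserDataRoots = @("$env:LOCALAPPDATA\Google\Chrome\User Data",
                                      "$env:LOCALAPPDATA\Microsoft\Edge\User Data"),
        [string[]] $ApprovedIds = @()          # IDs sanctioned by policy / change control
    )
    foreach ($root in $UserDataRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $manifests = Get-ChildItem -LiteralPath $root -Recurse -Filter manifest.json -ErrorAction SilentlyContinue
        foreach ($mf in $manifests) {
            # Extension IDs are 32 chars from a-p; ignore manifests elsewhere in the profile
            if ($mf.FullName -notmatch '\\Extensions\\([a-p]{32})\\[^\\]+\\manifest\.json$') { continue }
            $id = $Matches[1]
            try { $m = Get-Content -LiteralPath $mf.FullName -Raw | ConvertFrom-Json } catch { continue }

            # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions"
            $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ -is [string] }
            $risky = $perms | Where-Object { $RiskyPermissions -contains $_ -or $RiskyHosts -contains $_ }

            $profile = $mf.FullName.Substring($root.Length).TrimStart('\').Split('\')[0]
            [pscustomobject]@{
                Browser    = Split-Path (Split-Path $root -Parent) -Leaf   # "Chrome" / "Edge"
                Profile    = $profile
                Id         = $id
                Name       = $m.name          # "__MSG_*__" means a localized name; see _locales
                Version    = $m.version
                Approved   = $ApprovedIds -contains $id
                RiskyPerms = ($risky -join ', ')
                Path       = $mf.DirectoryName
            }
        }
    }
}

function Get-ChromiumExtensionPolicy {
    # Chrome and Edge use the same policy value names under different keys
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
        $p     = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $block = Get-ItemProperty -Path "$key\ExtensionInstallBlocklist" -ErrorAction SilentlyContinue
        $blockAll = $false
        if ($block) {   # the list is stored as numbered values "1", "2", ...; "*" denies everything not allow-listed
            $blockAll = @($block.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value) -contains '*'
        }
        [pscustomobject]@{
            PolicyKey               = $key
            BlocklistDenyAll        = $blockAll
            AllowlistPresent        = Test-Path "$key\ExtensionInstallAllowlist"
            BlockExternalExtensions = $p.BlockExternalExtensions -eq 1
            DevToolsDisallowed      = $p.DeveloperToolsAvailability -eq 2
        }
    }
}

# Constructed demo profile (not real data) so the inventory can be exercised offline
$demoRoot = Join-Path $env:TEMP 'DemoBrowser\User Data'
$extDir   = Join-Path $demoRoot 'Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0.3_0'
New-Item -ItemType Directory -Path $extDir -Force | Out-Null
@'
{ "manifest_version": 3, "name": "Teams Helper", "version": "1.0.3",
  "permissions": ["cookies", "webRequest", "storage"],
  "host_permissions": ["<all_urls>"] }
'@ | Set-Content -LiteralPath (Join-Path $extDir 'manifest.json')

Get-ChromiumExtensionInventory -UserDataRoots $demoRoot | Format-List
Get-ChromiumExtensionPolicy | Format-Table -AutoSize
```

Two caveats when running this for real. An extension sideloaded through developer mode ("Load unpacked") or a `--load-extension` command-line switch lives wherever the attacker dropped it, not under the Extensions folder, so the profile's Preferences/Secure Preferences files and the browser's command line in process telemetry need to be checked as well. And an inventory is only as useful as the approved list you compare it against: an `ExtensionInstallBlocklist` of `*` plus an explicit `ExtensionInstallAllowlist` turns the check from detection into prevention.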
Post-Exploitation and Defensive Posture
During post-exploitation, UNC6692 focuses on maintaining a quiet presence. Using a browser extension for data theft is a deliberate choice that often evades standard EDR coverage: the extension runs inside the browser's own processes, drops no new executable, and its exfiltration is TLS traffic from a trusted browser, which process- and file-centric detections treat as normal user activity. In MITRE ATT&CK terms, delivery through Teams maps to T1566.003 (Phishing: Spearphishing via Service), the sub-technique for lures sent over third-party messaging platforms, with T1566.002 (Spearphishing Link) where the lure is a link; the Snow-Spy component maps to T1176 (Browser Extensions, listed as T1176.001 in current ATT&CK versions).
To defend against this threat, the SOC should enforce strict policies on external communication in Teams. Disabling external (federated) access, or limiting it to an allow list of trusted partner domains, significantly reduces the attack surface; guest access and chat with personal Teams accounts are separate settings and need to be reviewed as well. End-user training must stress that IT support will rarely initiate contact via Teams for sensitive actions such as software installation, and that the "External" label Teams puts on a sender is a reason to verify through another channel. Defenders should also audit their fleet for unauthorized browser extensions, enforce an extension allow list through browser policy, and monitor for unusual outbound traffic patterns associated with the Snow-Tunnel component.
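The external-access restriction recommended above, as an added example (editor-supplied, not the article's or Microsoft's code): the tenant federation settings as typically left open, alongside the tightened configuration that keeps federation only for an explicit allow list and closes the consumer and Skype paths. It requires the MicrosoftTeams PowerShell module and a Teams Administrator role; the partner domain names are placeholders.

```powershell
# Added example, not part of the original article. Requires the MicrosoftTeams
# module (Install-Module MicrosoftTeams) and a Teams Administrator role.
# partner-a.example / partner-b.example are placeholders for approved tenants.
Connect-MicrosoftTeams

# 1. Record the current state so the change can be reviewed and rolled back
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowPublicUsers, AllowedDomains, BlockedDomains | Format-List

# Weak posture this replaces: AllowFederatedUsers = $true with AllowedDomains left at
# its default (AllowAllKnownDomains) and AllowTeamsConsumer = $true, which lets any
# tenant or personal Teams account open a chat with your users and pose as IT support.

# 2. Keep federation on, but only for an explicit allow list, and cut off the
#    consumer/Skype channels that impersonators use to reach employees directly
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{ Replace = 'partner-a.example', 'partner-b.example' } `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 3. Verify: an allow list takes precedence over BlockedDomains, so AllowedDomains
#    should now list exactly the approved tenants and nothing else
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains
```

Guest access is a separate switch (Set-CsTeamsClientConfiguration -AllowGuestUser) and is not touched by the federation settings, so an actor invited as a guest would still reach users after this change; review both before declaring the Teams attack surface closed. Adding a domain to the allow list should go through the same change control as a firewall rule, because every entry reopens the path this campaign uses.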