Malware “Snow” Deployed via Microsoft Teams Threat Actor


Sophisticated Threat Actor Uses Microsoft Teams to Deploy Custom Malware Suite “Snow”

A sophisticated threat actor, tracked as UNC6692, has been using social engineering tactics to deploy a newly developed malware suite, codenamed “Snow.”

Custom Malware Bundle

The custom malware bundle consists of a browser extension, a tunneler, and a backdoor, designed to facilitate the theft of sensitive data following deep network compromise through credential theft and domain takeover.

According to a report from Google’s Mandiant researchers, the attacker employs “bombing” tactics to create a sense of urgency, followed by direct contact with targets via Microsoft Teams.

The attackers pose as IT helpdesk agents and ask victims to click a link to install a patch that supposedly blocks the spam. The link actually installs a dropper that loads SnowBelt, a malicious Chrome extension, onto the victim’s device.

Malicious Extension Operations

The extension runs inside a headless Microsoft Edge instance, so it is invisible to the user. At the same time, the malware creates scheduled tasks and a startup folder shortcut to ensure persistence on the compromised system. SnowBelt serves both as the persistence mechanism and as a relay point for commands the operator issues to a Python-based backdoor named SnowBasin.
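The two persistence locations named above (scheduled tasks and the Startup folder) can be checked for the described pattern: a Chromium-based browser launched headless with a side-loaded extension. This is an added defender's hunting script, not code from the article or the Mandiant report; the browser executable names and the `--headless` / `--load-extension` switches it looks for are standard Chromium options and are assumptions about how such a launch would appear, not indicators taken from the page.

```powershell
# Added example: hunt for scheduled tasks and Startup shortcuts that launch a
# Chromium-based browser headless with a side-loaded extension. The regexes are
# assumptions based on standard Chromium command-line switches, not report IoCs.
$BrowserExe   = '\\?(msedge|chrome)\.exe'
$SuspectFlags = '--(headless|load-extension|disable-extensions-except)'

function Test-HeadlessExtensionLaunch {
    param([string]$Exe, [string]$Arguments)
    $cmd = "$Exe $Arguments"
    return ($cmd -match $BrowserExe) -and ($cmd -match $SuspectFlags)
}

$findings = @()

# 1. Scheduled tasks: inspect the executable and arguments of every exec action.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; skip them.
        if ($action.Execute -and (Test-HeadlessExtensionLaunch $action.Execute $action.Arguments)) {
            $findings += [pscustomobject]@{
                Source  = "ScheduledTask: $($task.TaskPath)$($task.TaskName)"
                Command = "$($action.Execute) $($action.Arguments)"
            }
        }
    }
}

# 2. Startup folder shortcuts (current user and all users), resolved via WScript.Shell
#    so the target and arguments stored in the .lnk can be inspected.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if (Test-HeadlessExtensionLaunch $lnk.TargetPath $lnk.Arguments) {
            $findings += [pscustomobject]@{
                Source  = "StartupShortcut: $($_.FullName)"
                Command = "$($lnk.TargetPath) $($lnk.Arguments)"
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Host 'No headless browser extension persistence found.' }
```

Run it in an elevated PowerShell session so that tasks registered under other accounts and the all-users Startup folder are readable; a hit on a host that is not a known automation system warrants a look at the referenced extension directory.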

Backdoor Capabilities

SnowBasin enables the operator to execute attacker-supplied CMD or PowerShell commands on the infected system, with the results relayed back to the operator through the same communication channel. The malware supports remote shell access, data exfiltration, and file transfer capabilities.

Post-Compromise Activities

Following the initial compromise, the attackers conducted internal reconnaissance, identifying services such as SMB and RDP to target additional hosts. They employed pass-the-hash techniques to authenticate to further hosts and ultimately extracted the Active Directory database, SYSTEM, SAM, and SECURITY registry hives using FTK Imager.

Exfiltration and Data Theft

These files were then exfiltrated from the network using LimeWire, providing the attackers with access to sensitive credential data across the domain.

Indicators of Compromise and Detection Tools

Google’s Mandiant has provided extensive indicators of compromise (IoCs) and YARA rules to aid in detecting the Snow toolset, highlighting the significance of this discovery.


