Recently, a hacking group known as UNC6692 has been caught using a clever method to launch a new malware suite called “Snow.” This toolkit is made to steal sensitive information by compromising networks, taking control of domains, and stealing credentials.
Experts from Google’s Mandiant say these attackers use social engineering tactics. They create a sense of urgency by bombarding victims with emails, making them feel compelled to act quickly. Victims are then contacted via Microsoft Teams, with the hackers impersonating IT support personnel.
A report from Microsoft suggests this method is gaining traction in the cybercrime world. By tricking users into granting access through tools like Quick Assist, the attackers can infiltrate networks more easily.
In one incident, the victim was fooled into downloading what they believed was a helpful patch to block the spam. Instead, they unknowingly installed a dropper, which activated a malicious Chrome extension named SnowBelt.
This extension quietly runs in the background, setting up scheduled tasks to ensure it remains active. SnowBelt allows the attackers to communicate through a Python-based backdoor called SnowBasin.
Using a tunneling tool named SnowGlaze, the hackers mask their communications. SnowGlaze manages to funnel all TCP traffic through the infected device, avoiding detection.
Once inside, SnowBasin can execute commands, steal data, and even take screenshots. Notably, the malware can destroy itself at the command of the attackers, making detection harder.
Reports show that UNC6692’s attacks are systematic. After gaining access, they scout the network for services like SMB and RDP, looking for more targets. They can even dump memory to capture credentials and use pass-the-hash techniques to access additional hosts, leading them to critical systems like domain controllers.
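As an added detection example (not from the article or the Mandiant report), the following Python heuristic flags the lateral-movement pattern described above: one source address and account performing NTLM network logons to several hosts within a short window, which is what pass-the-hash activity typically leaves in Windows Security 4624 events. The event field names and the sample events are assumptions constructed for this example.

```python
# Added example, not from the Mandiant report: flag possible pass-the-hash
# lateral movement in Windows Security 4624 logon events. Heuristic: one
# source IP and account performing NTLM network logons (LogonType 3) to
# several distinct hosts within a short window. Field names are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, host, src, user, logon_type, auth):
    """Build one parsed 4624 event (field names are an assumption)."""
    return {"time": time, "host": host, "src": src, "user": user,
            "logon_type": logon_type, "auth": auth}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00", "FS01", "10.0.0.50", "svc_backup", 3, "NTLM"),
    ev("2024-05-01T10:00:20", "APP02", "10.0.0.50", "svc_backup", 3, "NTLM"),
    ev("2024-05-01T10:00:45", "DC01", "10.0.0.50", "svc_backup", 3, "NTLM"),
    ev("2024-05-01T10:01:10", "WS17", "10.0.0.50", "svc_backup", 3, "NTLM"),
    # Kerberos interactive logon: not an NTLM network logon, must not alert.
    ev("2024-05-01T10:02:00", "WS09", "10.0.0.77", "alice", 2, "Kerberos"),
    # One NTLM network logon: below the host threshold, must not alert.
    ev("2024-05-01T10:03:00", "FS01", "10.0.0.88", "bob", 3, "NTLM"),
]

def find_pth_candidates(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {(src, user): sorted hosts} for actors with NTLM network
    logons to at least min_hosts distinct hosts inside one window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["auth"].upper() == "NTLM":
            by_actor[(e["src"], e["user"])].append(
                (datetime.fromisoformat(e["time"]), e["host"]))
    hits = {}
    for actor, logons in by_actor.items():
        logons.sort()  # chronological, so a sliding window works
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[actor] = sorted(hosts)
    return hits

if __name__ == "__main__":
    for (src, user), hosts in find_pth_candidates(SAMPLE_EVENTS).items():
        print(f"possible pass-the-hash: {user}@{src} -> {', '.join(hosts)}")
```

Service accounts that legitimately reach many hosts will trip this heuristic, so tune `min_hosts` and the window per environment and correlate hits with credential-dumping telemetry before treating them as incidents.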
Attacks of this kind have been on the rise. A recent survey revealed that 66% of organizations experienced some form of cyber attack in the past year. These statistics underscore the increasing sophistication of cybercriminals and their evolving tactics.
In the end, the attackers extracted sensitive data, including the Active Directory database, using a program called FTK Imager and transferred it through LimeWire, an unusual choice given its reputation. With this data, they gained access to a treasure trove of sensitive information across networks.
This case highlights the importance of cybersecurity awareness. Understanding the tactics hackers use can help organizations and individuals stay alert and protect themselves against potential threats. Mandiant’s report includes indicators of compromise (IoCs) and detection rules for the Snow malware suite, marking an essential step in combating these types of attacks.