- Google identifies a new threat group, UNC6692, that uses spam floods and fake IT support messages through Microsoft Teams to trick victims.
- Targets were lured to a landing page that collected credentials and deployed a three-part snow-themed malware framework.
- The toolkit includes a persistence-focused browser extension, a tunneling tool for data exfiltration, and a backdoor that gives the attackers full control of the endpoint.
Google has raised the alarm about a group of previously undocumented threat actors using brazen social engineering tactics to deploy a trilogy of malware.
In a detailed report, Google said it saw UNC6692, apparently a new collective, bombard target email inboxes with countless spam messages in a short period of time.
Shortly after, the attackers would contact the owner of that inbox through Microsoft Teams, using the cross-tenant (external access) feature, and introduce themselves as IT or helpdesk staff tasked with fixing the spam problem. They would then share a link to a landing page where the supposed fix could be found.
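The lure is two events a few minutes apart, a mail flood against one mailbox and then a Teams chat from outside the organisation, which makes it a natural correlation rule. The script below is an added example, not Google's detection logic; the mail and Teams event records, their field names (ts, rcpt, sender) and the home tenant domain are constructed, hypothetical stand-ins for whatever your mail gateway and Teams audit exports actually produce.

```python
"""Correlating the UNC6692-style lure: a spam flood against one mailbox
followed shortly by a Teams chat from outside the organisation.

Added example, not Google's detection logic. The event records and field
names (ts, rcpt, sender) are a constructed, hypothetical schema; map them
onto your mail gateway and Teams audit exports."""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_TENANT_DOMAINS = {"corp.example"}          # assumption: our own tenant domains
BASE = datetime(2025, 1, 10, 9, 0, 0)

# Constructed: 120 junk deliveries to alice over ~6 minutes, one normal mail to bob
MAIL_EVENTS = [
    {"ts": (BASE + timedelta(seconds=3 * i)).isoformat(),
     "rcpt": "alice@corp.example", "sender": f"promo{i}@junk.example"}
    for i in range(120)
] + [
    {"ts": (BASE + timedelta(minutes=30)).isoformat(),
     "rcpt": "bob@corp.example", "sender": "hr@corp.example"},
]

# Constructed: Teams chats; only the first is an external "helpdesk" after a flood
TEAMS_EVENTS = [
    {"ts": (BASE + timedelta(minutes=20)).isoformat(), "rcpt": "alice@corp.example",
     "sender": "helpdesk@it-support-contoso.example"},
    {"ts": (BASE + timedelta(minutes=35)).isoformat(), "rcpt": "bob@corp.example",
     "sender": "carol@corp.example"},                   # internal colleague
    {"ts": (BASE + timedelta(minutes=40)).isoformat(), "rcpt": "bob@corp.example",
     "sender": "support@it-support-contoso.example"},   # external, but no flood first
]


def is_external(address):
    """True when the sender's domain is not one of our own tenant domains."""
    return address.rsplit("@", 1)[-1].lower() not in HOME_TENANT_DOMAINS


def find_spam_floods(mail_events, window=timedelta(minutes=10), threshold=50):
    """Return {mailbox: flood_start} for mailboxes that received at least
    `threshold` messages inside any `window`-long sliding interval."""
    by_rcpt = defaultdict(list)
    for e in mail_events:
        by_rcpt[e["rcpt"]].append(datetime.fromisoformat(e["ts"]))
    floods = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:      # slide the window's left edge forward
                lo += 1
            if hi - lo + 1 >= threshold:
                floods[rcpt] = times[lo]
                break
    return floods


def correlate(mail_events, teams_events, lookahead=timedelta(hours=2)):
    """Alert on an external Teams message to a mailbox within `lookahead`
    of that mailbox being flooded. Returns (mailbox, teams_sender, ts) tuples."""
    floods = find_spam_floods(mail_events)
    alerts = []
    for msg in teams_events:
        start = floods.get(msg["rcpt"])
        if start is None or not is_external(msg["sender"]):
            continue
        t = datetime.fromisoformat(msg["ts"])
        if start <= t <= start + lookahead:
            alerts.append((msg["rcpt"], msg["sender"], msg["ts"]))
    return alerts


if __name__ == "__main__":
    for rcpt, sender, ts in correlate(MAIL_EVENTS, TEAMS_EVENTS):
        print(f"ALERT {ts}: external Teams contact {sender} -> {rcpt} after spam flood")
```

The flood threshold and window are tunable; the point of the second stage is that an external Teams contact on its own is noise in most tenants, while one that lands within a couple of hours of a mailbox being flooded is exactly the sequence the report describes. If external access is not needed at all, restricting it in the Teams admin settings removes the channel entirely.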
The ‘snow’ framework
Victims who follow the link are first asked to perform a “status check” by clicking a button on the page that prompts the user to authenticate using their email and password, which are then diverted to the attackers’ servers.
Google also noted that the first login attempt always fails. This is deliberate: it makes the page look more legitimate, and forcing the victim to retype the credentials makes it more likely that the attackers receive a real, correctly typed password rather than a mistyped or fake one.
Once the victim “logs in”, the page performs an “email integrity check”, which is cover for what happens in the background: the deployment of a malware framework consisting of three elements.
“When the user receives a ‘Setup completed successfully’ message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these prepared files,” Google said in the report.
The framework is snow-themed and contains three tools: SnowBelt, SnowGlaze, and SnowBasin.
The first is an extension for Chromium-based browsers that establishes persistence through the browser’s extension registration mechanism. The extension typically goes by the name “MS Heartbeat” or “System Heatbeat.”
The second is a tunneler that establishes an authenticated WebSocket tunnel, giving the attackers a command channel and a path for data exfiltration. The third is a backdoor that gives them full control of the endpoint.
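A browser extension registered outside the normal store install path leaves a trace in the profile's extension preferences, which is the quickest place to hunt for the first component. The following is an added example, not Google's or the malware's code. SAMPLE_PREFERENCES is a constructed stand-in for a Chromium profile's Preferences (or, on Windows, Secure Preferences) file; the layout used (extensions.settings.<id> carrying location, path, from_webstore and the manifest) and the location codes 4 (unpacked folder) and 8 (--load-extension) are my understanding of Chromium's preference format and should be checked against the build under investigation. The two names in REPORTED_NAMES are the ones the article gives.

```python
"""Hunt a Chromium profile's extension preferences for a sideloaded
extension of the kind the article describes.

Added example, not Google's or the malware's code. SAMPLE_PREFERENCES is a
constructed stand-in for the profile's Preferences / Secure Preferences
file; the layout (extensions.settings.<id> with location, path,
from_webstore and manifest) and the location codes 4 (unpacked) and
8 (--load-extension) follow Chromium's preference format as I understand
it (assumption). The names in REPORTED_NAMES come from the article."""
import json
import re

REPORTED_NAMES = re.compile(r"^(MS|System)\s+Hear?tbeat$", re.IGNORECASE)
SIDELOADED_LOCATIONS = {4, 8}   # assumption: 4 = unpacked folder, 8 = --load-extension
COMPONENT_LOCATION = 5          # assumption: built-in component extension

SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {        # store-installed, benign
                "location": 1, "from_webstore": True, "state": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
                "manifest": {"name": "Password Manager", "permissions": ["tabs"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {        # sideloaded, lure name
                "location": 4, "from_webstore": False, "state": 1,
                "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\hb",
                "manifest": {"name": "MS Heartbeat",
                             "permissions": ["cookies", "webRequest"],
                             "host_permissions": ["<all_urls>"]},
            },
            "cccccccccccccccccccccccccccccccc": {        # built-in component
                "location": 5, "from_webstore": False, "state": 1,
                "manifest": {"name": "Chrome PDF Viewer"},
            },
        }
    }
})


def suspicious_extensions(preferences_json):
    """Return {extension_id: [reasons]} for entries worth a closer look."""
    settings = json.loads(preferences_json).get("extensions", {}).get("settings", {})
    findings = {}
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "")
        location = entry.get("location")
        reasons = []
        if REPORTED_NAMES.match(name):
            reasons.append(f"name {name!r} matches a reported lure name")
        if location in SIDELOADED_LOCATIONS:
            reasons.append(f"sideloaded (location={location}, path={entry.get('path')!r})")
        if entry.get("from_webstore") is False and location != COMPONENT_LOCATION:
            reasons.append("not installed from the Chrome Web Store")
        # host access can appear under either key depending on manifest version
        hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
        if "<all_urls>" in hosts:
            reasons.append("requests <all_urls> host access")
        if reasons:
            findings[ext_id] = reasons
    return findings


if __name__ == "__main__":
    for ext_id, reasons in suspicious_extensions(SAMPLE_PREFERENCES).items():
        print(ext_id)
        for reason in reasons:
            print("  -", reason)
```

Run it against a copy of the profile file rather than the live one; on Windows, Chrome protects Secure Preferences with a MAC, so treat it as read-only evidence. Any hit with a sideloaded location and a path under a user-writable directory such as Temp or AppData deserves the extension folder being collected, and the same profile should then be checked for the tunneler's outbound WebSocket connection from the browser process.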