- Google identifies a new threat group, UNC6692, that uses spam floods and fake IT support messages via Microsoft Teams to trick victims
- Targets were lured to a landing page that harvested their credentials and staged a three-part, snow-themed malware framework on the endpoint
- The toolkit includes a persistence-focused browser extension, a tunneling tool for data exfiltration, and a backdoor that enables full endpoint takeover
Google has sounded the alarm about a previously undocumented threat actor group using brazen social engineering tactics to deploy a trilogy of malware.
In an in-depth report, Google said it saw UNC6692 — apparently a new collective — bombard target email inboxes with countless spam messages in a short time frame.
Shortly after, the attackers would contact the owner of that inbox via Microsoft Teams, using the cross-tenant (external access) feature, and introduce themselves as IT/helpdesk staff. They claimed to be fixing the spam problem and shared a link to a landing page where the purported fix could be found.
The ‘Snow’ framework
Victims who follow the link are first asked to perform a “health check” by clicking a button on the page. The page then prompts them to authenticate with their email address and password, and those credentials are transmitted to the attackers’ servers.
Google also noted that the first login attempt always fails by design, so the victim retypes the password. This mimics a real login flow, increasing perceived legitimacy, and reduces the chance that the attackers walk away with only a mistyped or throwaway password.
After the victim has “logged in”, the site runs an “email integrity check”. That check is a cover for what is happening in the background: the deployment of a malware framework consisting of three components.
“By the time the user receives the ‘Configuration Successful’ message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files,” Google said in the report.
The framework is themed around snow and contains three tools: SnowBelt, SnowGlaze and SnowBasin.
The first, SnowBelt, is a Chromium browser extension that establishes persistence through the browser’s extension registration system. The extensions observed were often named “MS Heartbeat” or “System Heatbeat”.
The second, SnowGlaze, is a tunneler that opens an authenticated WebSocket tunnel to the attackers’ infrastructure, giving them a covert channel for command and control and for data exfiltration. The third, SnowBasin, is a backdoor that allows full takeover of the endpoint.
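Because the extension is the component that survives a reboot, the first thing a responder can check on a suspect machine is the browser profile. The following hunt script is an added example and is not code from Google’s report or from the malware; it walks a Chromium user-data profile and flags extensions whose display name matches the two names quoted above. It checks both the on-disk `Extensions/<id>/<version>/manifest.json` files and the `extensions.settings` records in `Preferences` / `Secure Preferences`, because a registration record can outlive the extension files. The indicator list, the sample extension ids and the constructed profile built by `build_sample_profile()` are assumptions for the demo, not observed artifacts.

```python
"""Hunt a Chromium profile directory for extensions named like the SnowBelt
extensions ("MS Heartbeat" / "System Heatbeat"). Added example, not from the report."""
import json
import os
import re
import tempfile

# Indicator names from the public reporting; case-insensitive substring match.
# Assumption: this is a starting point, not an exhaustive list.
SUSPICIOUS_NAMES = ("ms heartbeat", "system heatbeat", "system heartbeat")

# Chromium extension ids are 32 lowercase letters in the range a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def is_suspicious_name(name):
    n = (name or "").strip().lower()
    return any(s in n for s in SUSPICIOUS_NAMES)


def manifests_on_disk(profile_dir):
    """Yield (ext_id, name, manifest_path) for each unpacked extension version."""
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in os.listdir(ext_root):
        if not EXT_ID_RE.match(ext_id):
            continue
        id_dir = os.path.join(ext_root, ext_id)
        for version in os.listdir(id_dir):
            mpath = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            try:
                with open(mpath, encoding="utf-8") as fh:
                    name = json.load(fh).get("name", "")
            except (OSError, ValueError):
                name = ""  # unreadable manifest: still report the id if prefs match
            yield ext_id, name, mpath


def manifests_in_prefs(profile_dir):
    """Yield (ext_id, name, prefs_file) from extensions.settings in the prefs JSON."""
    for fname in ("Preferences", "Secure Preferences"):
        ppath = os.path.join(profile_dir, fname)
        if not os.path.isfile(ppath):
            continue
        try:
            with open(ppath, encoding="utf-8") as fh:
                settings = json.load(fh).get("extensions", {}).get("settings", {})
        except (OSError, ValueError):
            continue
        for ext_id, rec in settings.items():
            name = (rec.get("manifest") or {}).get("name", "")
            yield ext_id, name, ppath


def hunt_extensions(profile_dir):
    """Return sorted (ext_id, name, where) tuples whose name matches an indicator."""
    records = list(manifests_on_disk(profile_dir)) + list(manifests_in_prefs(profile_dir))
    return sorted({r for r in records if is_suspicious_name(r[1])})


def build_sample_profile(root):
    """Constructed sample profile (no real malware): a benign extension, an
    'MS Heartbeat' extension on disk, and a prefs-only 'System Heatbeat' record."""
    def write(path, obj):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(obj, fh)

    benign, heartbeat, orphan = "a" * 32, "b" * 32, "c" * 32  # assumed ids
    write(os.path.join(root, "Extensions", benign, "1.0_0", "manifest.json"),
          {"name": "Ad Blocker Example", "version": "1.0"})
    write(os.path.join(root, "Extensions", heartbeat, "0.1_0", "manifest.json"),
          {"name": "MS Heartbeat", "version": "0.1"})
    write(os.path.join(root, "Secure Preferences"),
          {"extensions": {"settings": {
              heartbeat: {"manifest": {"name": "MS Heartbeat"}},
              orphan: {"manifest": {"name": "System Heatbeat"}}}}})
    return root


def demo():
    """Build the constructed profile in a temp dir and return the hits with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return [(i, n, os.path.relpath(w, tmp)) for i, n, w in hunt_extensions(tmp)]


if __name__ == "__main__":
    for ext_id, name, where in demo():
        print(f"{ext_id}  {name!r}  {where}")
```

On a live system, point `hunt_extensions()` at each profile under the browser’s user-data directory (for example `Default` and `Profile N`). A name match is a lead, not a verdict: the attackers can rename the extension, so pair this with a review of any extension whose id is not in your allow-list and of extensions force-installed through policy.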
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.