Threat actor uses Microsoft Teams to deploy new “Snow” malware
- UNC6692 reportedly uses social engineering and Microsoft Teams to deliver a new malware suite named Snow.
- SnowBelt acts as a persistence and relay mechanism for commands to a Python-based backdoor, SnowBasin.
- SnowGlaze creates a WebSocket tunnel to mask communications with the C2 infrastructure and supports SOCKS proxy operations.
- The operators conducted internal reconnaissance and moved laterally after compromising credentials and domain controllers.
- Credential dumping and pass-the-hash were used to authenticate to more hosts and reach domain controllers.
- SnowBasin can exfiltrate data and execute attacker-supplied commands via a local HTTP server.
- SnowBelt and SnowGlaze enable extended capabilities like remote shell, file management, and data exfiltration.
- The campaign includes the use of patch-themed lure links to deploy a malware dropper.
- The operation targets Microsoft environments, including domain controllers and Active Directory data.
- Mandiant reports the use of email bombing and Teams-based impersonation as key tactics.
- Experts note a growing trend in using legitimate collaboration tools for ongoing cybercrime.
