UNC6692 Exploits Microsoft Teams Helpdesk Impersonation to Deploy SNOW Malware

April 24, 2026 Faeem BLOGS 0

Overview A newly identified threat cluster, UNC6692, is leveraging Microsoft Teams impersonation of IT helpdesk staff to trick victims into installing malicious payloads. The campaign combines email bombing with Teams-based social engineering, ultimately delivering a modular malware suite dubbed SNOW.

Key Highlights

  • Initial Access:
    • Victims overwhelmed with spam emails.
    • Threat actor impersonates IT support via Teams, offering “help.”
  • Attack Chain:
    • Phishing link → AutoHotkey script from AWS S3.
    • Installs SNOWBELT (malicious Edge extension).
    • SNOWBELT downloads additional modules: SNOWGLAZE, SNOWBASIN, Python executables.
  • Malware Components:
    • SNOWBELT: JavaScript backdoor, relays commands.
    • SNOWGLAZE: Python tunneler, creates secure WebSocket C2 channel.
    • SNOWBASIN: Persistent backdoor, enables RCE, file transfer, screenshots, and runs as local HTTP server.

Post-Exploitation Actions

  • Reconnaissance: Scans for ports 135, 445, 3389.
  • Lateral Movement: PsExec sessions, RDP tunneling via SNOWGLAZE.
  • Privilege Escalation: LSASS memory extraction, Pass‑The‑Hash to domain controllers.
  • Data Theft: FTK Imager used to capture Active Directory database; exfiltrated via LimeWire file upload tool.
  • Persistence: RMM tools (Quick Assist, Supremo, Level RMM) and Rclone for data exfiltration.

Risks to Enterprises

  • Target Profile: 77% of incidents aimed at senior executives (March–April 2026).
  • Cloud Service Abuse: Payloads hosted on AWS S3; exfiltration via trusted cloud platforms.
  • Collaboration Tool Exploitation: Microsoft Teams leveraged as a phishing and delivery vector.
  • Stealth: Legitimate apps (RMM, PowerShell, Rclone) abused to blend into normal enterprise activity.

Defensive Guidance

  • Treat Collaboration Tools as Attack Surfaces: Enforce verification workflows for helpdesk requests.
  • Restrict External Teams Access: Tighten cross‑tenant communication and screen‑sharing controls.
  • Harden PowerShell: Apply execution policies and monitoring.
  • Monitor for Indicators:
    • SNOWBELT extension activity in Edge.
    • Local HTTP servers on ports 8000–8002.
    • Suspicious RMM installations and Rclone usage.
  • Cloud Traffic Analysis: Inspect AWS S3 and other cloud service usage for anomalies.

Final Thought

UNC6692 demonstrates how social engineering combined with cloud service abuse can bypass traditional defenses. By impersonating IT helpdesk staff in Microsoft Teams, attackers exploit trust in enterprise collaboration tools to deliver modular malware. For defenders, the lesson is clear: collaboration platforms must be treated as critical attack surfaces, with verification, monitoring, and strict controls applied to external communications.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.