Coming in cold with custom Snow malware
# Incident Report: UNC6692 Social Engineering & "Snow" Malware Campaign
## Executive Summary
A newly identified threat group, tracked as UNC6692, launched a sophisticated social engineering campaign impersonating help desk personnel via Microsoft Teams. The attackers leveraged a "double-entry" credential harvesting technique and deployed a custom, three-part modular malware suite named "Snow" to establish persistence and tunnel into corporate networks.
## Incident Details
- **Discovery Date:** Late December 2025
- **Incident Date:** Ongoing from late 2025 through April 2026
- **Affected Organization:** Multiple (targeted via "large email campaigns")
- **Sector:** Cross-sector
- **Geography:** Global (utilizing cloud infrastructure like Amazon S3 and Heroku)
## Timeline of Events
### Initial Access
- **Date/Time:** December 2025
- **Vector:** Email Spam/Flood followed by Microsoft Teams Social Engineering.
- **Details:** Attackers flooded targets with email spam to create a "problem." A fake help desk worker then contacted the user via Teams, offering a "Mailbox Repair Utility" link to fix the issue.
### Lateral Movement
- **Mechanics:** Once SnowBasin (bindshell) and SnowGlaze (tunneler) were installed, attackers used administrative commands (`whoami`, `net user`) and WebSocket tunnels to pivot from the initial endpoint into the internal network.
### Data Exfiltration/Impact
- **Impact:** Credentials stolen via a "double-entry" phishing page. Local system metadata and staged files were exfiltrated to attacker-controlled Amazon S3 buckets.
### Detection & Response
- **Discovery:** Spotted by Google Threat Intelligence Group (GTIG) during a large-scale email campaign.
- **Response Actions:** Analysis of the custom "Snow" malware ecosystem and identification of C2 infrastructure.
## Attack Methodology
- **Initial Access:** Social engineering via Microsoft Teams and phishing links.
- **Persistence:** Malicious Chromium extension (SnowBelt) and AutoHotkey scripts.
- **Privilege Escalation:** Not explicitly detailed; likely via stolen credentials.
- **Defense Evasion:** Use of legitimate binaries (AutoHotkey, Python), Base64 encoding/JSON wrapping, and WebSocket tunnels to mimic standard encrypted web traffic.
- **Credential Access:** Phishing page with a "double-entry" trick (rejecting the first two attempts) to ensure password accuracy.
- **Discovery:** Execution of `whoami`, `net user`, and local integrity checks.
- **Lateral Movement:** SnowGlaze creates an authenticated tunnel between the internal network and C2.
- **Collection:** Screenshot capture and data staging via SnowBasin.
- **Exfiltration:** Data sent to attacker-controlled Amazon S3 buckets.
- **Impact:** Complete remote interactive control over infected endpoints.
## Impact Assessment
- **Financial:** Unknown; potential for high loss due to modular nature of the malware.
- **Data Breach:** Compromise of corporate credentials and endpoint metadata.
- **Operational:** Disruption through email flooding and unauthorized remote command execution.
- **Reputational:** High risk due to the impersonation of internal corporate help desks.
## Indicators of Compromise
- **Network Indicators:**
  - `hxxps[:]//[s3-bucket-name].s3.amazonaws.com` (data staging)
  - `hxxps[:]//[subdomain].herokuapp.com` (C2 traffic)
  - WebSocket traffic carrying Base64-encoded payloads wrapped in JSON.
- **File Indicators:**
  - `SnowBelt` (Chromium extension, JavaScript)
  - `SnowGlaze` (Python tunneler)
  - `SnowBasin` (Python bindshell)
  - AutoHotkey binaries and scripts.
- **Behavioral Indicators:**
  - Unexpected Microsoft Teams invites from external or unverified help-desk personas.
  - Local HTTP server listening on port 8000.
  - Browser extensions named "MS Heartbeat" or "System Heartbeat".
## Response Actions
- **Containment:** Removal of unauthorized browser extensions and termination of Python-based network tunnels.
- **Eradication:** Revocation of compromised credentials and deletion of malicious AutoHotkey scripts.
- **Recovery:** Restoration of mail services and monitoring of internal traffic for WebSocket tunneling.
## Lessons Learned
- **Psychological Tactics:** The "double-entry" phishing technique effectively bypasses user suspicion by masquerading as a "validation error."
- **Platform Abuse:** Microsoft Teams is increasingly being used as a "trusted" alternative to email for social engineering.
- **Modular Malware:** The use of a modular Python/JS suite (Snow) allows attackers to update capabilities without a full redeployment.
## Recommendations
- **User Training:** Educate employees that internal help desks will rarely initiate contact via Teams to request password entry on external sites.
- **Technical Controls:** Restrict browser extension installation to an allow-list of verified extensions.
- **Network Monitoring:** Implement inspection for long-lived WebSocket connections to uncommon cloud subdomains (e.g., Heroku).
- **Identity Security:** Enforce hardware-based MFA to mitigate the risk of credential harvesting.
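As an added detection example (not part of the original report or GTIG's analysis), the following Python triages constructed proxy-log lines for two of the network behaviours listed above: long-lived WebSocket sessions to `*.herokuapp.com` subdomains and PUT uploads to Amazon S3 buckets. The log format, hostnames, IP addresses and the 600-second threshold are all assumptions, not indicators from the campaign.

```python
"""Triage constructed proxy-log lines for the network behaviours in this report:
long-lived WebSocket sessions to *.herokuapp.com and PUT uploads to S3 buckets.
Log format, hostnames and addresses are constructed, not campaign indicators."""
import re
from collections import defaultdict

# Constructed format: ts src_ip METHOD host:port path status duration_s upgrade=<hdr>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<dur>\d+) upgrade=(?P<upgrade>\S+)$"
)
LONG_LIVED_SECONDS = 600  # assumed threshold: tunnels outlive ordinary page loads

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Label one parsed record with the matching behaviour, or None if benign."""
    host = rec["host"].lower()
    long_lived = int(rec["dur"]) >= LONG_LIVED_SECONDS
    if rec["upgrade"] == "websocket" and host.endswith(".herokuapp.com") and long_lived:
        return "long_lived_websocket_heroku"
    if rec["method"] == "PUT" and host.endswith(".s3.amazonaws.com"):
        return "s3_put_upload"
    return None

def triage(lines):
    """Group findings per source IP so one endpoint showing both behaviours stands out."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings[rec["src"]].append((label, rec["host"], int(rec["dur"])))
    return dict(findings)

# Constructed sample: one endpoint tunnelling and staging, two benign neighbours.
SAMPLE_LOGS = [
    "2026-01-12T09:14:02Z 10.20.5.17 GET quiet-meadow-1234.herokuapp.com:443 /ws 101 5400 upgrade=websocket",
    "2026-01-12T09:20:10Z 10.20.5.17 PUT staging-bkt-example.s3.amazonaws.com:443 /host-info.json 200 3 upgrade=none",
    "2026-01-12T09:21:00Z 10.20.5.42 GET www.example.com:443 /index.html 200 1 upgrade=none",
    "2026-01-12T09:22:00Z 10.20.5.42 GET chat.example.com:443 /socket 101 45 upgrade=websocket",
    "2026-01-12T09:23:00Z 10.20.5.99 GET app-demo.herokuapp.com:443 /ws 101 30 upgrade=websocket",
]
```

Calling `triage(SAMPLE_LOGS)` flags only `10.20.5.17`, which both held a WebSocket to a Heroku subdomain open for 90 minutes and uploaded to an S3 bucket; the short Heroku session and the non-Heroku WebSocket stay unflagged.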