UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware

The newly identified threat actor UNC6692 is leveraging Microsoft Teams and sophisticated social engineering to deploy a custom malware suite, targeting corporate networks through IT help desk impersonation.

Key Points

  • UNC6692 floods victims' mailboxes with email spam to create urgency, then contacts them via Microsoft Teams while posing as IT support.
  • The attack chain uses a phishing page disguised as a "Mailbox Repair and Sync Utility" to deliver malicious AutoHotkey scripts.
  • The custom "SNOW" malware ecosystem includes SNOWBELT for browser-based backdoors, SNOWGLAZE for network tunneling, and SNOWBASIN for remote command execution.
  • Attackers host malicious payloads on trusted AWS S3 buckets to bypass security filters and blend into legitimate cloud traffic.
  • Post-exploitation activities include credential harvesting, lateral movement via Pass-The-Hash, and data exfiltration using tools like LimeWire.
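The first two steps of the chain above (a mailbox spam flood followed by an unsolicited external Teams contact) leave a signal that defenders can correlate in mail-flow and Teams audit telemetry. The following is an added detection sketch, not code from the article or from any vendor; the log line format, the field names (`sender=`, `from=`), the thresholds, and the sample events are all constructed for illustration and would need to be mapped onto a real tenant's logs.

```python
"""Correlate an inbound-mail burst with a follow-up Teams message from an external tenant.

Added example for the UNC6692 write-up; the event format and thresholds are assumptions.
Event line format (constructed): "<ISO-8601 UTC> <mail|teams_external> <user> <detail>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BURST_WINDOW = timedelta(minutes=10)   # assumed: 20+ inbound mails in 10 minutes is a flood
BURST_THRESHOLD = 20
FOLLOW_UP_WINDOW = timedelta(hours=1)  # assumed: external Teams contact within 1 h of the flood

Event = Tuple[datetime, str, str, str]


def parse_event(line: str) -> Event:
    """Split one constructed log line into (timestamp, kind, user, detail)."""
    ts, kind, user, detail = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, user, detail


def find_bursts(events: List[Event]) -> Dict[str, datetime]:
    """Return {user: start time of the first mail burst} using a sliding window per mailbox."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for ts, kind, user, _ in events:
        if kind == "mail":
            by_user[user].append(ts)
    bursts: Dict[str, datetime] = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window until it spans at most BURST_WINDOW
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                bursts[user] = times[start]
                break
    return bursts


def correlate(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag (user, teams_detail) when an external Teams contact follows a mail burst."""
    events = sorted(parse_event(line) for line in lines)
    bursts = find_bursts(events)
    findings: List[Tuple[str, str]] = []
    for ts, kind, user, detail in events:
        if kind != "teams_external" or user not in bursts:
            continue
        delta = ts - bursts[user]
        if timedelta(0) <= delta <= FOLLOW_UP_WINDOW:
            findings.append((user, detail))
    return findings


def _build_sample_events() -> List[str]:
    """Constructed telemetry: one victim pattern, one benign contact, one flood with no follow-up."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines: List[str] = []
    base = datetime(2025, 1, 15, 9, 0, 0)
    # alice: 25 subscription mails in five minutes, then an "IT helpdesk" Teams message 25 min later
    for i in range(25):
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.strftime(fmt)} mail alice@corp.example sender=list{i}@bulk.example")
    t = base + timedelta(minutes=25)
    lines.append(f"{t.strftime(fmt)} teams_external alice@corp.example from=helpdesk@outside-tenant.example")
    # bob: normal mail volume and a legitimate external Teams contact (should not fire)
    for i in range(3):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.strftime(fmt)} mail bob@corp.example sender=partner{i}@vendor.example")
    t = base + timedelta(minutes=40)
    lines.append(f"{t.strftime(fmt)} teams_external bob@corp.example from=pm@vendor.example")
    # carol: a mail flood with no Teams follow-up (burst only, no correlated finding)
    for i in range(25):
        t = base + timedelta(hours=1, seconds=10 * i)
        lines.append(f"{t.strftime(fmt)} mail carol@corp.example sender=promo{i}@bulk.example")
    return lines


SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    for user, detail in correlate(SAMPLE_EVENTS):
        print(f"ALERT: mail flood followed by external Teams contact for {user} ({detail})")
```

The burst-only case (carol) is deliberately not raised as a finding here; in practice it is still worth a lower-severity alert, since the spam flood is the setup for the Teams call and the call may arrive by phone instead.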

Why it Matters

This campaign highlights a growing trend where attackers exploit trust in enterprise collaboration tools and legitimate cloud services to bypass traditional security perimeters. By mimicking internal IT support, these actors effectively target senior employees to gain high-level network access for data theft and ransomware deployment.
Published by The Hacker News (info@thehackernews.com)