
UNC6692 Impersonates IT Help Desk on Microsoft Teams to Distribute SNOW Malware


A recently uncovered threat activity cluster, designated as UNC6692, has been actively utilizing social engineering tactics through Microsoft Teams. This method is aimed at deploying a sophisticated suite of custom malware onto compromised systems. According to a report released today by Mandiant, a cybersecurity firm owned by Google, UNC6692 mirrors the tactics employed in numerous intrusions from recent years. Primarily, it employs impersonation techniques, posing as IT help desk employees. The attackers convince their chosen victims to accept chat invitations from accounts that are not associated with their own organizations.

The researchers revealed that the emergence of UNC6692 significantly links back to a widespread email campaign. This campaign overwhelms targeted inboxes with a deluge of spam messages to create a false sense of urgency among potential victims. After inundating a target’s email account, the threat actor shifts their method of attack by reaching out through Microsoft Teams with an ostensibly helpful message. They feign being part of the IT support team, purporting to assist with the email bombing incident.

Interestingly, this combination of email inundation followed by impersonation via Microsoft Teams has recently gained traction among former affiliates of the Black Basta ransomware group. Although the group halted its ransomware operations in early 2023, the tactics it previously employed appear to have persisted among other threat actors. A recent report released by ReliaQuest highlighted that this modus operandi targets high-ranking executives and senior employees to secure initial access to corporate networks, with the further aims of stealing data and moving laterally through the environment to deploy ransomware or extort the organization.

In some instances, direct chats with separate targets were reportedly initiated just 29 seconds apart, showcasing the urgency these attackers aim to create. The primary goal of these conversations is to mislead victims into installing legitimate remote monitoring tools such as Quick Assist or Supremo Remote Desktop, which subsequently give attackers hands-on access to the system. They may then use this access to drop additional malicious payloads onto the victim’s machine.

Mandiant’s report specifically outlines a distinctive attack chain employed by UNC6692. Instead of following the anticipated pattern, victims are instructed to click on a phishing link provided in a Teams chat, which purportedly helps them address the spam issue. Clicking on this link directs them to a phishing page, deceptively titled “Mailbox Repair and Sync Utility v2.1.5,” that downloads an AutoHotkey script from a threat actor-controlled AWS S3 bucket.
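The two-stage chain above (an inbound mail flood, then an unsolicited external Teams contact) is something a defender can correlate. The following is an added detection sketch, not code from the Mandiant report or the UNC6692 tooling; the tenant domain, sample events and thresholds are all constructed assumptions.

```python
"""Constructed detection sketch (not from the Mandiant report): flag a user who
receives a burst of inbound mail and is then contacted on Teams by a sender from
outside the tenant. Sample events, domain and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"  # assumed defended tenant domain


def mail_bursts(mail_events, threshold=50, window=timedelta(minutes=10)):
    """{recipient: (burst_start, time threshold crossed)} for recipients that got
    at least `threshold` messages inside any span of length `window`."""
    by_user = defaultdict(list)
    for when, rcpt in mail_events:
        by_user[rcpt].append(datetime.fromisoformat(when))
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = (times[start], t)
                break
    return bursts


def correlate(mail_events, teams_events, followup=timedelta(hours=2), **kw):
    """Alert on external Teams chats that arrive during a mail burst or within
    `followup` after the burst threshold was crossed (the chain described above)."""
    bursts = mail_bursts(mail_events, **kw)
    alerts = []
    for when, rcpt, sender in teams_events:
        if sender.lower().endswith("@" + INTERNAL_DOMAIN) or rcpt not in bursts:
            continue  # internal sender, or no preceding mail flood: not the pattern
        first, hit = bursts[rcpt]
        if first <= datetime.fromisoformat(when) <= hit + followup:
            alerts.append({"user": rcpt, "external_sender": sender, "chat_at": when})
    return alerts

# Constructed sample: 60 messages hit alice in 5 minutes; bob only gets 3 mails.
BASE = datetime(2025, 1, 6, 9, 0)
MAIL = [((BASE + timedelta(seconds=5 * i)).isoformat(), "alice@corp.example") for i in range(60)]
MAIL += [((BASE + timedelta(minutes=i)).isoformat(), "bob@corp.example") for i in range(3)]
TEAMS = [  # (time, invitee, chat initiator)
    ((BASE + timedelta(minutes=20)).isoformat(), "alice@corp.example", "helpdesk@it-support.example"),
    ((BASE + timedelta(minutes=25)).isoformat(), "alice@corp.example", "carol@corp.example"),
    ((BASE + timedelta(minutes=20)).isoformat(), "bob@corp.example", "helpdesk@it-support.example"),
]
```

Only alice is flagged: her flood crosses the threshold and the external "help desk" chat lands inside the follow-up window, while bob's external chat has no preceding burst and carol's chat is internal.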

The malicious script, once downloaded, first conducts reconnaissance of the system. It then installs SNOWBELT, a malicious browser extension on the Edge browser using specific commands. The attackers ensure that their payload is delivered only to the intended victims through a carefully crafted gatekeeper script, which helps evade detection by automated security measures. As Mandiant researchers aptly noted, this method illustrates how attackers utilize social engineering, custom malware, and malicious browser extensions to exploit inherent trust in tools widely deployed in corporate environments.

Furthermore, the SNOW malware ecosystem comprises several interconnected tools. SNOWBELT functions as a backdoor, facilitating command execution, while SNOWGLAZE serves as a tunneling mechanism to establish a secure communication line back to the attacker’s command-and-control server. SNOWBASIN, meanwhile, functions as a persistent backdoor for remote command execution and other malicious activities.

Upon gaining initial access, UNC6692 has been documented to carry out various post-exploitation actions. For instance, the actor uses Python scripts to identify open ports across the network and then moves laterally between systems over legitimate administrative protocols. This multifaceted approach not only improves the actor’s chances of succeeding within the network but also makes detection harder for security teams.

As attackers use legitimate cloud services for payload delivery and command-and-control infrastructure, the boundaries that typical security controls rely on blur. This tactic blends malicious activity with normal enterprise operations, making identification increasingly challenging.

In parallel with this activity, Cato Networks has reported on similar voice phishing schemes employing help desk impersonation via Microsoft Teams to direct victims into executing WebSocket-based trojans, indicating a broader trend in leveraging collaborative platforms for malicious intent. Through this increasing sophistication, cybersecurity firms are strongly urging defenders to treat collaborative tools as prime attack surfaces.

Organizations are encouraged to enforce strict verification protocols for IT support communications, tighten external Teams controls, and enhance security measures around tools like PowerShell to mitigate these advancing threats.

The rise of such malicious activities through platforms like Microsoft Teams has garnered attention from Microsoft itself. The tech giant has issued warnings regarding the use of their collaboration tools by threat actors, emphasizing the importance of vigilance among end-users against such sophisticated techniques.

In summary, the actions of UNC6692 and others like them underscore a troubling evolution in cyber threats, where social engineering merges seamlessly with advanced malware ecosystems, posing significant risks to organizational security.
