UNC6692 Uses Microsoft Teams to Deploy Snow Malware
UNC6692 has deployed a new malware suite called Snow via Microsoft Teams, using social engineering and email bombing to entice victims. The Snow family consists of SnowBelt (a Chrome extension for persistence), SnowBasin (a backdoor), and SnowGlaze (a tunneler/C2 conduit). After compromising a network, the group performs internal reconnaissance, dumps LSASS memory, uses pass-the-hash, and exfiltrates Active Directory data (via LimeWire), enabling lateral movement and domain takeover. Mandiant provides IoCs and YARA rules to help detect Snow.
TechLogHub
April 25, 2026

Snow Malware via Microsoft Teams: A Comprehensive Analysis
Executive Summary
- A threat group tracked as UNC6692 has introduced a custom malware suite named “Snow.”
- The bundle includes a browser extension (SnowBelt), a tunneler (SnowGlaze), and a backdoor (SnowBasin).
- The operators rely on social engineering and targeted outreach via Microsoft Teams after initial email-based pressure tactics.
- The ultimate objective is credential theft, domain takeover, and data exfiltration once deep access to a network is achieved.
Delivery Vector and Initial Access
- The attacker leverages an “email bombing” approach to create urgency and compel outreach.
- Targets are contacted through Microsoft Teams, posing as IT helpdesk agents to gain trust and bypass skepticism.
- Victims are prompted to click a link under the guise of installing a patch that supposedly blocks email spam.
- The clicked link triggers the installation of a dropper that runs AutoHotkey scripts to load SnowBelt, the Chrome extension component of the malware.
The Snow Toolchain: Roles and Interactions
- SnowBelt: A browser extension that serves as a persistence and delivery mechanism within the browser environment.
- SnowGlaze: A tunneler that establishes a WebSocket-based channel to mask communications between the infected host and the operator’s C2 infrastructure; it also enables SOCKS proxy functionality to forward arbitrary TCP traffic.
- SnowBasin: A Python-based backdoor that runs a local HTTP server, executes attacker-provided CMD or PowerShell commands, and relays results back through the same tunnel.
- Together, SnowBelt, SnowGlaze, and SnowBasin form a coordinated toolset designed for stealthy command execution, data exfiltration, and remote control.
Persistence and Evasion Techniques
- The browser extension runs in a headless Microsoft Edge instance, so it produces little user-visible activity that might alert the victim.
- Persistence is achieved via scheduled tasks and a startup folder shortcut, ensuring the malware is relaunched whenever the system restarts.
- SnowBelt acts as a gateway for ongoing control, while SnowGlaze’s tunneling helps obscure the operator’s traffic from standard monitoring.
Command and Control Architecture
- Communications are channeled through a WebSocket tunnel established by SnowGlaze, concealing instructions from casual observation.
- SnowGlaze supports SOCKS proxy operations, enabling the attacker to route arbitrary TCP traffic through the compromised host.
- SnowBasin executes commands locally and reports results back to the operator through the same tunnel.
Capabilities of the SnowBasin Backdoor
- Remote shell access to the infected system.
- File transfer capabilities for exfiltrating sensitive materials.
- Screen capture and basic file management operations for reconnaissance.
- Self-termination capability to shut down the backdoor if commanded by the operator.
Lateral Movement and Internal Reconnaissance
- Post-compromise activity includes internal reconnaissance to identify services such as SMB and RDP for further expansion.
- The attackers perform credential dumping (e.g., LSASS memory) and use pass-the-hash techniques to authenticate to additional hosts.
- The objective is to reach domain controllers to consolidate control over the network.
Credential Access, Exfiltration, and Data Targets
- The operation culminates in the extraction of the Active Directory database and sensitive registry hives (SYSTEM, SAM, SECURITY) using FTK Imager.
- Exfiltration of these sensitive data sets occurs via an unusual channel; the report notes the use of LimeWire for data exfiltration, an example of out-of-band data movement.
- The resulting access enables broader domain compromise and potential long-term persistence across the organization’s network.
Indicators of Compromise and Detection Aids
- The threat framework provides detailed IoCs associated with Snow and its components.
- YARA rules are included to help defenders identify SnowBelt, SnowGlaze, and SnowBasin artifacts on endpoints and within networks.
- Security teams can focus on anomalous startup items, scheduled tasks, browser extension activity, and unusual WebSocket-based tunnels as starting points for investigation.
Observations and Implications
- The use of Microsoft Teams for helpdesk impersonation is a growing tactic in the threat landscape, expanding the social engineering playbook beyond email.
- A headless browser approach (Edge) minimizes the user-visible footprint of malicious activity, increasing the likelihood of successful execution.
- The integration of a tunneler and proxy capabilities gives attackers flexible, resilient channels for C2 and data movement, complicating network detection.
- In-depth post-compromise behavior (credential dumping, domain-level traversal, and AD data exfiltration) demonstrates a mature objective of long-term access and control rather than short-lived opportunistic theft.
Related Context and References
- The UNC6692 operation is described as leveraging social engineering to drop a multi-component malware kit into targeted environments.
- The Snow ecosystem—comprising SnowBelt, SnowGlaze, and SnowBasin—illustrates a modular approach: user-facing deception, covert tunneling, and a potent backdoor for remote execution.
- Observations align with broader trends of impersonation-based access attempts via enterprise collaboration platforms and the ongoing risks associated with credential dumping and lateral movement in Active Directory environments.
Final Notes on the Snow Campaign
- The Snow toolset represents a cohesive, multi-layered intrusion framework designed to achieve initial foothold, persistence, deep reconnaissance, and broad data exfiltration.
- Defenders are advised to examine collaboration platform abuse patterns, enforce strong patch management, monitor for headless browser sessions, and implement robust credential and endpoint monitoring to detect and disrupt such campaigns at multiple stages.
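As an added example (not code from the report or from Mandiant), the following Python hunt encodes three of the starting points named in the detection and persistence sections above: a headless Edge or Chrome process loading an unpacked extension, a browser launched by an AutoHotkey parent (the dropper behaviour described under initial access), and a scheduled task created to relaunch such a browser. It runs over constructed Sysmon-style process-creation records (Event ID 1 field names); the paths, task name and extension directory are placeholders, not indicators from the report.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 field names).
# Paths, task name and extension directory are placeholders, not report IoCs.
EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" --headless --load-extension="C:\Users\alice\AppData\Local\Temp\ext"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "EdgeUpdateHelper" /sc onlogon '
                    r'/tr "msedge.exe --headless --load-extension=C:\Users\alice\AppData\Local\Temp\ext"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Chromium-based browsers that can load a Chrome extension (Edge is Chromium-based).
BROWSER = re.compile(r"\\(msedge|chrome)\.exe$", re.I)


def headless_with_extension(cmd):
    """True when a command line runs a browser headless and loads an unpacked extension."""
    c = cmd.lower()
    return "--headless" in c and "--load-extension" in c


def classify(ev):
    """Return the names of the hunting rules an event matches (empty list if benign)."""
    hits = []
    image, cmd, parent = ev["Image"], ev["CommandLine"], ev["ParentImage"]
    is_browser = bool(BROWSER.search(image))
    if is_browser and headless_with_extension(cmd):
        hits.append("headless_browser_loading_unpacked_extension")
    if is_browser and re.search(r"autohotkey", parent, re.I):
        hits.append("browser_spawned_by_autohotkey")
    if (image.lower().endswith(r"\schtasks.exe") and "/create" in cmd.lower()
            and headless_with_extension(cmd)):
        hits.append("scheduled_task_persisting_headless_browser")
    return hits


def hunt(events):
    """Return (index, rule names) for every event that matches at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, rules in hunt(EVENTS):
        print(idx, EVENTS[idx]["Image"], rules)
```

The same rules translate directly to an EDR or SIEM query over real process-creation telemetry; the ordinary Edge launch from explorer.exe in the third record shows that headless mode alone is not the trigger, the combination with an unpacked extension or a scripting-engine parent is.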