New Snow Malware Deployed via Microsoft Teams Phishing Attack

A new malware suite called Snow is being deployed by the threat group UNC6692 through Microsoft Teams chats in which the attackers pose as IT helpdesk staff. The suite is built to steal sensitive data from compromised networks. Organizations should be alert to this lure and take protective measures against infection.

Malware & Ransomware · Severity: HIGH

Original Reporting

BleepingComputer · Bill Toulas

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 Basically, a threat group contacts employees over Microsoft Teams, posing as IT helpdesk, and talks them into installing software that steals information.

What Happened

A threat group tracked as UNC6692 has developed a new malware suite named Snow, which it deploys through social engineering over Microsoft Teams. The suite includes a browser extension, a tunneler, and a backdoor, all aimed at stealing sensitive data once the attackers have compromised a network through credential theft and domain takeover.

How It Works

The attackers first flood a target's inbox with spam (email bombing) to manufacture urgency. They then contact the victim over Microsoft Teams, posing as IT helpdesk agents, and offer a link to a supposed patch that will stop the spam. The link instead delivers a dropper that runs AutoHotkey scripts to load the malicious Chrome extension known as SnowBelt.

SnowBelt runs in a headless instance of Microsoft Edge (Edge is Chromium-based, so a Chrome extension loads in it unchanged), which means the victim never sees a browser window; the infection chain also creates scheduled tasks and shortcuts for persistence. The extension relays commands to a Python-based backdoor called SnowBasin, which lets the attackers execute commands remotely, exfiltrate data, and manage files on the infected system.
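The chain above leaves a distinctive process lineage on the endpoint: a script interpreter launching a browser headless with an extension loaded from disk, and a scheduled task that re-creates that launch. The following detection logic is an added example, not code from the report or from Mandiant/GTIG, and it runs over constructed process-creation events shaped like Sysmon Event ID 1. Because the report does not give the exact command lines, the example assumes the extension is side-loaded with the standard Chromium switches `--headless` and `--load-extension`, that the AutoHotkey interpreter keeps one of its usual binary names, and that persistence goes through `schtasks.exe`.

```python
"""Triage process-creation events for the SnowBelt loading chain described above.

Added example, not code from the report or from Mandiant/GTIG. It runs over
events shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine). The
report does not give the exact command lines, so three things are ASSUMED:
the extension is side-loaded into headless Edge with the standard Chromium
switches --headless and --load-extension, the AutoHotkey interpreter keeps
one of its usual binary names, and persistence is registered with schtasks.exe.
Every sample event below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


BROWSERS = {"msedge.exe", "chrome.exe"}
# Assumed interpreter names; the binary can be renamed, so this is one signal among several.
SCRIPT_HOSTS = {"autohotkey.exe", "autohotkey32.exe", "autohotkey64.exe", "autohotkeyu64.exe"}

HEADLESS = re.compile(r"(?i)(?:^|\s)--headless(?:=\S+)?(?=\s|$)")
LOAD_EXT = re.compile(r'(?i)--load-extension=(?:"([^"]+)"|([^\s"]+))')
USER_WRITABLE = re.compile(r"(?i)\\(?:Users|ProgramData|Temp)\\")


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(ev: ProcessEvent) -> list[tuple[str, str]]:
    """Return (severity, reason) pairs for one event; an empty list means nothing notable."""
    findings = []
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
    headless = bool(HEADLESS.search(cl))
    ext = LOAD_EXT.search(cl)
    ext_path = (ext.group(1) or ext.group(2)) if ext else None

    if img in BROWSERS:
        if headless and ext_path:
            findings.append(("HIGH", f"headless browser side-loading unpacked extension from {ext_path}"))
        elif ext_path and USER_WRITABLE.search(ext_path):
            findings.append(("MEDIUM", f"unpacked extension loaded from user-writable path {ext_path}"))
        elif headless:
            findings.append(("LOW", "browser started headless, so the user sees no window"))
        if parent in SCRIPT_HOSTS:
            findings.append(("HIGH", f"browser spawned by script interpreter {parent}"))
    elif img == "schtasks.exe" and "/create" in cl.lower() and headless:
        findings.append(("HIGH", "scheduled task registered to relaunch a headless browser"))
    return findings


def hunt(events: list[ProcessEvent]) -> list[tuple[int, str, str]]:
    """Triage a batch; returns (event index, severity, reason) for every finding."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in triage(ev)]


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    # 0: ordinary interactive launch from the taskbar: nothing notable
    ProcessEvent(EDGE, r"C:\Windows\explorer.exe", f'"{EDGE}" --profile-directory=Default'),
    # 1: the chain from the report: AutoHotkey starts Edge headless with an extension under %APPDATA%
    ProcessEvent(EDGE, r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe",
                 rf'"{EDGE}" --headless=new --load-extension="C:\Users\jdoe\AppData\Roaming\upd\ext" --disable-gpu'),
    # 2: persistence: a logon task whose action is the same headless browser command
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
                 rf'schtasks.exe /create /tn "EdgeUpdateCheck" /tr "{EDGE} --headless=new '
                 r'--load-extension=C:\Users\jdoe\AppData\Roaming\upd\ext" /sc onlogon'),
    # 3: a developer loading an unpacked extension in a visible window: worth a look, not an alert
    ProcessEvent(CHROME, r"C:\Windows\explorer.exe", rf'"{CHROME}" --load-extension=C:\Users\dev\src\myext'),
]

if __name__ == "__main__":
    for idx, sev, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: [{sev}] {why}")
```

The severities are deliberately layered: a headless browser or a side-loaded extension on its own is common enough in developer environments to be noise, but the combination, or a browser whose parent is a script interpreter, is rare in normal fleets and is the pattern the report describes. Feed real Sysmon or EDR process events into `hunt` and tune `SCRIPT_HOSTS` and `USER_WRITABLE` to your estate.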

Who's Being Targeted

The targets are organizations whose employees can be reached over Microsoft Teams. Once inside, the attackers conduct internal reconnaissance to find additional systems to move to, including hosts exposing SMB and RDP.

Signs of Infection

Organizations should be aware of unusual activities such as:

🔴 Unexpected prompts for software installations via Teams, in particular a "patch" offered by someone claiming to be IT helpdesk shortly after a burst of spam.

🟡 Unrecognized browser extensions installed on user devices.

🟠 Increased network traffic directed to unknown external addresses.
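The second sign, an unrecognized extension, can be checked without opening a browser on every host, because Edge and Chrome record installed extensions in the profile's `Secure Preferences` (or `Preferences`) JSON file. The audit below is an added example, not from the report or from Mandiant. It assumes Chromium's `ManifestLocation` codes 4 (unpacked) and 8 (command line) mark disk-loaded extensions, and it runs over a constructed profile whose extension names and permissions are invented, not SnowBelt's.

```python
r"""Audit a Chromium-family profile for side-loaded extensions.

Added example, not from the report. Edge and Chrome record installed
extensions under the "extensions" -> "settings" key of the profile's
"Secure Preferences" (or "Preferences") JSON, e.g.
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Secure Preferences.
Store installs keep a relative path (<id>\<version>) and from_webstore=true;
an extension loaded from disk points at an absolute path. The location codes
4 (unpacked) and 8 (command line) follow Chromium's ManifestLocation enum and
are an assumption of this example. The profile JSON below is constructed; the
names and permissions in it are invented, not SnowBelt's.
"""
import json
import re

SIDELOAD_LOCATIONS = {4, 8}
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/)")   # drive letter, UNC, or POSIX root


def host_permissions(manifest: dict) -> set[str]:
    """Collect host patterns: MV3 lists them in host_permissions, MV2 mixes them into permissions."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return hosts


def audit_extensions(prefs_json: str) -> list[dict]:
    """Return one record per extension that was not installed the normal (store) way."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        path = entry.get("path", "")
        reasons = []
        if ABSOLUTE.match(path):
            reasons.append(f"absolute install path {path}")
        if entry.get("location") in SIDELOAD_LOCATIONS:
            reasons.append(f"location code {entry['location']} (unpacked or command line)")
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the web store")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", "?"),
                "hosts": sorted(host_permissions(manifest)),
                "reasons": reasons,
            })
    return findings


# Constructed profile: one store install, one extension side-loaded from %APPDATA%.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
            "location": 1, "from_webstore": True, "state": 1,
            "path": r"abcdefghijklmnopabcdefghijklmnop\1.4.2_0",
            "manifest": {"name": "Corporate SSO helper", "version": "1.4.2", "manifest_version": 3,
                         "permissions": ["storage"], "host_permissions": ["https://sso.example.com/*"]},
        },
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "location": 8, "from_webstore": False, "state": 1,
            "path": r"C:\Users\jdoe\AppData\Roaming\upd\ext",
            "manifest": {"name": "Spam Filter Update", "version": "0.1", "manifest_version": 3,
                         "permissions": ["webRequest", "cookies", "nativeMessaging"],
                         "host_permissions": ["<all_urls>"]},
        },
    }}
})

if __name__ == "__main__":
    for rec in audit_extensions(SAMPLE_SECURE_PREFS):
        print(f"{rec['id']} {rec['name']} {rec['version']} hosts={rec['hosts']}")
        for why in rec["reasons"]:
            print(f"  - {why}")
```

Run `audit_extensions` over the `Secure Preferences` file of each profile under `User Data` for both Edge and Chrome; any hit with `<all_urls>` host access and no web store origin deserves a look at the directory it points to.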

How to Protect Yourself

To mitigate the risk of infection from the Snow malware:

Prevention

1. Educate employees about social engineering tactics and phishing attempts, including unsolicited Teams chats from purported IT helpdesk staff that follow an email flood.
2. Implement robust email filtering to reduce spam and phishing emails.

What to Watch

Mandiant has provided extensive indicators of compromise (IoCs) and YARA rules to help organizations detect the Snow malware suite. As the threat landscape evolves, vigilance and proactive measures are essential to safeguard sensitive data from similar attacks.

🔒 Pro Insight

The use of Microsoft Teams for malware distribution highlights a growing trend of leveraging trusted collaboration platforms for social engineering attacks.
