
UNC6692 Uses Microsoft Teams Impersonation to Deploy SNOW Malware

A newly tracked threat cluster identified as UNC6692 has been observed carrying out targeted intrusions by abusing Microsoft Teams, relying heavily on social engineering to deliver a sophisticated and multi-stage malware framework.

According to findings from Mandiant, the attackers impersonate internal IT help desk personnel and persuade employees to accept chat requests originating from accounts outside their organization. This method allows them to bypass traditional email-based phishing defenses by exploiting trust in workplace collaboration tools.

The attack typically begins with a deliberate email bombing campaign, where the victim’s inbox is flooded with large volumes of spam messages. This is designed to create confusion and urgency. Shortly after, the attacker initiates contact through Microsoft Teams, posing as technical support and offering assistance to resolve the email issue.

This combined tactic of inbox flooding followed by help desk impersonation is not entirely new. It has previously been linked to affiliates of the Black Basta ransomware group. Although that group ceased operations, the continued use of this playbook demonstrates how effective intrusion techniques often persist beyond the lifespan of the original actors.

Separate research published by ReliaQuest shows that these campaigns are increasingly focused on senior personnel. Between March 1 and April 1, 2026, 77% of observed incidents targeted executives and high-level employees, a notable increase from 59% earlier in the year. In some cases, attackers initiated multiple chat attempts within seconds, intensifying pressure on the victim to respond.

In many similar attacks, victims are convinced to install legitimate remote monitoring and management tools such as Quick Assist or Supremo Remote Desktop, which are then misused to gain direct system control. However, UNC6692 introduces a variation in execution.

Instead of deploying remote access software immediately, the attackers send a phishing link through Teams. The message claims that the link will install a patch to fix the email flooding problem. When clicked, the link directs the victim to download an AutoHotkey script hosted on an attacker-controlled Amazon S3 bucket. The phishing interface is presented as a tool named “Mailbox Repair and Sync Utility v2.1.5,” making it appear legitimate.

Once executed, the script performs initial reconnaissance to gather system information. It then installs a malicious browser extension called SNOWBELT on Microsoft Edge. This is achieved by launching the browser in headless mode and using command-line parameters to load the extension without user visibility.

To reduce the risk of detection, the attackers use a filtering mechanism known as a gatekeeper script. This ensures that only intended victims receive the full payload, helping evade automated security analysis environments. The script also verifies whether the victim is using Microsoft Edge. If not, the phishing page displays a persistent warning overlay, guiding the user to switch browsers.

After installation, SNOWBELT enables the download of additional malicious components, including SNOWGLAZE, SNOWBASIN, further AutoHotkey scripts, and a compressed archive containing a portable Python runtime with required libraries.

The phishing page also includes a fake configuration panel with a “Health Check” option. When users interact with it, they are prompted to enter their mailbox credentials, believing they are authenticating to their mailbox. In reality, this information is captured and transmitted to another attacker-controlled S3 storage location.

The SNOW malware framework operates as a coordinated system. SNOWBELT functions as a JavaScript-based backdoor that receives instructions from the attacker and forwards them for execution. SNOWGLAZE acts as a tunneling component written in Python, establishing a secure WebSocket connection between the compromised machine and the attacker’s command-and-control infrastructure. SNOWBASIN provides persistent remote access, allowing command execution through system shells, capturing screenshots, transferring files, and even removing itself when needed. It operates by running a local HTTP server on ports 8000, 8001, or 8002.

Once inside the network, the attackers expand their control through a series of post-exploitation activities. They scan for commonly used network ports such as 135, 445, and 3389 to identify opportunities for lateral movement. Using the SNOWGLAZE tunnel, they establish remote sessions through tools like PsExec and Remote Desktop.
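The preceding paragraphs describe three observable behaviours a defender can look for: Edge launched headless with an extension loaded from disk (the SNOWBELT install), a non-browser process accepting connections on the SNOWBASIN ports 8000-8002, and one host probing many peers on 135/445/3389. The following script is an added example written for this article, not code from Mandiant or from the campaign; it applies those three rules to a constructed batch of Sysmon-style process-creation and network events. The `--headless` and `--load-extension` switches are real Chromium/Edge command-line flags; the event layout, hostnames, paths and the fan-out threshold are assumptions made for the example.

```python
"""Constructed detection rules for the SNOW intrusion chain described above.

Input is a list of Sysmon-style events (dicts) built inline for the example,
not real telemetry from the campaign. Three rules are applied:
  1. Microsoft Edge launched headless with an extension loaded from disk
     (the SNOWBELT installation step).
  2. A non-browser process accepting connections on the SNOWBASIN ports
     8000-8002.
  3. One host fanning out to many peers on 135/445/3389 (the lateral-movement
     port scan).
"""
from collections import defaultdict

SNOWBASIN_PORTS = {8000, 8001, 8002}
LATERAL_PORTS = {135, 445, 3389}
FANOUT_THRESHOLD = 10  # distinct destinations per (host, port) before alerting

# Constructed sample events loosely modelled on Sysmon event ID 1 (process
# creation) and ID 3 (network connection). Paths and addresses are invented.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'msedge.exe --headless --load-extension="C:\Users\u\AppData\Local\Temp\ext" about:blank',
     "parent": r"C:\Users\u\AppData\Local\Temp\MailboxRepair.exe"},
    {"id": 1, "host": "WS01",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe https://intranet.example",
     "parent": r"C:\Windows\explorer.exe"},
    # Inbound connection accepted by a portable Python runtime on 8001.
    {"id": 3, "host": "WS01", "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "src": "127.0.0.1", "sport": 8001, "dst": "127.0.0.1", "dport": 51000, "initiated": False},
    # Ordinary browser traffic on a local dev port: same port, but a browser.
    {"id": 3, "host": "WS03", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "src": "127.0.0.1", "sport": 8000, "dst": "127.0.0.1", "dport": 52000, "initiated": False},
    # WS01 probing twelve hosts on SMB within the same batch of events.
    *[{"id": 3, "host": "WS01", "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
       "src": "10.0.0.5", "sport": 50000 + i, "dst": f"10.0.1.{i}", "dport": 445, "initiated": True}
      for i in range(1, 13)],
    # A single SMB connection from another host: normal file-share use.
    {"id": 3, "host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "src": "10.0.0.6", "sport": 50001, "dst": "10.0.0.10", "dport": 445, "initiated": True},
]

BROWSERS = ("msedge.exe", "chrome.exe", "firefox.exe")


def headless_edge_extension(events):
    """Rule 1: msedge.exe started with both --headless and --load-extension."""
    alerts = []
    for e in events:
        if e["id"] != 1 or not e["image"].lower().endswith("msedge.exe"):
            continue
        cmd = e["cmdline"].lower()
        if "--headless" in cmd and "--load-extension" in cmd:
            alerts.append({"rule": "headless_edge_extension", "host": e["host"],
                           "detail": f"parent={e['parent']} cmdline={e['cmdline']}"})
    return alerts


def snowbasin_listener(events):
    """Rule 2: inbound connection on 8000-8002 accepted by a non-browser image."""
    alerts = []
    for e in events:
        if e["id"] != 3 or e["initiated"] or e["sport"] not in SNOWBASIN_PORTS:
            continue
        if e["image"].lower().endswith(BROWSERS):
            continue
        alerts.append({"rule": "snowbasin_listener", "host": e["host"],
                       "detail": f"image={e['image']} port={e['sport']}"})
    return alerts


def lateral_port_fanout(events, threshold=FANOUT_THRESHOLD):
    """Rule 3: a host contacting >= threshold distinct peers on one lateral port."""
    peers = defaultdict(set)
    for e in events:
        if e["id"] == 3 and e["initiated"] and e["dport"] in LATERAL_PORTS:
            peers[(e["host"], e["dport"])].add(e["dst"])
    return [{"rule": "lateral_port_fanout", "host": host,
             "detail": f"port={port} distinct_peers={len(dsts)}"}
            for (host, port), dsts in sorted(peers.items()) if len(dsts) >= threshold]


def run_rules(events):
    """Apply all three rules and return the combined alert list."""
    return headless_edge_extension(events) + snowbasin_listener(events) + lateral_port_fanout(events)


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

The parent process is carried into the first alert on purpose: a browser spawned headless by something in a user's Temp directory is far more telling than the flags alone. The fan-out rule counts distinct destinations rather than raw connections, so a chatty but legitimate file-share client does not trip it.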

Privilege escalation is achieved by extracting sensitive credential data from the system’s LSASS process, a critical Windows component responsible for storing authentication information. Attackers then use the Pass-the-Hash technique, which allows them to authenticate across systems using stolen password hashes without needing the actual passwords.

To extract valuable data, they deploy tools such as FTK Imager to capture sensitive files, including Active Directory databases. These files are staged locally before being exfiltrated using file transfer utilities like LimeWire.

Mandiant researchers note that this campaign reflects an evolution in attack strategy by combining social engineering, custom malware, and browser-based persistence mechanisms. A key element is the abuse of trusted cloud platforms for hosting malicious payloads and managing command-and-control operations. Because these services are widely used and trusted, malicious traffic can blend in with legitimate activity, making detection more difficult.

A related campaign reported by Cato Networks highlights similar tactics, where attackers use voice-based phishing within Teams to guide victims into executing a PowerShell script that deploys a WebSocket-based backdoor known as PhantomBackdoor.

Security experts emphasize that collaboration platforms must now be treated as primary attack surfaces. Controls such as verifying help desk communications, restricting external access, limiting screen sharing, and securing PowerShell execution are becoming essential defenses.

Microsoft has also warned that attackers are exploiting cross-organization communication within Teams to establish remote access using legitimate support tools. After initial compromise, they conduct reconnaissance, deploy additional payloads, and establish encrypted connections to their infrastructure.

To maintain persistence, attackers may deploy fallback remote management tools such as Level RMM. Data exfiltration is often carried out using synchronization tools like Rclone. They may also use built-in administrative protocols such as Windows Remote Management to move laterally toward high-value systems, including domain controllers.

These intrusion chains rely heavily on legitimate software and standard administrative processes, allowing attackers to remain hidden within normal enterprise activity across multiple stages of the attack lifecycle.

State-Backed Harvester Group is Going After Telecommunications Providers


Researchers have discovered a previously unknown state-sponsored actor conducting cyberattacks against South Asian telecommunications companies and IT corporations using a unique combination of tooling. The group's goal is believed to be information theft: it runs highly focused espionage campaigns against IT, telecom, and government organizations. Harvester is a new threat actor with no known ties to existing groups, as its malicious tools had never been encountered in the wild before.

"The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT)," Symantec researchers said. "The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor."

The attackers appear to rely on a set of backdoors and tools, among them the Graphon backdoor, a custom downloader, a custom screenshotter, Metasploit, and Cobalt Strike Beacon. Although Symantec researchers were unable to determine the initial attack vector, they found evidence that a malicious URL was used for that purpose.

The Graphon backdoor gives the attackers remote access to the network and hides their presence by blending command-and-control (C2) traffic with legitimate traffic to CloudFront and Microsoft infrastructure. The custom downloader is notably capable: it creates the files it needs, adds a registry value for a new load-point, and opens an embedded web browser at hxxps:/usedust[.]com.

Although this address appears to be where the Graphon backdoor is retrieved from, the actors are only using the URL as a decoy to cause confusion. The custom screenshot tool captures screenshots of the desktop and saves them to a password-protected ZIP archive, which Graphon then exfiltrates. Each ZIP file is kept for a week before being automatically deleted.

While there isn't enough proof to link Harvester's activities to a single nation-state, the group's use of custom backdoors, intensive efforts to conceal its harmful activity, and targeting all point to it being a state-sponsored actor, according to Symantec researchers. Given the recent upheaval in Afghanistan, the campaign's targeting of organizations in that nation is also intriguing. Harvester's activities make it evident that the goal of this campaign is espionage, which is a common incentive for nation-state-backed action, the researchers added.

Nobelium APT Group Uses Custom Backdoor to Target Windows Domains


Researchers from Microsoft Threat Intelligence Center (MSTIC) identified FoggyWeb, a new custom malware utilized by the Nobelium APT group to distribute further payloads and steal critical information from Active Directory Federation Services (AD FS) servers. 

FoggyWeb is a post-exploitation backdoor utilized by the APT group to remotely exfiltrate the setup databases of affected Active Directory Federation Services (AD FS) servers, as well as the decrypted token-signing and token-decryption certificates. It also enables threat actors to download and execute additional elements. 

The analysis published by Microsoft stated, “Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.” 

“Use of FoggyWeb has been observed in the wild as early as April 2021.” 

The attackers load FoggyWeb from the encrypted file Windows.Data.TimeZones.zh-PH.pri by way of a malicious version.dll. That DLL is loaded by the legitimate AD FS service executable 'Microsoft.IdentityServer.ServiceHost.exe' through DLL search order hijacking, a technique that abuses how the core Common Language Runtime (CLR) DLL files are resolved.

To decrypt the backdoor directly in memory, the loader employs a custom Lightweight Encryption Algorithm (LEA) routine. The backdoor then sets up HTTP listeners for actor-defined URIs in order to intercept GET/POST requests to the AD FS server that match the custom URI patterns.
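The loading mechanism above leaves a simple artefact to hunt for: a DLL with a well-known System32 name sitting in the AD FS service's own directory, where the search order finds it before the genuine copy. The script below is an added example written for this article, not Microsoft's or MSTIC's tooling; it scans a file listing for exactly that pattern and for the payload file name reported in the post. The listing is constructed: C:\Windows\ADFS is the default AD FS install directory, but the placement of the planted files and the extra DLL names beyond version.dll are assumptions for the example.

```python
"""Hunt for the DLL search-order hijack used to load FoggyWeb.

The loader is a version.dll placed where Microsoft.IdentityServer.ServiceHost.exe
resolves it before the genuine copy in System32; the backdoor itself sits in an
encrypted file named Windows.Data.TimeZones.zh-PH.pri. Given a file listing
(a constructed one here, not a real host), flag well-known system DLL names
found beside the AD FS service executable and any file carrying the payload name.
"""
from pathlib import PureWindowsPath

HOST_EXE = "microsoft.identityserver.servicehost.exe"
# version.dll is the name reported for FoggyWeb; the others are commonly abused
# System32 DLL names added here for breadth (extend per environment).
WATCHED_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "cryptbase.dll"}
PAYLOAD_NAMES = {"windows.data.timezones.zh-ph.pri"}
SYSTEM_DIRS = {PureWindowsPath(r"C:\Windows\System32"), PureWindowsPath(r"C:\Windows\SysWOW64")}

# Constructed listing. C:\Windows\ADFS is the default AD FS install directory;
# the planted file locations below are assumptions for the example.
SAMPLE_LISTING = [
    r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe",
    r"C:\Windows\ADFS\Microsoft.IdentityServer.dll",
    r"C:\Windows\ADFS\version.dll",
    r"C:\Windows\SystemResources\Windows.Data.TimeZones.zh-PH.pri",
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\dbghelp.dll",
]


def find_dll_planting(paths, host_exe=HOST_EXE, watched=WATCHED_DLLS):
    """Return sorted (finding, path) tuples for suspicious files in `paths`."""
    wp = [PureWindowsPath(p) for p in paths]
    # Directories holding the host binary: the first stop in the DLL search order.
    host_dirs = {p.parent for p in wp if p.name.lower() == host_exe}
    findings = []
    for p in wp:
        name = p.name.lower()
        # A watched DLL name beside the service binary, outside the system
        # directories, shadows the genuine library for that process.
        if name in watched and p.parent in host_dirs and p.parent not in SYSTEM_DIRS:
            findings.append(("dll_search_order_planting", str(p)))
        if name in PAYLOAD_NAMES:
            findings.append(("foggyweb_payload_name", str(p)))
    return sorted(findings)


if __name__ == "__main__":
    for finding, path in find_dll_planting(SAMPLE_LISTING):
        print(f"{finding}: {path}")
```

On a live server the listing would come from a directory walk of the AD FS install path and of any directory on the service's search path; confirming a hit means comparing the file's signature and hash against the genuine System32 copy, since a planted DLL will not carry a Microsoft signature.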

Microsoft researchers offered the following advice to companies that have been affected or are suspected of being under attack by the group:
  • Examine your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and any other modifications made by the actor to retain their access.
  • Remove user and app access, review the settings of each one, and re-issue fresh, strong credentials in accordance with established industry best practices.
  • To prevent the exfiltration of secrets via FoggyWeb, use a hardware security module (HSM), as explained in Securing AD FS servers.

The NOBELIUM APT is the threat actor behind the SolarWinds supply chain attack, which included various implant families such as the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors.

NOBELIUM focuses on government agencies, non-governmental organizations (NGOs), think tanks, military, information technology service providers, health technologies and research, and telecommunications providers.