Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Helpdesk Social Engineering. Show all posts
phishing
Black Basta Ransomware Custom Malware Email Helpdesk Social Engineering Microsoft Teams phishing

UNC6692 Uses Microsoft Teams Impersonation to Deploy SNOW Malware

 



A newly tracked threat cluster identified as UNC6692 has been observed carrying out targeted intrusions by abusing Microsoft Teams, relying heavily on social engineering to deliver a sophisticated and multi-stage malware framework.

According to findings from Mandiant, the attackers impersonate internal IT help desk personnel and persuade employees to accept chat requests originating from accounts outside their organization. This method allows them to bypass traditional email-based phishing defenses by exploiting trust in workplace collaboration tools.

The attack typically begins with a deliberate email bombing campaign, where the victim’s inbox is flooded with large volumes of spam messages. This is designed to create confusion and urgency. Shortly after, the attacker initiates contact through Microsoft Teams, posing as technical support and offering assistance to resolve the email issue.

This combined tactic of inbox flooding followed by help desk impersonation is not entirely new. It has previously been linked to affiliates of the Black Basta ransomware group. Although that group ceased operations, the continued use of this playbook demonstrates how effective intrusion techniques often persist beyond the lifespan of the original actors.

Separate research published by ReliaQuest shows that these campaigns are increasingly focused on senior personnel. Between March 1 and April 1, 2026, 77% of observed incidents targeted executives and high-level employees, a notable increase from 59% earlier in the year. In some cases, attackers initiated multiple chat attempts within seconds, intensifying pressure on the victim to respond.

In many similar attacks, victims are convinced to install legitimate remote monitoring and management tools such as Quick Assist or Supremo Remote Desktop, which are then misused to gain direct system control. However, UNC6692 introduces a variation in execution.

Instead of deploying remote access software immediately, the attackers send a phishing link through Teams. The message claims that the link will install a patch to fix the email flooding problem. When clicked, the link directs the victim to download an AutoHotkey script hosted on an attacker-controlled Amazon S3 bucket. The phishing interface is presented as a tool named “Mailbox Repair and Sync Utility v2.1.5,” making it appear legitimate.

Once executed, the script performs initial reconnaissance to gather system information. It then installs a malicious browser extension called SNOWBELT on Microsoft Edge. This is achieved by launching the browser in headless mode and using command-line parameters to load the extension without user visibility.

To reduce the risk of detection, the attackers use a filtering mechanism known as a gatekeeper script. This ensures that only intended victims receive the full payload, helping evade automated security analysis environments. The script also verifies whether the victim is using Microsoft Edge. If not, the phishing page displays a persistent warning overlay, guiding the user to switch browsers.

After installation, SNOWBELT enables the download of additional malicious components, including SNOWGLAZE, SNOWBASIN, further AutoHotkey scripts, and a compressed archive containing a portable Python runtime with required libraries.

The phishing page also includes a fake configuration panel with a “Health Check” option. When users interact with it, they are prompted to enter their mailbox credentials under the assumption of authentication. In reality, this information is captured and transmitted to another attacker-controlled S3 storage location.

The SNOW malware framework operates as a coordinated system. SNOWBELT functions as a JavaScript-based backdoor that receives instructions from the attacker and forwards them for execution. SNOWGLAZE acts as a tunneling component written in Python, establishing a secure WebSocket connection between the compromised machine and the attacker’s command-and-control infrastructure. SNOWBASIN provides persistent remote access, allowing command execution through system shells, capturing screenshots, transferring files, and even removing itself when needed. It operates by running a local HTTP server on ports 8000, 8001, or 8002.

Once inside the network, the attackers expand their control through a series of post-exploitation activities. They scan for commonly used network ports such as 135, 445, and 3389 to identify opportunities for lateral movement. Using the SNOWGLAZE tunnel, they establish remote sessions through tools like PsExec and Remote Desktop.

Privilege escalation is achieved by extracting sensitive credential data from the system’s LSASS process, a critical Windows component responsible for storing authentication information. Attackers then use the Pass-the-Hash technique, which allows them to authenticate across systems using stolen password hashes without needing the actual passwords.

To extract valuable data, they deploy tools such as FTK Imager to capture sensitive files, including Active Directory databases. These files are staged locally before being exfiltrated using file transfer utilities like LimeWire.

Mandiant researchers note that this campaign reflects an evolution in attack strategy by combining social engineering, custom malware, and browser-based persistence mechanisms. A key element is the abuse of trusted cloud platforms for hosting malicious payloads and managing command-and-control operations. Because these services are widely used and trusted, malicious traffic can blend in with legitimate activity, making detection more difficult.

A related campaign reported by Cato Networks underlines similar tactics, where attackers use voice-based phishing within Teams to guide victims into executing a PowerShell script that deploys a WebSocket-based backdoor known as PhantomBackdoor.

Security experts emphasize that collaboration platforms must now be treated as primary attack surfaces. Controls such as verifying help desk communications, restricting external access, limiting screen sharing, and securing PowerShell execution are becoming essential defenses.

Microsoft has also warned that attackers are exploiting cross-organization communication within Teams to establish remote access using legitimate support tools. After initial compromise, they conduct reconnaissance, deploy additional payloads, and establish encrypted connections to their infrastructure.

To maintain persistence, attackers may deploy fallback remote management tools such as Level RMM. Data exfiltration is often carried out using synchronization tools like Rclone. They may also use built-in administrative protocols such as Windows Remote Management to move laterally toward high-value systems, including domain controllers.

These intrusion chains rely heavily on legitimate software and standard administrative processes, allowing attackers to remain hidden within normal enterprise activity across multiple stages of the attack lifecycle.

Read more »
supply chain attacks
Crypto-Funded Crime Cyber Extortion cyber threat Data Exfiltration Helpdesk Social Engineering Insider Threats Ransomware Retail Cyber Resilience supply chain attacks

Ransomware Profits Shrink Forcing Criminal Gangs to Innovate

 


Ransomware networks are increasingly using unconventional recruitment channels to recruit new operators. Using blatant job-style announcements online, these networks are enlisting young, inexperienced operators with all sorts of job experience in order to increase their payouts. 

There is a Telegram post from a channel that is connected to an underground collective that emphasizes the importance of female applicants, dismissing nationality barriers and explicitly welcoming people who have no previous experience in recruitment, with the promise to train recruits “from scratch” while emphasizing the expectation that they will learn rapidly.

In return, the position was advertised as being available during weekdays between 12 p.m. and 6 p.m. Eastern Time and being compensated $300 per successful call, which is paid out exclusively in cryptocurrency. It was far from a legitimate job offer, but it served as a gateway into a thriving criminal ecosystem known as The Community or The Com, a loosely connected group of about 1,000 individuals, many of whom are children in middle and high school. 

In order to operate, the network relies on fluid, short-lived alliances, constantly reshaping its structure in what cybersecurity researcher Allison Nixon calls an "infernal soup" of overlapping partnerships, which recur continuously. 

In the years since 2022, the collective and its evolving offshoots have carried out sustained intrusion campaigns against large corporations across the United States and the United Kingdom that have been referred to by previously referred to as Scattered Spider, ShinyHunters, Lapsus$, SLSH, and many others, among others. 

It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion. It is estimated that these sort of attacks, which include data breaches, credential theft, account takeovers, spear phishing, and digital extortion, may have compromised companies with a market value of more than $1 trillion. 

In the coming weeks, Silent Push will unveil a new research report based on cyber intelligence research conducted by Silent Push, Silent Push's partner firm Silent Push's affiliate Silent Push. Legal documents indicate that at least 120 organizations, as well as 120 brands, have been targeted, ranging from the worldwide giant Chick-fil-A, to the global giants of Instacart, Louis Vuitton, Morningstar, News Corporation, Nike, Tinder, T-Mobile, T-Mobile, Vodafone, and T-Mobile, Vodafone among others. 

This indicates that modern ransomware crime rings have undergone a major shift in both their operational strategy as well as the talent pool they utilize. In a world where profit margins are tightening, ransomware operations are changing, forcing threat actors to choose their victims with greater deliberateness and design attack models that are increasingly engineered. 

According to Coveware, the analysis division within Veeam, ransomware campaigns are no longer driven by broad, opportunistic targeting, but rather by pressure to extract leverage through precision and psychological manipulation in order to gain a competitive edge. There was a stark shift in corporate behavior during the third quarter that signaled a dramatic change in behavior in the ransomware industry. 

The proportion of victims paying ransoms fell below 25 percent for the first time ever in the history of ransomware tracking. However, when payments were made, they reflected a contraction that was unprecedented — an average of $376,941 with a median payout of $140,000. This represents a two-thirds decline from the previous quarter. 

There has been a decline in trust among major enterprises as a result of the downturn, particularly around the claim that stolen data would be permanently deleted after payment. This skepticism has had a material negative impact on exfiltration-only extortion, which has been reduced by 19 percent in ransom compliance. 

According to industry researchers, the financial strain has fractured the ransomware economy, resulting in 81 unique data-leak sites being recorded in Q3, the highest number to date, as emerging groups fill the void left by larger syndicates exiting the arena, following suit with their own ransomware campaigns. 

In spite of this dispersion, targeted groups have developed an erratic targeting behavior, drawing markets that were previously considered peripheral, including Southeast Asia, such as Thailand, and Thailand in particular. Especially recently, attackers have targeted midsize organizations that are lacking the financial resilience to weather sustained disruption – such as Russian-speaking crews like Akira and Qilin – even if they cannot meet multimillion-dollar demands that are being demanded. 

It is not only about victim realignment; operators are also exploring a broad range of revenue-enhancement strategies, including insider recruitment and bribery, social engineering on the helpdesk, supply chain compromise, and callback phishing, a tactic first developed in 2021 by the Ryuk group to destabilize defenses by causing victims to contact attackers directly, which in turn would disrupt defenses. 

Cisco Talos research highlights the importance of live negotiation in security, noting that attackers have been using real-time phone interaction to weaponize emotional pressure and adaptive social engineering to increase the effectiveness of attacks. Despite the fact that raw economic incentives have failed to deliver historical returns, modern ransomware groups have evolved a new way of leveraging influence, as evidenced by recent research. 

It has become apparent over the past few months that cybercriminal groups are increasingly embracing high-profile consumer brands in their strategic entanglements, as well as a marked shift in how these brands are defending themselves against such attacks. 

During the late spring and early summer of 2018, cybercrime collective Scattered Spider, a decentralized cybercrime collective that is known for targeting retail and supply chain organizations, targeted major retail and supply chain organizations including Victoria's Secret, United Natural Foods, and Belk, among others.

As the incidents unfolded, and the industry as a whole mobilized to defend itself against the attacks, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) was established, an intelligence-sharing organization that coordinates the collective cybersecurity defense by retail enterprises. 

The RH-ISAC played an important role in the escalating digital threats and the tightening budgets for security in the retail and hospitality industries, industry intelligence releases indicate that there is also a parallel increase in executive alignment and organizational preparedness across the two industry sectors. There has been an increase in the number of chief information security officers reporting directly to senior business leaders as reflected in a recent study conducted by RH-ISAC. 

In a way, this represents a 12-point increase from the previous year, signaling that cybersecurity has become more integrated into corporate strategy rather than being separated from IT. It has been noted by sector leaders that, as a result of this structural shift, security chiefs have become an increasingly important part of commercial decision-making, with their influence extending beyond breach prevention to risk governance, vendor evaluation, and business continuity planning. 

There is no doubt that the same report showed that operational resilience has emerged as a major priority in the boardroom, ranking at the top for approximately half of the organizations surveyed. 

During the conference, the leadership of RH-ISAC highlighted the industry's need to focus on recovery readiness, incident response coordination, and cross-company intelligence exchange, all of which are now considered essential to maintaining customer trust and continuous supply chains in an environment where reputational damage can often outweigh technical damage. 

Although some retail and hospitality enterprises are still faced with the challenge of tight security functions and the apparent friction between deploying them rapidly as well as ensuring that the security remains airtight, many enterprises have been able to demonstrate an improved capacity for absorbing and responding to sustained adversarial pressure. 

Analysts observe that recent high-profile compromises have not derail the industry but have instead tested its defenses and, in several cases, validated them. In this regard, the growing emphasis on cyber resilience is emerging from an aspiration to a reality as a result of orchestrating coordinated response strategies, sharing threat intelligence, mitigation frameworks, and incident guidelines to help organizations prevent becoming successive targets for cyber crimes. 

During the course of the center's response, European retail partners were able to share their insights quickly with the center, since they were facing Scattered Spider operations only weeks earlier. As early as April, the same group had breached a number of U.K. retail organizations including Harrods, Marks & Spencer, and the Co-op, which resulted in emergency advisories from British law enforcement and national cyber agencies advising the public. 

A cross-border intelligence dialogue was held by RH-ISAC in light of those developments to gain an in-depth understanding of the group's evolving tactics. Shortly after the U.K. attacks, the organization held a members-only threat briefing with researchers from Mandiant, Google's cyber intelligence division, to review operational patterns, attacker behavior, and defensive weaknesses. 

RH-ISAC's intelligence coordination with British retailers has enabled them to refine the attribution signals and enhance their early-warning models before the group escalated operations in North America and it was no surprise that they achieved this. 

During this series of breaches, it was revealed that the collective was heavily dependent on young, loosely affiliated operators, but that the retail industry was also making a marked departure from historically isolated incident management models, and instead was increasingly committed to collaborative defenses, intelligence reciprocity, and coordinated response planning. 

There has been a significant evolution in ransomware in recent years, marking the beginnings of a new era of cyber defenses for consumer-facing industries in which economics, psychology, and collaboration are coming together as critical forces. 

In the age of fragmented threat groups, a growing number of recruits, and more manipulative attack models, resilience cannot be solely based on perimeter security. There are experts in the field who emphasize the importance of pairing rapid threat detection with institutional memory, so that organizations can preserve information from every incident, regardless of how quickly attacker infrastructure or affiliations erode. 

A growing number of organizations are implementing protocols for verifying helpdesks, monitoring insider threats, performing supply chain risk audits, and sharing cross-border intelligence. This is an era in which human weaknesses are exploited as aggressively as software flaws, and these protocols are emerging as non-negotiable defenses. 

Meanwhile, the shift towards executive security ownership in retail and hospitality is a blueprint for other sectors as well, since cybersecurity influence needs to be integrated with business strategy rather than being buried beneath it. 

There are a number of recommendations for organizations to implement continuous employee awareness conditioning, stricter playbooks for recovering access, simulated social engineering drills, and incident response alliances that are as fast as an attacker can move. 

Essentially, resilience is not being able to compromise. It does not imply that you do not compromise, but that you are able to recover more rapidly, coordinate more effectively, and think quicker than the opposition.
Read more »
Subscribe to: Posts (Atom)