UNC6692

All articles tagged with #unc6692

UNC6692 leverages Teams impersonations to deploy Snow malware for credential theft and domain takeover
technology, 1 month ago

Researchers say the threat group UNC6692 uses email bombing to pressure targets and then contacts them via Microsoft Teams, posing as the IT helpdesk to talk them into installing a fake patch that drops Snow, a custom malware suite (SnowBelt browser extension, SnowGlaze tunneler, SnowBasin backdoor). SnowBelt provides persistence and relays commands to SnowBasin through a headless Edge session, while SnowGlaze establishes a WebSocket tunnel and SOCKS proxy for C2 communication. SnowBasin executes attacker commands, provides a remote shell, and exfiltrates data; LSASS memory dumps and pass-the-hash techniques then support internal reconnaissance and lateral movement to domain controllers, and the attackers collect Active Directory data with FTK Imager and exfiltrate it via LimeWire. The report includes IoCs and YARA rules to detect Snow.

Threat Actors Weaponize Teams Messaging to Breach Enterprises
cyber-security-news, 1 month ago

UNC6692 runs a multistage intrusion that begins with mass email bombardment and escalates via impersonation of IT staff in Microsoft Teams, guiding victims to a phishing landing page hosted on AWS S3. The campaign then harvests credentials, deploys a modular malware suite (SNOWBELT), and uses cloud-based C2 and data staging to exfiltrate data and compromise domain controllers, highlighting the need to restrict external Teams access and monitor cloud egress and browser extensions for anomalous activity.
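The two summaries above describe the same chain from two angles: a headless Edge session hosting a malicious extension, LSASS memory access for credential theft, and external Teams messages from a tenant posing as IT support. The following is an added detection sketch (not tooling from the report or from the articles) that runs one rule for each of those stages over constructed sample telemetry. Field names for the process events follow Sysmon's ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) schemas; the Teams record layout, the federation and LSASS-reader allowlists, and the specific Edge command-line flags in the sample (--headless, --load-extension, --remote-debugging-port) are assumptions chosen for the example, not details taken from the report.

```python
"""Detection sketch for the UNC6692 / SNOW intrusion chain.

Added example, not code from the report or the articles. Three rules:
  1. headless Edge launches (the SnowBelt relay channel), with extra weight
     for a sideloaded extension, remote debugging, or an unusual parent;
  2. non-allowlisted processes opening lsass.exe with read access
     (credential dumping ahead of pass-the-hash);
  3. external Teams senders outside the federation allowlist, flagged
     harder when the display name claims to be IT support.
The sample events below are constructed for this example; field names
mirror Sysmon EID 1 / EID 10, the Teams schema is an assumption.
"""
import json
import re

PROCESS_VM_READ = 0x0010                      # Windows access right bit
LSASS_READER_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}   # assumed
FEDERATION_ALLOWLIST = {"partner.example"}                             # assumed
HELPDESK_NAME = re.compile(r"\b(help\s*desk|it\s*support|service\s*desk)\b", re.I)
NORMAL_EDGE_PARENTS = {"explorer.exe", "msedge.exe"}

# Constructed Sysmon-style events as JSON lines (not real telemetry).
SAMPLE_SYSMON = r'''
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default"}
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --headless=new --load-extension=C:\\Users\\alice\\AppData\\Roaming\\ext --remote-debugging-port=9222"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
'''

# Constructed Teams message records (assumed schema).
SAMPLE_TEAMS = [
    {"sender": "helpdesk@contoso-itsupport.onmicrosoft.com", "display_name": "IT Helpdesk",
     "is_external": True, "recipient": "alice@contoso.com"},
    {"sender": "bob@contoso.com", "display_name": "Bob", "is_external": False,
     "recipient": "alice@contoso.com"},
    {"sender": "pm@partner.example", "display_name": "Vendor PM", "is_external": True,
     "recipient": "alice@contoso.com"},
]


def load_jsonl(text):
    """Parse JSON-lines text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_headless_edge(events):
    """Rule 1: msedge.exe started with --headless; collect aggravating factors."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "msedge.exe":
            continue
        cmd = ev.get("CommandLine", "")
        if "--headless" not in cmd:
            continue
        reasons = ["headless"]
        if "--load-extension" in cmd:
            reasons.append("sideloaded extension")
        if "--remote-debugging-port" in cmd:
            reasons.append("remote debugging")
        parent = basename(ev.get("ParentImage", ""))
        if parent not in NORMAL_EDGE_PARENTS:
            reasons.append("unusual parent " + parent)
        hits.append({"rule": "headless_edge", "cmdline": cmd, "reasons": reasons})
    return hits


def detect_lsass_access(events):
    """Rule 2: handle to lsass.exe with VM_READ from a non-allowlisted image."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10 or basename(ev.get("TargetImage", "")) != "lsass.exe":
            continue
        src = basename(ev.get("SourceImage", ""))
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if src in LSASS_READER_ALLOWLIST or not granted & PROCESS_VM_READ:
            continue
        hits.append({"rule": "lsass_read", "source": ev["SourceImage"],
                     "granted": hex(granted)})
    return hits


def detect_external_helpdesk(records):
    """Rule 3: external sender outside federation allowlist; note helpdesk names."""
    hits = []
    for r in records:
        if not r.get("is_external"):
            continue
        domain = r["sender"].rsplit("@", 1)[-1].lower()
        if domain in FEDERATION_ALLOWLIST:
            continue
        reasons = ["non-allowlisted external tenant " + domain]
        if HELPDESK_NAME.search(r.get("display_name", "")):
            reasons.append("helpdesk impersonation name")
        hits.append({"rule": "external_teams", "sender": r["sender"], "reasons": reasons})
    return hits


def run_all(sysmon_jsonl=SAMPLE_SYSMON, teams_records=SAMPLE_TEAMS):
    """Run every rule and return the combined findings in rule order."""
    events = load_jsonl(sysmon_jsonl)
    return (detect_headless_edge(events) + detect_lsass_access(events)
            + detect_external_helpdesk(teams_records))


if __name__ == "__main__":
    for hit in run_all():
        print(json.dumps(hit))
```

Each rule alone is noisy in a large estate (headless Edge is used by some legitimate automation, and every EDR opens LSASS), so the allowlists are the tuning point; correlating all three on one host and user within a short window is what turns these into a high-confidence signal for this campaign.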

Teams Tactics Drive UNC6692’s Modular SNOW Malware Campaign
technology, 1 month ago

Security researchers describe UNC6692’s two-stage assault: a flood of spam to overwhelm inboxes followed by impersonating IT staff via Microsoft Teams to coax victims into installing a patch that drops the SNOWBELT/SNOWGLAZE/SNOWBASIN malware suite for remote access, lateral movement, and data exfiltration, leveraging cloud services for C2 and payload delivery. The campaign targets executives and uses WebSocket tunnels and backdoors to expand access, with defenders urged to harden collaboration tools and enforce verified help-desk procedures.