UNC6692 Uses Email Bombing, Social Engineering to Deploy 'Snow' Malware
Briefly

"The attackers tricked the victim into clicking on a URL leading to a phishing page offering a fake mailbox repair utility, which checked for an email parameter and the browser type."
"Upon execution, the payloads infected the system with a JavaScript-based backdoor dubbed Snowbelt, deployed as a Chromium browser extension, establishing persistence through Windows startup shortcuts."
"UNC6692 used Snowglaze to establish a Sysinternals PsExec session to the system, allowing them to enumerate administrator accounts and initiate a Remote Desktop Protocol session."
The threat actor UNC6692 has been observed using phishing emails and Microsoft Teams to impersonate IT support. Victims are tricked into clicking a malicious URL that leads to a fake mailbox repair utility. The phishing page captures credentials and downloads malware, including a JavaScript-based backdoor named Snowbelt. The attackers establish persistence through scheduled tasks and use the malicious extension to download further payloads. They also conduct reconnaissance and lateral movement to harvest credentials and access administrator accounts via Remote Desktop Protocol.
Read at SecurityWeek