UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware


What’s new: A new threat actor group, UNC6692, has been identified using social engineering over Microsoft Teams to deploy a custom malware suite that includes the SNOW malware family. The group impersonates IT helpdesk employees to convince targets to install malicious software under the guise of resolving email spam issues. The campaign has focused particularly on senior-level employees and combines phishing links with legitimate remote management tools to gain access to corporate networks.

Who’s affected

Organizations using Microsoft Teams, particularly those with senior-level employees, are at risk. The attack targets individuals who may be overwhelmed by spam emails, making them more susceptible to social engineering tactics.

What to do

  • Implement strict verification processes for helpdesk communications, especially through collaboration tools like Microsoft Teams.
  • Tighten controls on external Teams communications and screen sharing to prevent unauthorized access.
  • Enhance security measures for PowerShell and other remote management tools to mitigate exploitation risks.
