A new threat actor is combining social engineering techniques, abuse of legitimate cloud infrastructure, and custom malware together to create what appears to be novel attack chain.
Google Threat Intelligence Group (GTIG) and Mandiant on April 23 published a blog post detailing the activities of a threat actor tracked as UNC6692. While the researchers did not attribute the threat actor to any previously established identity or location ( calling it only a “newly tracked threat group”), they described a multistage intrusion campaign leveraging both persistent social engineering and custom modular malware.
The attack also involves the abuse of legitimate cloud infrastructure in the form of an AWS S3 bucket.
A Google spokesperson tells Dark Reading that based on observed attacker tactics, techniques, and procedures (TTPs), the researchers suspect the UNC6692 is financially motivated. “Their operations appear focused on gaining access and stealing credentials for further actions,” the blog post authors added.
Dark Reading asked about the attacker’s point of origin, but because it utilized AWS infrastructure, Google was unable to obtain evidence pointing to a possible attribution.
The UNC6692 Attack Chain
In late December, UNC6692 conducted a campaign where it flooded a target’s inbox with email messages before contacting them through Microsoft Teams, posing as help desk personnel assigned to fix the problem. The attacker provided a phishing link through the Teams message, prompting the target to click a link that installs a local patch to fix and prevent email spamming.
The target clicked the link and opened an HTML page which “ultimately downloaded a renamed AutoHotKey binary and an AutoHotkey script, sharing the same name, from a threat actor-controlled AWS S3 bucket.”
“If the AutoHotkey binary is named the same as a script file in its current directory, AutoHotkey will automatically run the script with no additional command line arguments,” the blog post read. “Evidence of AutoHotKey execution was recorded immediately following the downloads resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension (not distributed through the Chrome Web Store).”
Through the Snowbelt extension now installed on the user’s computer, UNC6692 downloaded the Python tunneler Snowglaze, the Python bindshell Snowbasin (a persistent backdoor for remote code execution), AutoHotkey scripts, and “a ZIP archive containing a portable Python executable and required libraries.”
Once they gained initial access, the attacker used a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts. They then used a local administrator account to initiate a remote desktop protocol (RDP) session through Snowglaze from the victim system to a backup server.
Now with access to the backup server, the threat actor further uses the local admin account to extract the system’s LSASS Microsoft Windows Local Security Authority Subsystem Service (LSASS) process memory. LSASS is used to enforce security policy and contains all usernames, passwords, and hashes for accounts that have accessed the target system. UNC6692 then extracted the process memory via LimeWire before using offensive security tools to extract credentials without fear of detection.
Finally, UNC6692 used a pass-the-hash technique to move laterally to the network’s domain controller, preparing the threat actor to further stage and extract data of interest.
Google’s blog post contained indicators of compromise (IOCs) and YARA rules.
UNC6692: Defender Takeaways
UNC6692’s attack presents a blend of social engineering, technical evasion, and a multipronged malware strategy. Google highlighted the “systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure,” in the form of the S3 bucket.
This abuse, Google said, enables attackers to bypass traditional network reputation filters and blend into legitimate cloud traffic.
“Defenders must now look beyond process monitoring to gain clear visibility into browser activity and unauthorized cloud traffic,” the authors wrote. “As threat actors continue to professionalize these modular, cross-platform methodologies, the ability to correlate disparate events across the browser, local Python environments, and cloud egress points will be critical for early detection.”
In a statement, an AWS spokesperson tells Dark Reading stating that the company prohibits the abuse of its product in its terms of service, and if anyone suspects such abuse may be taking place, they can report it to AWS Trust & Safety through the appropriate form.
“AWS has clear terms that prohibit the use of our services to violate the security, integrity, or availability of others,” the spokesperson says. “When we receive reports of potential violations of our terms, we act quickly to review and take appropriate action.”
