Threat Actor Uses Microsoft Teams for Malware

Overview of the Attack

A threat actor is using Microsoft Teams to launch a new malware campaign that relies heavily on social engineering. Researchers discovered a custom malware suite called “Snow.” Once the attackers have access, they aim to steal sensitive data, focusing on deep network compromise and credential theft. Organizations face serious security risks as a result.

The attackers begin by creating a sense of urgency: they flood victims' inboxes with spam messages, then contact them through chat platforms while posing as IT support staff. Because the communication appears to come from internal IT, victims trust it and follow the instructions, which raises the success rate of the attack.

Social Engineering Techniques

The attack starts with email bombing. This tactic overwhelms users with messages, making them more likely to accept help. The attackers then reach out through workplace communication tools and offer to fix the spam problem.

Victims receive a link to install a supposed patch; the link delivers malicious software instead, and users unknowingly infect their systems. The approach exploits trust in internal communication tools, which lets the attackers bypass traditional security awareness.

Malware Components and Behavior

The Snow malware suite includes several components: a browser extension, a backdoor, and a tunneling tool for communication. Together they let the malware operate quietly in the background.

One component installs a hidden browser extension that runs in a headless browser session, so users cannot see its activity. The malware also creates scheduled tasks for persistence, which keeps it active after a reboot.
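As an added detection example (not code from the original report), the following Python flags scheduled-task definitions that launch a Chromium-style browser headlessly with a side-loaded extension, the persistence and hiding pattern described above. The task XML samples, the browser executable names and the `--headless` / `--load-extension` flags are assumptions about how such a task could look, not details taken from the report.

```python
# Added example, not from the original article: flags Windows scheduled
# tasks whose action launches a browser headlessly with a side-loaded
# extension and is re-run at logon. Flag names and samples are assumptions.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
BROWSERS = ("chrome.exe", "msedge.exe", "chromium.exe", "brave.exe")
HEADLESS = re.compile(r"--headless\b")
EXT_LOAD = re.compile(r"--load-extension=\S+")

def exec_actions(root) -> list:
    """Return (command, arguments) pairs from a Task Scheduler XML definition."""
    return [
        (exe.findtext("t:Command", default="", namespaces=NS).strip(),
         exe.findtext("t:Arguments", default="", namespaces=NS).strip())
        for exe in root.findall(".//t:Actions/t:Exec", NS)
    ]

def suspicious_task(task_xml: str) -> list:
    """Reasons a task matches the hidden headless-browser persistence pattern."""
    root = ET.fromstring(task_xml)
    reasons = []
    for cmd, args in exec_actions(root):
        if not cmd.lower().endswith(BROWSERS):
            continue  # only browser launches are of interest here
        if HEADLESS.search(args):
            reasons.append(f"browser launched headless: {cmd} {args}")
        ext = EXT_LOAD.search(args)
        if ext:
            reasons.append(f"browser side-loads an extension: {ext.group()}")
    # A logon trigger is what keeps the hidden session alive across reboots.
    if reasons and root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        reasons.append("task re-runs at every logon")
    return reasons

# Constructed sample definitions, in the shape Security Event ID 4698
# ("A scheduled task was created") records in its TaskContent field.
HEADLESS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Google\Chrome\Application\chrome.exe</Command>
    <Arguments>--headless=new --load-extension=C:\Users\Public\ext</Arguments>
  </Exec></Actions></Task>"""
UPDATER_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Google\Update\GoogleUpdate.exe</Command>
    <Arguments>/ua /installsource scheduler</Arguments>
  </Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml in (("headless", HEADLESS_TASK), ("updater", UPDATER_TASK)):
        print(name, suspicious_task(xml) or "clean")
```

In practice the task XML would come from the TaskContent field of 4698 events or from exporting existing tasks, and a legitimate updater task such as the second sample produces no findings.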

Command and Control Mechanism

The malware uses advanced communication methods. It creates a secure tunnel to remote servers, and because the tunnel hides the malicious traffic, detection becomes more difficult.

Commands travel through this hidden channel and the backdoor executes them on the system, using local servers to manage requests. This gives the attackers remote control of infected devices and continuous access to the system.

Capabilities of the Backdoor

The backdoor supports many malicious actions: it can steal files, capture screenshots, and execute remote commands, giving the attackers full control over the system.

The malware can also manage files, download data, and remove itself when needed, which lets the attackers erase traces of their activity. This makes investigation more challenging, and damage may go unnoticed.

Lateral Movement and Data Theft

After gaining access, the attackers explore the network, scanning for shared services and remote access points to identify new targets. They also extract login credentials from memory.

Using these credentials, the attackers move across systems while relying on advanced techniques to avoid detection, until they reach critical servers. In the final stage they collect sensitive database files, gaining access to important organizational data.

Prevention and Protection

Organizations should train staff to verify IT support requests carefully; for example, employees should confirm links before clicking them. Monitoring communication tools helps detect suspicious activity early. Endpoint protection and network monitoring solutions can block unauthorized access, and advanced threat detection combined with secure access controls can prevent lateral movement and data theft.
