THREAT OPS › Threat News › Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
<div class="block-paragraph_advanced"><p>Written by: JP Glab, Tufail Ahmed, Josh Kelley, Muhammad Umair</p> <hr /></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) identified a multistage intrusion cam
Attributed threat actors
- Earth LuscaG1006
MITRE ATT&CK techniques
- Scheduled TaskT1053.005
- Archive via UtilityT1560.001
- Screen CaptureT1113
- System Owner/User DiscoveryT1033
- Password GuessingT1110.001
- JavaScriptT1059.007
- Create or Modify System ProcessT1543
- Security Account ManagerT1003.002
- Match Legitimate Resource Name or LocationT1036.005
- Service StopT1489
- Malicious FileT1204.002
- Local AccountT1087.001
- Browser ExtensionsT1176.001
- Windows ServiceT1543.003
- VulnerabilitiesT1588.006
- Spearphishing LinkT1566.002
- Spearphishing LinkT1598.003
- System Service DiscoveryT1007
- System Information DiscoveryT1082
- Scheduled Task/JobT1053
- AutoHotKey & AutoITT1059.010
- Indirect Command ExecutionT1202
- Data from Local SystemT1005
- Deobfuscate/Decode Files or InformationT1140
- Exfiltration Over Web ServiceT1567
- Social EngineeringT1684
- MasqueradingT1036
- Process InjectionT1055
- Shortcut ModificationT1547.009
- SMB/Windows Admin SharesT1021.002
- Protocol TunnelingT1572
- Upload ToolT1608.002
- Archive Collected DataT1560
- Modify RegistryT1112
- Local AccountT1136.001
- LSASS MemoryT1003.001
- Password SprayingT1110.003
- System Network Configuration DiscoveryT1016
- ProxyT1090
- Command and Scripting InterpreterT1059
- Automated ExfiltrationT1020
- File and Directory DiscoveryT1083
- Data StagedT1074
- Web ServiceT1102
- Credentials In FilesT1552.001
- Link TargetT1608.005
- Token Impersonation/TheftT1134.001
- Cloud ServicesT1021.007
- Process DiscoveryT1057
- PowerShellT1059.001
- Registry Run Keys / Startup FolderT1547.001
- Inter-Process CommunicationT1559
- Exploitation for Privilege EscalationT1068
- Obfuscated Files or InformationT1027
- CredentialsT1589.001
- Exfiltration to Cloud StorageT1567.002
- Query RegistryT1012
- PythonT1059.006
- ImpersonationT1684.001
- Windows Command ShellT1059.003
- Command ObfuscationT1027.010
- File DeletionT1070.004
- Access Token ManipulationT1134
- Web ProtocolsT1071.001
- Remote System DiscoveryT1018
- Network Service DiscoveryT1046
- Software DiscoveryT1518
- Debugger EvasionT1622
- Ingress Tool TransferT1105
- Remote Desktop ProtocolT1021.001
- Hidden Files and DirectoriesT1564.001
- NTDST1003.003
- Malicious LinkT1204.001
- Service ExecutionT1569.002
- CompressionT1027.015
- Malicious LinkAML.T0011.003
- Data from Local SystemAML.T0037
- Command and Scripting InterpreterAML.T0050
- ImpersonationAML.T0073
- MasqueradingAML.T0074
- Process DiscoveryAML.T0089
Indicators of compromise
- 691f7258f212fa8908a8bf06bcf9e027d2177276e13e10ff56bd434ff3755cc4sha256
- e94868d114345e7e6ff7ce3b6ef5c2b0de0ab7ba8584ab0bf1a1df79a2bf2ffesha256
- 2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e62f7e49sha256
- c8940de8cb917abe158a826a1d08f1083af517351d01642e6c7f324d0bba1eb8sha256
- 7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634cc5a2477sha256
- ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190sha256
- 6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7sha256
- de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807fsha256
- https://www.virustotal.com/gui/collection/e94868d114345e7e6ff7ce3b6ef5c2b0de0ab7ba8584ab0bf1a1df79a2bf2ffeurl
- sad4w7h913-b4a57f9c36eb.herokuapp.comdomain