UNC6692

"Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim's environment to achieve deep network penetration."

"The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim's inherent trust in several different enterprise software providers."

"Evidence of AutoHotKey execution was recorded immediately following the downloads resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension (not distributed through the Chrome Web Store)."

"Using the SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and required libraries."

"process execution telemetry recorded UNC6692 using a Python script to scan the local network for ports 135, 445, and 3389."

"Following internal port scanning, the threat actor established a Sysinternals PsExec session to the victims system via the SNOWGLAZE tunnel, and executed commands to enumerate local administrator accounts."

"After gaining access to the backup server the threat actor utilized the local administrator account to extract the system's LSASS process memory with Windows Task Manager."

"After extracting the process memory, UNC6692 exfiltrated it via LimeWire."

"Now armed with the password hashes of elevated users, UNC6692 used Pass-The-Hash to move laterally to the network's domain controllers."