Microsoft Teams Phishing Attack Spreads A0Backdoor Malware

Summary
– Hackers use social engineering on Microsoft Teams, posing as IT staff to trick employees at financial and healthcare firms into granting remote access via Quick Assist.
– The attackers deploy a malicious toolset, including digitally signed MSI installers masquerading as legitimate software, to install the A0Backdoor malware.
– The malware uses DLL sideloading with legitimate Microsoft binaries and employs techniques like excessive thread creation to hinder analysis and detection.
– A0Backdoor communicates with its command-and-control server using encoded DNS MX record queries, a method chosen to blend in and evade common monitoring for DNS tunneling.
– Cybersecurity researchers assess with moderate-to-high confidence that this campaign is an evolution of tactics associated with the now-dissolved BlackBasta ransomware gang.
A sophisticated phishing campaign is targeting employees within the financial and healthcare sectors, using Microsoft Teams as a primary attack vector to deploy a novel backdoor malware. Security analysts have identified a threat actor who first inundates a target’s email with spam before reaching out via Teams, posing as internal IT support. This deceptive approach builds a false sense of urgency and legitimacy, convincing the employee to accept help. The attacker then guides the user to initiate a Quick Assist remote session, providing the direct access needed to install malicious software onto the compromised machine.
The infection chain involves digitally signed MSI installer files hosted on a personal Microsoft cloud storage account so that they appear trustworthy. The files are disguised as legitimate Microsoft Teams components or as the CrossDeviceService, a tool associated with the Windows Phone Link app. Once executed, the installer uses a technique called DLL sideloading, in which a malicious library named `hostfxr.dll` is loaded by a genuine Microsoft binary. This library contains compressed or encrypted data that, once in memory, is decrypted into executable shellcode.
To hinder security analysis, the malicious code employs the CreateThread function excessively, a tactic that can cause debugging tools to crash but typically doesn’t affect normal system operation. The shellcode itself performs checks to detect if it’s running in a sandbox environment before proceeding. It then generates a cryptographic key to decrypt its primary payload: a piece of malware researchers have dubbed A0Backdoor.
This backdoor relocates itself in memory and decrypts its core functions. It uses standard Windows API calls to gather detailed system information, including the username and computer name, effectively fingerprinting the infected host. For covert communication, the malware employs a stealthy method of hiding data within DNS traffic. Instead of using more obvious channels, it sends DNS MX record queries to public recursive resolvers. These queries contain encoded metadata within high-entropy subdomains. The command-and-control servers respond with MX records that carry encoded instructions back to the malware, which then decodes and executes them.
This use of DNS MX records for command-and-control is a notable evolution, as it helps the malicious traffic blend in with normal network activity and may evade security controls specifically tuned to detect the more commonly monitored DNS TXT record tunneling. The campaign has successfully compromised organizations, including a Canadian financial institution and a major global healthcare provider.
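As an added illustration of how a defender might hunt for the MX-based channel described above (example code written for this summary, not part of the original article or any vendor tooling), the script below runs two checks over constructed DNS query log lines: an entropy score on the subdomain labels that would carry encoded metadata, and a check for endpoints sending MX queries straight to public recursive resolvers instead of internal DNS. The log format, the resolver list and the thresholds are assumptions for the example.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the article).
# Fields: timestamp client resolver qtype qname
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 10.0.0.1 MX example.com
2024-01-01T10:00:02Z 10.0.0.5 8.8.8.8 MX k3z9qv7x2m8n4p1w.h6t2b9y4.c2-placeholder.invalid
2024-01-01T10:00:03Z 10.0.0.5 8.8.8.8 MX 7f2a9c1e8b3d5g6h.c2-placeholder.invalid
2024-01-01T10:00:04Z 10.0.0.5 10.0.0.1 A mail.example.com
2024-01-01T10:00:05Z 10.0.0.5 8.8.8.8 TXT _dmarc.example.com
2024-01-01T10:00:06Z 10.0.0.7 1.1.1.1 MX www.mail.example.com
"""

# Assumed set of public recursive resolvers; endpoints should normally use internal DNS.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded (base32/base64-like) labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def encoded_part(qname: str) -> str:
    """Labels left of the registrable domain (approximated here as the last two labels)."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2]) if len(labels) > 2 else ""

def find_suspicious_mx(log: str, min_entropy: float = 3.5, min_len: int = 12) -> list:
    """Flag MX queries carrying high-entropy subdomains or sent directly to public resolvers."""
    alerts = []
    for line in log.splitlines():
        ts, client, resolver, qtype, qname = line.split()
        if qtype != "MX":
            continue  # this rule is MX-specific; TXT tunnelling needs its own rule
        payload = encoded_part(qname)
        ent = shannon_entropy(payload)
        reasons = []
        if len(payload) >= min_len and ent >= min_entropy:
            reasons.append(f"high-entropy subdomain ({ent:.2f} bits/char)")
        if resolver in PUBLIC_RESOLVERS:
            reasons.append("MX query sent to public resolver, bypassing internal DNS")
        if reasons:
            alerts.append({"ts": ts, "client": client, "qname": qname, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_mx(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["qname"], "; ".join(alert["reasons"]))
```

Workstations rarely have a legitimate reason to issue MX queries at all, so in practice the volume of MX lookups per client is a useful third signal alongside the two shown here.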
Analysts assess with moderate-to-high confidence that this operation represents an evolution of tactics linked to the BlackBasta ransomware gang, whose internal communications were previously leaked. While there are significant overlaps with known BlackBasta methods, this campaign introduces new elements: the use of signed MSI installers, the specific A0Backdoor payload, and the sophisticated DNS MX-based communication for stealth. This highlights a continuous adaptation by threat actors, leveraging trusted collaboration platforms and cloud services to bypass traditional security defenses.
(Source: Bleeping Computer)