Microsoft Teams phishing targets employees with A0Backdoor malware
Source: Bleeping Computer

Hackers contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor.
Attack Overview
The attacker relies on social engineering to gain the employee’s trust by first flooding their inbox with spam and then contacting them over Teams, pretending to be the company’s IT staff and offering assistance with the unwanted messages.
Remote Access via Quick Assist
To obtain access to the target machine, the threat actor instructs the user to start a Quick Assist remote session. During this session, a malicious toolset is deployed, which includes digitally signed MSI installers hosted in a personal Microsoft cloud storage account.
According to researchers at cybersecurity company BlueVoyant, the malicious MSI files masquerade as Microsoft Teams components and the CrossDeviceService, a legitimate Windows tool used by the Phone Link app.
[Image: Command line argument to install the malicious CrossDeviceService.exe (Source: BlueVoyant)]
DLL Sideloading Technique
Using DLL sideloading with legitimate Microsoft binaries, the attacker deploys a malicious library (hostfxr.dll) that contains compressed or encrypted data. Once loaded in memory, the library:
- Decrypts the data into shellcode.
- Transfers execution to the shellcode.
The malicious library also creates an excessive number of threads via the CreateThread function to hinder analysis: the thread flood can crash a debugger, while it has little effect on the malware during normal execution.
Shellcode and Payload Extraction
The shellcode performs sandbox detection and then generates a SHA‑256‑derived key, which it uses to extract the A0Backdoor payload encrypted with AES.
[Image: Encrypted payload in the shellcode (Source: BlueVoyant)]
After extraction, the malware:
- Relocates itself into a new memory region.
- Decrypts its core routines.
- Calls Windows APIs (e.g., DeviceIoControl, GetUserNameExW, GetComputerNameW) to collect host information and create a fingerprint.
DNS‑Based Command‑and‑Control
Communication with the C2 server is hidden in DNS traffic. The malware sends DNS MX queries with encoded metadata in high‑entropy subdomains to public recursive resolvers. The DNS servers respond with MX records containing encoded command data.
[Image: Captured DNS communication (Source: BlueVoyant)]
“The malware extracts and decodes the leftmost label to recover command/configuration data, then proceeds accordingly,” explains BlueVoyant.
“Using DNS MX records helps the traffic blend in and can evade controls tuned to detect TXT‑based DNS tunneling, which may be more commonly monitored.”
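The two traits described above, MX queries sent straight to public recursive resolvers and a high-entropy leftmost label carrying encoded data, are both visible in ordinary DNS query logs. The following Python script is an added example written for this page; it is not code from BlueVoyant's report or from the malware. It runs over a constructed sample of log lines (the log format, the resolver list, the entropy and label-length thresholds, and every IP address and domain in it are assumptions, not indicators from the campaign), scores each MX query's leftmost label with Shannon entropy, and reports clients that repeatedly trigger both conditions, since a single odd query is noise but a repeating pattern is beaconing.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of DNS query log lines (not real captured traffic).
# Assumed format: timestamp client_ip resolver_ip qtype qname
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 8.8.8.8 MX mail.example.com
2024-05-01T10:00:02Z 10.0.0.5 1.1.1.1 MX q8f3k1zv7b2m9x4c0lw6.cdn-sync.example.net
2024-05-01T10:00:03Z 10.0.0.7 10.0.0.2 A intranet.corp.local
2024-05-01T10:00:04Z 10.0.0.5 9.9.9.9 MX z0x9c8v7b6n5m4a3s2d1.cdn-sync.example.net
2024-05-01T10:00:05Z 10.0.0.9 10.0.0.2 TXT _dmarc.example.com
"""

# Assumed environment: hosts must use the internal resolver (10.0.0.2), so a
# query sent directly to a public recursive resolver is itself a policy violation.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}

# Tunable thresholds (assumptions for this example, not values from the report).
ENTROPY_THRESHOLD = 3.5   # bits per character; readable hostnames are usually well below this
MIN_LABEL_LENGTH = 16     # short labels cannot carry much encoded data

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Shannon entropy of a DNS label in bits per character (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, resolver, qtype, qname = m.groups()
        yield {"ts": ts, "client": client, "resolver": resolver,
               "qtype": qtype.upper(), "qname": qname.rstrip(".")}


def detect_mx_tunneling(text: str):
    """Return a finding for every MX query that matches at least one C2 trait."""
    findings = []
    for q in parse_log(text):
        if q["qtype"] != "MX":
            continue
        leftmost = q["qname"].split(".")[0]   # the label the article says carries encoded data
        reasons = []
        if q["resolver"] in PUBLIC_RESOLVERS:
            reasons.append("query sent directly to a public resolver")
        ent = shannon_entropy(leftmost)
        if len(leftmost) >= MIN_LABEL_LENGTH and ent >= ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy leftmost label ({ent:.2f} bits/char, len {len(leftmost)})")
        if reasons:
            findings.append({**q, "label": leftmost, "entropy": round(ent, 2),
                             "severity": "high" if len(reasons) == 2 else "low",
                             "reasons": reasons})
    return findings


def suspicious_clients(findings, min_high: int = 2):
    """Clients with repeated high-severity findings: a beaconing pattern, not a one-off."""
    per_client = defaultdict(int)
    for f in findings:
        if f["severity"] == "high":
            per_client[f["client"]] += 1
    return sorted(c for c, n in per_client.items() if n >= min_high)


if __name__ == "__main__":
    found = detect_mx_tunneling(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper(), f["client"], "->", f["resolver"], f["qname"],
              "|", "; ".join(f["reasons"]))
    print("clients to triage:", suspicious_clients(found))
```

On the sample, the legitimate MX lookup for mail.example.com is reported only at low severity (it bypassed the internal resolver, which is worth a look but not an incident), while the two queries with 20-character random-looking labels score high on both traits and put 10.0.0.5 on the triage list. In production the same logic belongs in the resolver or SIEM pipeline, with the entropy threshold tuned against a baseline of the organization's own MX traffic, and the stronger control is the one the finding implies: block outbound port 53 to anything but the internal resolver, which removes the resolver-bypass channel entirely.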
Attribution
BlueVoyant states that two of the campaign’s targets are a financial institution in Canada and a global healthcare organization. The researchers assess with moderate‑to‑high confidence that the campaign is an evolution of tactics, techniques, and procedures associated with the BlackBasta ransomware gang, which dissolved after internal chat logs were leaked.
While many overlaps exist, BlueVoyant notes several new elements:
- Use of signed MSIs and malicious DLLs.
- Introduction of the A0Backdoor payload.
- DNS MX‑based C2 communication.