A contemporary cyber campaign has been identified where attackers are using Microsoft Teams to target employees in financial and healthcare organizations, eventually infecting systems with a newly observed malware known as A0Backdoor.
Research from BlueVoyant shows that the attackers rely heavily on social engineering. They begin by overwhelming an employee’s inbox with large volumes of spam emails. Soon after, they contact the same individual on Microsoft Teams, pretending to be part of the company’s IT support team and offering help to resolve the issue. This sequence is designed to build trust and make the request appear routine.
Once the victim is convinced, the attacker asks them to start a remote session using Quick Assist, a built-in Windows feature meant for remote troubleshooting. After access is granted, the attacker delivers a set of malicious tools through MSI installer files. These installers are digitally signed and hosted on a personal Microsoft cloud storage account, which helps them appear legitimate at first glance.
The researchers found that these MSI files are disguised as familiar Microsoft-related components, including Microsoft Teams elements and CrossDeviceService, a real Windows service used by the Phone Link application. This naming strategy helps the files blend in with normal system processes.
To execute the attack, the threat actor uses a technique called DLL sideloading. This involves running trusted Microsoft programs to load a malicious file named hostfxr.dll. Inside this file is data that is either compressed or encrypted. When the file is loaded into memory, it decrypts this data into shellcode and begins execution.
The malware also uses the CreateThread function to generate multiple threads. This behavior is not meant to improve performance but to make analysis harder. According to the researchers, creating too many threads can cause debugging tools to crash, even though it does not noticeably affect normal system activity.
After execution begins, the shellcode checks whether it is running inside a sandbox environment, which is commonly used by security analysts. If no such environment is detected, it proceeds to create a cryptographic key derived from SHA-256. This key is then used to decrypt the A0Backdoor payload, which is protected using AES encryption.
Once decrypted, the malware moves itself to a different region in memory and activates its main functions. It collects system-level information using Windows API calls such as DeviceIoControl, GetUserNameExW, and GetComputerNameW. This allows it to identify and profile the infected machine.
For communication with its operators, the malware avoids traditional methods and instead uses DNS traffic. It sends DNS MX queries that contain encoded data within complex subdomains to public recursive DNS servers. The responses it receives include MX records that carry encoded instructions. The malware extracts the relevant part of the response, decodes it, and then follows the commands.
Researchers explain that using MX records helps the traffic appear normal, making it harder to detect compared to other DNS-based techniques, especially those that rely on TXT records, which are more commonly monitored.
The campaign has already targeted at least two organizations, including a financial institution in Canada and a global healthcare company.
BlueVoyant assesses with moderate to high confidence that this activity builds on methods previously linked to the BlackBasta group. Although that group reportedly shut down after internal chat logs were leaked, parts of its approach appear to be continuing in this operation.
At the same time, the researchers
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: