Microsoft Teams Phishing Campaign Delivering A0Backdoor Malware

Summary:

A phishing campaign is targeting employees at financial and healthcare organizations via Microsoft Teams, where attackers impersonate internal IT support staff and persuade victims to grant remote access via the Windows Quick Assist tool. Once access is established, attackers deploy malicious MSI installers disguised as legitimate software components such as CrossDeviceService. These installers use DLL sideloading and encrypted shellcode to deliver the A0Backdoor malware.

The malware operates primarily in memory, collects host system information, and communicates with attacker-controlled infrastructure using covert DNS MX queries designed to blend with normal DNS activity. Researchers have observed similarities between this campaign and tactics historically associated with the BlackBasta ransomware group, indicating potential evolution of their operational tradecraft.

Technical Description:

The attack begins when threat actors impersonate corporate IT support staff through Microsoft Teams after first creating confusion by sending large volumes of spam emails to targeted users. Victims are convinced to initiate a remote assistance session using the legitimate Windows Quick Assist application. Once the session is established, attackers deliver malicious MSI installers hosted on personal Microsoft cloud storage accounts. These installers masquerade as legitimate software components such as CrossDeviceService to avoid suspicion.

The installer deploys a malicious hostfxr.dll using DLL sideloading techniques. This DLL contains encrypted or compressed data that is decrypted directly in memory and transformed into executable shellcode. The shellcode performs environmental checks to detect sandbox environments and generates a SHA-256 derived key used to decrypt the AES-encrypted A0Backdoor payload.

Once decrypted, the payload executes entirely in memory and employs anti-analysis techniques including excessive thread creation to hinder debugging or forensic inspection. The malware then collects system information and establishes command-and-control communication using encoded metadata embedded within DNS MX queries sent to public recursive resolvers. The details and technicalities of the attack campaign are discussed further in the sections that follow.

Delivery and Infection Chain:

The campaign relies heavily on social engineering techniques combined with legitimate enterprise collaboration tools to bypass traditional security defenses. Attackers impersonate internal IT staff using Microsoft Teams, creating urgency and trust to convince victims to initiate remote support sessions. During these sessions, attackers deploy malicious software disguised as legitimate system components to gain persistent access to the compromised environment.

The infection chain was identified as follows:

  • Threat actors initiate contact through Microsoft Teams while impersonating corporate IT support and persuade victims to launch a remote support session using Quick Assist.
  • After remote access is granted, attackers deploy malicious MSI installers hosted on personal Microsoft cloud storage accounts, disguised as legitimate Windows components such as CrossDeviceService.
  • The MSI installer places legitimate Microsoft binaries alongside a malicious hostfxr.dll file, leveraging DLL sideloading to execute the malicious library when the legitimate binary is launched.
  • The malicious DLL decrypts embedded data into shellcode in memory, performs sandbox detection checks, and generates a SHA-256 derived key used to decrypt the AES-encrypted A0Backdoor payload.
  • The decrypted backdoor executes in memory, gathers host system information, and establishes command-and-control communication by embedding encoded data within DNS MX queries.
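As an added example (not code from the report or the researchers), the following Python triage routine applies the sideloading indicators from the chain above to Sysmon Event ID 7 (ImageLoad) records: a hostfxr.dll loaded from outside the .NET host directory, unsigned or with an invalid signature, sitting next to the executable that loaded it, or matching one of the report's SHA-256 IOCs. The sample events, the CrossDeviceService.exe path, the .NET version folder and the expected install directories are assumptions; the two hashes are the ones listed in the IOC table.

```python
import ntpath  # parses Windows paths on any platform

# Constructed Sysmon Event ID 7 (ImageLoad) records; not taken from the report
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\dotnet\dotnet.exe",
     "ImageLoaded": r"C:\Program Files\dotnet\host\fxr\8.0.4\hostfxr.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "0" * 64},
    {"Image": r"C:\Users\alice\AppData\Local\CrossDeviceService\CrossDeviceService.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\CrossDeviceService\hostfxr.dll",
     "Signed": "false", "SignatureStatus": "Unavailable",
     "Hashes": "MD5=" + "0" * 32 + ",SHA256=26db06a2319c09918225e59c404448d92fe31262834d70090e941093e6bb650a"},
]
# Assumed legitimate locations of hostfxr.dll; adjust for your own .NET deployments
EXPECTED_HOSTFXR_DIRS = ("c:\\program files\\dotnet\\host\\fxr\\",
                         "c:\\program files (x86)\\dotnet\\host\\fxr\\")
IOC_SHA256 = {  # SHA-256 values from the report's IOC table (artifact type not stated there)
    "26db06a2319c09918225e59c404448d92fe31262834d70090e941093e6bb650a",
    "0c99481dcacda99014e1eeef2e12de3db44b5db9879ce33204d3c65469e969ff",
}

def sha256_of(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes_field.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None

def check_image_load(ev):
    """Reasons an ImageLoad event deserves analyst review; empty list means nothing notable."""
    loaded = ev["ImageLoaded"].lower()
    reasons = []
    if sha256_of(ev.get("Hashes", "")) in IOC_SHA256:
        reasons.append("ioc-hash-match")
    if ntpath.basename(loaded) != "hostfxr.dll":
        return reasons
    if not loaded.startswith(EXPECTED_HOSTFXR_DIRS):
        reasons.append("hostfxr-outside-dotnet-install")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("hostfxr-unsigned-or-invalid-signature")
    if ntpath.dirname(loaded) == ntpath.dirname(ev["Image"].lower()):
        # Classic sideloading layout; self-contained .NET apps look the same, so weigh with the rest
        reasons.append("dll-colocated-with-loader")
    return reasons

def triage(events):
    """Return (loader image, reasons) for every event that raised at least one reason."""
    hits = [(ev["Image"], check_image_load(ev)) for ev in events]
    return [(image, reasons) for image, reasons in hits if reasons]
```

Self-contained .NET applications legitimately ship their own hostfxr.dll beside the executable, so treat the co-location reason as supporting evidence rather than a verdict on its own.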

Technical Capabilities:

The A0Backdoor malware incorporates several evasion and persistence techniques designed to operate stealthily within compromised environments. The malware runs primarily in memory after decrypting its AES-encrypted payload using a SHA-256 derived key generated by the initial shellcode. Prior to execution, the malware performs sandbox checks to determine whether it is operating in an analysis or virtualized environment.

To further complicate analysis, the malware uses anti-debugging techniques such as excessive thread creation through the Windows CreateThread function, which can disrupt malware analysis tools. After execution, the malware gathers host information using Windows API functions including DeviceIoControl, GetUserNameExW, and GetComputerNameW to fingerprint the infected system.

The command-and-control mechanism uses a covert communication method in which encoded metadata is embedded within DNS MX queries sent to public recursive resolvers. This allows malicious traffic to blend with legitimate DNS activity and bypass traditional monitoring systems that typically detect DNS TXT-based tunneling. The DNS responses contain encoded commands that the malware decodes and executes, enabling remote command execution and configuration updates. The use of legitimate services such as Microsoft Teams and Quick Assist during the initial compromise further increases the stealth and effectiveness of the attack.
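As an added example (not code from the report or the researchers), the following Python detector scores constructed DNS query log lines for the MX-based C2 pattern described above, and for the DNS-monitoring recommendation later in this advisory: MX queries sent to public recursive resolvers instead of the internal resolver, high-entropy subdomain labels that suggest encoded data, bursts of MX lookups from a single workstation, and the domain from the IOC table. The log format, resolver list, thresholds, client addresses and query names are assumptions; fsdgh.com is the domain listed in the report.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed sample query log (not from the report): timestamp client qtype qname resolver
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.5.23 A www.example.com 10.0.0.2
2024-05-01T10:00:02Z 10.0.5.23 MX example.com 10.0.0.2
2024-05-01T10:00:03Z 10.0.5.42 MX 7f3a9c1e4b8d2f60.a1b2c3d4e5f6a7b8.fsdgh.com 8.8.8.8
2024-05-01T10:00:04Z 10.0.5.42 MX 9e8d7c6b5a4f3e2d.0123456789abcdef.fsdgh.com 8.8.8.8
2024-05-01T10:00:05Z 10.0.5.42 MX 5b3e9a1c7d2f4e60.k8p2m9x4q7w1z3v5.updates-cdn.example 1.1.1.1
"""
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
IOC_DOMAINS = {"fsdgh.com"}   # domain listed in the report's IOC table
ENTROPY_THRESHOLD = 3.5       # bits per character; tune against your own baseline
MIN_LABEL_LEN = 16            # short labels give noisy entropy scores
MX_BURST_THRESHOLD = 3        # MX queries per client before a burst is flagged
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
def shannon_entropy(s):  # bits of entropy per character (0.0 for one repeated char)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())
def parse_line(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    _ts, client, qtype, qname, resolver = m.groups()
    return {"client": client, "qtype": qtype.upper(), "qname": qname.rstrip(".").lower(), "resolver": resolver}
def registered_domain(qname):
    return ".".join(qname.split(".")[-2:])  # naive; use a public-suffix list in production
def high_entropy_labels(qname):  # score only subdomain labels, left of the registered domain
    return [l for l in qname.split(".")[:-2]
            if len(l) >= MIN_LABEL_LEN and shannon_entropy(l) >= ENTROPY_THRESHOLD]

def analyze(log_text):
    findings, mx_per_client = [], defaultdict(int)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        reasons = []
        if registered_domain(rec["qname"]) in IOC_DOMAINS:
            reasons.append("known-ioc-domain")
        if rec["qtype"] == "MX":
            mx_per_client[rec["client"]] += 1
            if rec["resolver"] in PUBLIC_RESOLVERS:
                reasons.append("mx-to-public-resolver")  # internal resolver bypassed
            if high_entropy_labels(rec["qname"]):
                reasons.append("high-entropy-label")     # encoded data carried in the name
        if reasons:
            findings.append({"client": rec["client"], "qname": rec["qname"], "reasons": reasons})
    for client, n in mx_per_client.items():
        if n >= MX_BURST_THRESHOLD:  # workstations rarely need MX lookups at all
            findings.append({"client": client, "qname": None, "reasons": ["mx-burst"]})
    return findings
```

Entropy alone is noisy on real traffic (long CDN and autodiscover labels score high), so the MX record type, the resolver destination and the per-client volume carry more weight than the label score by itself.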

Attribution and Evolution:

Security researchers have identified behavioral similarities between this campaign and tactics previously used by the BlackBasta ransomware group. BlackBasta has historically conducted large-scale ransomware operations targeting enterprise environments before internal communications leaks disrupted portions of the group's infrastructure.

The current campaign suggests an evolution in the group’s operational tactics. New elements observed include the use of the A0Backdoor payload, digitally signed MSI installers for malware delivery, and DNS MX-based command-and-control communication mechanisms. These additions indicate an effort to increase stealth, persistence, and evasion capabilities compared to earlier operations.

Active Campaign and Geographic Spread:

The campaign has primarily targeted organizations within the financial services and healthcare sectors, both of which are considered high-value targets due to the sensitive data they manage. Confirmed victims include a Canadian financial institution and a multinational healthcare organization.

Although the publicly reported number of victims remains limited, the techniques employed in this campaign indicate potential for broader international targeting. Enterprises that rely heavily on collaboration platforms such as Microsoft Teams and remote IT support tools may be particularly vulnerable to similar social engineering-based intrusion attempts.

Conclusion:

This campaign illustrates how threat actors increasingly combine social engineering techniques with legitimate enterprise tools and advanced malware to compromise organizations. By exploiting trusted collaboration platforms like Microsoft Teams and masking command-and-control traffic within DNS communications, attackers can maintain persistent and covert access to enterprise environments.

Organizations should strengthen user awareness programs, implement stricter controls around remote support tools, and enhance monitoring of DNS traffic and endpoint activity in order to detect and mitigate similar attack attempts.

Impact:

Successful exploitation allows attackers to gain initial access and establish persistent backdoor control within enterprise networks. The A0Backdoor malware enables threat actors to collect system information, execute remote commands, and potentially deploy additional malicious payloads including credential harvesting tools, lateral movement frameworks, or ransomware.

The use of legitimate collaboration and remote assistance tools such as Microsoft Teams and Quick Assist significantly complicates detection efforts, increasing the risk of prolonged unauthorized access within affected enterprise environments.

IOC and Context Details:

Topics                  Details
Tactic Name             Initial Access, Execution, Defense Evasion, Command and Control, Discovery
Technique Name          Phishing; Remote Services Abuse; DLL Sideloading; Encrypted C2 Communication
Sub Technique Name      IT Support Impersonation via Microsoft Teams; Remote Access Abuse via Quick Assist; DLL Sideloading using malicious hostfxr.dll; DNS MX-based C2 tunneling
Attack Type             Malware
Targeted Applications   Microsoft Teams, Quick Assist, CrossDeviceService
Region Impacted         Canada & Globally
Industry Impacted       Financial services and Healthcare
IOCs                    SHA-256 Hash:
                        26db06a2319c09918225e59c404448d92fe31262834d70090e941093e6bb650a
                        0c99481dcacda99014e1eeef2e12de3db44b5db9879ce33204d3c65469e969ff
                        Domain:
                        fsdgh.com
CVE                     NA

Recommended Actions:

  • Implement strict verification procedures for internal IT support requests and ensure employees independently confirm unsolicited assistance requests received through collaboration platforms such as Microsoft Teams.
  • Restrict or closely monitor the use of remote support tools such as Quick Assist and allow remote sessions only through authorized IT channels.
  • Deploy advanced email filtering and anti-spam solutions capable of detecting and blocking large volumes of spam used to facilitate social engineering campaigns.
  • Monitor and analyze DNS traffic for anomalies, particularly high-entropy subdomains and unusual DNS MX queries that may indicate covert command-and-control activity.
  • Implement endpoint detection and response solutions capable of identifying suspicious behaviors such as DLL sideloading and execution of malicious libraries including hostfxr.dll.
  • Restrict execution of unsigned or untrusted MSI installers and enforce application control policies to prevent unauthorized software installation.
  • Conduct regular employee security awareness training to help staff identify impersonation attempts and social engineering tactics targeting enterprise collaboration tools.
  • Continuously monitor endpoint and network logs for abnormal activity including unauthorized remote sessions, unusual process execution patterns, and unexpected connections to external infrastructure.

Reference:

https://radar.offseq.com/threat/new-a0backdoor-linked-to-teams-impersonation-and-q-a3cec5d5