Cybercriminals are targeting employees in financial and healthcare sectors through Microsoft Teams conversations, using Quick Assist remote access tools to deploy a new malware strain designated A0Backdoor. The attack begins with attackers flooding victims' inboxes with spam, then impersonating IT staff over Teams to offer assistance with the unwanted messages. Victims are directed to initiate Quick Assist sessions, enabling attackers to deploy malicious signed MSI installers hosted in personal Microsoft cloud storage.
The fraudulent installers masquerade as legitimate Microsoft Teams components and the CrossDeviceService associated with the Phone Link application. Using DLL sideloading techniques with authentic Microsoft binaries, attackers deploy a malicious hostfxr.dll library containing compressed encrypted data that decrypts into shellcode upon memory loading. The library employs excessive thread creation via CreateThread to complicate analysis and evade debugging tools.
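The sideloading step described above leaves a distinctive trace: a binary named hostfxr.dll (the .NET host resolver) loaded without a valid Microsoft signature, typically from the same user-writable directory as the signed executable that loads it. The following is an added detection example, not code from the article or from BlueVoyant; it runs a rule of that shape over constructed Sysmon-style Event ID 7 (Image Loaded) records. The file paths, the signer strings and the user-writable-directory heuristic are assumptions for illustration.

```python
import ntpath

# Constructed Sysmon-style Event ID 7 (Image Loaded) records. These are
# illustrative only and are not events from the campaign in the article.
SAMPLE_EVENTS = [
    {  # the real .NET host resolver loaded by dotnet.exe: benign
        "EventID": 7,
        "Image": r"C:\Program Files\dotnet\dotnet.exe",
        "ImageLoaded": r"C:\Program Files\dotnet\host\fxr\8.0.4\hostfxr.dll",
        "Signed": "true",
        "Signature": "Microsoft Corporation",
        "SignatureStatus": "Valid",
    },
    {  # a self-contained .NET app shipping Microsoft's own hostfxr.dll: benign
        "EventID": 7,
        "Image": r"C:\Program Files\Contoso\ContosoApp.exe",
        "ImageLoaded": r"C:\Program Files\Contoso\hostfxr.dll",
        "Signed": "true",
        "Signature": "Microsoft Corporation",
        "SignatureStatus": "Valid",
    },
    {  # hypothetical sideload: signed host EXE in a user-writable folder
       # next to an unsigned hostfxr.dll (paths are made up)
        "EventID": 7,
        "Image": r"C:\Users\alice\AppData\Local\CrossDeviceService\CrossDeviceService.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\CrossDeviceService\hostfxr.dll",
        "Signed": "false",
        "Signature": "",
        "SignatureStatus": "Unavailable",
    },
    {  # hostfxr.dll carrying a valid but non-Microsoft signature
        "EventID": 7,
        "Image": r"C:\Program Files\Contoso\ContosoApp.exe",
        "ImageLoaded": r"C:\Program Files\Contoso\hostfxr.dll",
        "Signed": "true",
        "Signature": "Contoso Ltd",
        "SignatureStatus": "Valid",
    },
    {  # unrelated image load: ignored
        "EventID": 7,
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {  # not an image-load event: ignored
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
    },
]

# Assumption: directories matching these markers are writable by a normal user.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tmp\\")


def is_microsoft_signed(event):
    """True only when Sysmon verified the signature and the signer is Microsoft."""
    return (
        event.get("SignatureStatus") == "Valid"
        and "microsoft" in event.get("Signature", "").lower()
    )


def is_user_writable(path):
    """Heuristic (assumption): user profiles, ProgramData and temp directories."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def classify_image_load(event):
    """Return a finding dict for a suspicious hostfxr.dll load, or None."""
    if event.get("EventID") != 7:
        return None
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "hostfxr.dll":
        return None
    if is_microsoft_signed(event):
        return None  # genuine runtime component, wherever it lives on disk
    loader = event.get("Image", "")
    side_by_side = ntpath.dirname(loader).lower() == ntpath.dirname(loaded).lower()
    if side_by_side and is_user_writable(loaded):
        severity = "high"
        reason = "non-Microsoft hostfxr.dll beside its loader in a user-writable directory"
    else:
        severity = "medium"
        reason = "hostfxr.dll without a valid Microsoft signature"
    return {"severity": severity, "reason": reason, "image": loader, "image_loaded": loaded}


def scan_events(events):
    """Run classify_image_load over a record list and keep only the findings."""
    return [f for f in (classify_image_load(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['image']} -> {finding['image_loaded']}: {finding['reason']}")
```

The signature check is the primary condition because self-contained .NET applications legitimately ship their own hostfxr.dll outside the dotnet install directory; path alone would produce false positives. The side-by-side plus user-writable condition only raises severity, since that combination is the classic sideloading layout the article describes.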
The extracted shellcode performs sandbox detection, then derives an AES key via SHA-256 and uses it to decrypt the A0Backdoor payload. Once active, the malware collects host information through Windows API calls and communicates with command-and-control infrastructure through DNS MX queries, embedding encoded metadata in high-entropy subdomains. Because MX lookups are routine on any network that sends mail, this DNS tunneling approach blends with normal traffic and sidesteps detection logic tuned for TXT-based DNS channels.
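The point in the paragraph above is that the channel is visible if detection looks at MX queries the way it already looks at TXT queries: a single client issuing a burst of MX lookups for long, high-entropy subdomains under one parent domain. The following is an added example of that detection logic, not code from the article or from BlueVoyant. It runs over a constructed DNS query log (timestamp, client, query type, name) and groups high-entropy queries by client and parent domain; the log format, the entropy and length thresholds, and the two-label parent-domain heuristic are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log sample (not from the report), one query per line:
# "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.2.34 A www.example.com
2024-05-01T09:00:02Z 10.1.2.34 MX example.com
2024-05-01T09:00:03Z 10.1.2.35 MX corp-mail.example.net
2024-05-01T09:00:04Z 10.1.2.34 MX q7x2v9k4m8p1r5t3z6b0.resolver-cdn.test
2024-05-01T09:00:05Z 10.1.2.34 MX h3n8w1c6f4y9j2l7d5s0.resolver-cdn.test
2024-05-01T09:00:06Z 10.1.2.34 MX a9e4r7t2u5i8o1p3k6g0.resolver-cdn.test
2024-05-01T09:00:07Z 10.1.2.34 TXT v1k2m3n4w5x6y7z8q9r0.resolver-cdn.test
"""


def shannon_entropy(s):
    """Bits per character: ~2 for ordinary hostnames, above 3.5 for encoded data."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a name into (subdomain, parent).

    Assumption: the parent is the last two labels. Production code should
    use the public suffix list so that e.g. co.uk is handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    """Parse one line of the assumed four-field log format."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname


def find_mx_tunnels(log_text, min_entropy=3.5, min_len=16, min_queries=3, qtypes=("MX",)):
    """Group high-entropy queries of the given types by (client, parent domain)
    and return the groups that reach min_queries, keyed to the names seen."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        if qtype not in qtypes:
            continue
        sub, parent = split_qname(qname)
        # Short or low-entropy subdomains (mail, corp-mail, ...) are normal.
        if len(sub) < min_len or shannon_entropy(sub) < min_entropy:
            continue
        groups[(client, parent)].append(qname)
    return {key: names for key, names in groups.items() if len(names) >= min_queries}


if __name__ == "__main__":
    for (client, parent), names in find_mx_tunnels(SAMPLE_LOG).items():
        print(f"{client} -> {parent}: {len(names)} high-entropy MX queries")
        for name in names:
            print("   ", name)
```

With the default qtypes the TXT line in the sample is ignored, which is exactly the blind spot the article describes; passing qtypes=("MX", "TXT") covers both channels with the same rule. Thresholds are per-environment: a mail relay legitimately issues many MX queries, but for short, low-entropy names, so the entropy and length filters are what separate it from a tunnel.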
BlueVoyant researchers identified a Canadian financial institution and a global healthcare organization among the campaign's targets. The activity shows moderate-to-high confidence alignment with tactics associated with the BlackBasta ransomware group, though notable evolutions include signed MSI usage, malicious DLL deployment, and the novel DNS MX-based communication channel. The BlackBasta operation reportedly dissolved following internal chat log leaks, suggesting this campaign may represent an evolved iteration of their methodology.
