Cybercriminals are targeting financial and healthcare workers via Microsoft Teams by posing as IT support to gain remote access through Quick Assist and install a new malware dubbed A0Backdoor. This social engineering tactic begins with an intentional spam flood to the victim’s inbox, providing a false pretext for the attacker to reach out and offer "help" with the issue.
The attack sequence starts when the threat actor convinces an employee to initiate a Quick Assist session, which hands the attacker control of the workstation. Once access is established, the attacker downloads malicious, digitally signed MSI installers from a personal Microsoft cloud storage account. These files are designed to look like legitimate software, often mimicking Microsoft Teams components or Windows system tools such as the CrossDeviceService, to avoid raising suspicion.
To execute the core of the attack, the intruders use a technique known as DLL sideloading. By abusing legitimate Microsoft binaries, they trigger the loading of a malicious library named hostfxr.dll, which contains encrypted data. This library stays in the computer’s memory, where it decrypts itself into shellcode and hijacks execution. The method lets the malware run inside the context of a trusted, signed process, blending in with normal system activity.
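As an added illustration of the sideloading pattern described above (example code written for this page, not from the article or from BlueVoyant's research), the following detector scans Sysmon-style image-load records and flags a known-abused DLL name that is loaded from a directory other than the one where the genuine file is installed. The log format, the user and temp paths, and the CrossDeviceService.exe process in the sample records are constructed for the example; the only details taken from the article are the DLL name hostfxr.dll and the use of a trusted binary to load it. The expected-directory list reflects where the real .NET host resolver lives and would be tuned per environment.

```python
"""
Added example (not the article's or BlueVoyant's code): flag DLL sideloading
where a watched module such as hostfxr.dll is loaded from outside the
directory in which the legitimate copy is installed.
"""
import ntpath
from dataclasses import dataclass

# Known-good install roots for DLLs that are common sideloading targets.
# hostfxr.dll is the .NET host resolver and is normally installed under
# <dotnet root>\host\fxr\<version>\. The list is an assumption for this
# example and would be extended per environment.
EXPECTED_DIRS = {
    "hostfxr.dll": [
        "c:\\program files\\dotnet\\host\\fxr\\",
        "c:\\program files (x86)\\dotnet\\host\\fxr\\",
    ],
}


@dataclass
class ImageLoad:
    process: str   # full path of the process that loaded the DLL
    image: str     # full path of the DLL that was loaded
    signed: bool   # whether the DLL carried a valid signature


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'key=value|key=value' image-load record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        process=fields["Image"],
        image=fields["ImageLoaded"],
        signed=fields.get("SignatureStatus", "").lower() == "valid",
    )


def is_sideload(ev: ImageLoad) -> bool:
    """True when a watched DLL name is loaded from outside its expected roots."""
    name = ntpath.basename(ev.image).lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return False
    directory = ntpath.dirname(ev.image).lower() + "\\"
    return not any(directory.startswith(root) for root in expected)


def find_sideloads(lines):
    """Return the events that look like sideloaded DLLs."""
    return [ev for ev in map(parse_event, lines) if is_sideload(ev)]


# Constructed sample records: a benign load from the dotnet directory, a
# hostfxr.dll dropped next to a Teams-lookalike executable in %TEMP%, and an
# unrelated system DLL that is not on the watch list.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\dotnet\dotnet.exe|ImageLoaded=C:\Program Files\dotnet\host\fxr\8.0.0\hostfxr.dll|SignatureStatus=Valid",
    r"Image=C:\Users\alice\AppData\Local\Temp\TeamsUpdate\CrossDeviceService.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\TeamsUpdate\hostfxr.dll|SignatureStatus=Unavailable",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"sideload suspect: {hit.process} loaded {hit.image} (signed={hit.signed})")
```

The check keys on the load path rather than on the signature of the loading process, because in this campaign the host binary is a genuine signed Microsoft file and only the DLL beside it is malicious; a rule that trusts signed parents would miss it.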
The researchers at BlueVoyant found that the malicious library uses specific tricks to frustrate security analysts. By calling the CreateThread function to spawn an excessive number of threads, the malware attempts to crash debuggers and other analysis tools. While this flood of activity can prevent a security professional from inspecting the code, it has little to no noticeable impact on the computer’s performance during a standard infection.
In the final stage of the compromise, the shellcode runs a check to ensure it is not being monitored in a sandbox environment. If the coast is clear, it generates a unique SHA-256-derived key to decrypt the A0Backdoor payload, which is protected by AES encryption. Once active, this backdoor gives the attackers persistent access to the organization’s network, allowing for data theft or further exploitation.
Source: Microsoft Teams Phishing Campaign Targets Employees With A0Backdoor Malware