Cybercriminals Exploit Microsoft Teams to Deploy A0Backdoor Malware
In a concerning development, cybercriminals are leveraging Microsoft Teams and Windows Quick Assist to infiltrate corporate networks, deploying a newly identified malware known as A0Backdoor. This sophisticated social engineering campaign has been linked to the financially motivated group Storm-1811, also referred to as Blitz Brigantine, which has associations with the Black Basta ransomware operations.
The Attack Methodology
The attack typically commences with an email bombing strategy, where the target’s inbox is inundated with a barrage of junk messages. Following this, the victim receives a communication via Microsoft Teams from an individual masquerading as an internal IT support representative. The impostor offers assistance to resolve the email issue and persuades the employee to initiate Quick Assist, a legitimate Microsoft remote-support tool that facilitates screen sharing and device control.
This tactic mirrors previous methods employed by Storm-1811, where attackers utilized Teams messages and calls from counterfeit help desk accounts to request Quick Assist access.
Deployment of Digitally Signed MSI Installers
Upon gaining remote access, the attackers swiftly deploy digitally signed MSI installers, camouflaged as Microsoft Teams-related components and CrossDeviceService packages. Notably, some of these MSI files are hosted on Microsoft’s personal cloud storage through tokenized links, enhancing their perceived legitimacy and complicating forensic analysis.
These installers deposit files into user AppData directories that mimic legitimate Microsoft software locations, employing DLL sideloading techniques to execute malicious code. For instance, a file named Update.msi includes a counterfeit hostfxr.dll, substituting the genuine Microsoft-signed .NET component. This substitution enables the attackers to run their loader while blending seamlessly with standard Windows and Microsoft software operations.
Characteristics of the Loader and A0Backdoor
The loader is designed to evade detection, utilizing runtime decryption, extensive thread creation, and anti-analysis mechanisms, including checks for sandbox artifacts like QEMU. If the environment appears suspicious, the malware can alter its keying logic, rendering the sample ineffective outside the intended conditions.
The final payload, identified as A0Backdoor, is a memory-resident backdoor that profiles the compromised host and communicates through covert DNS tunneling. Instead of directly connecting to attacker infrastructure, the malware sends MX record lookups to public recursive resolvers, embedding encoded data within DNS labels and responses. This method helps the traffic blend in and may evade detections focused on TXT-based DNS tunneling or direct outbound command-and-control sessions.
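As an added, defender-side example that is not from the article, the following Python scores per-client DNS query logs for the pattern described above: MX lookups sent to public recursive resolvers whose leftmost labels are long and high-entropy, as encoded data would be. The log format, the resolver set and the thresholds are assumptions, and the log lines are constructed.

```python
import math
from collections import Counter, defaultdict
# Constructed sample DNS query log (not from the article): time, client,
# query type, query name, resolver. 10.0.0.7 is a mail server doing normal
# MX lookups; 10.0.0.9 shows the pattern described: MX queries to a public
# resolver whose leftmost labels are long and high-entropy.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 MX contoso.com 10.0.0.2
10:00:02 10.0.0.7 MX contoso.com 8.8.8.8
10:00:03 10.0.0.7 MX fabrikam.com 8.8.8.8
10:00:03 10.0.0.7 MX example.net 8.8.8.8
10:00:04 10.0.0.7 MX example.org 8.8.8.8
10:00:05 10.0.0.9 A login.microsoftonline.com 10.0.0.2
10:00:05 10.0.0.9 MX x7qk3pz9vb2mn4lt.c1.tunnel-example.test 8.8.8.8
10:00:06 10.0.0.9 MX a8d2f0qw9ek3lzpr.c1.tunnel-example.test 8.8.8.8
10:00:06 10.0.0.9 MX m5yh1gj6nc0ux8ws.c1.tunnel-example.test 8.8.8.8
10:00:07 10.0.0.9 MX b4te7ri2ov9pa3kq.c1.tunnel-example.test 8.8.8.8
"""
# Assumed set of public recursive resolvers; extend for your environment.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

def shannon_entropy(label):
    """Bits per character; 16 distinct characters give exactly 4.0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def score_clients(log_text, min_mx=4, min_ratio=0.5, min_len=12, min_entropy=3.5):
    """Flag a client only when all four thresholds hold: enough MX queries to public
    resolvers, a high MX share, and long, high-entropy leftmost labels."""
    total, labels = defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, client, qtype, qname, resolver = parts
        total[client] += 1
        if qtype == "MX" and resolver in PUBLIC_RESOLVERS:
            labels[client].append(qname.split(".")[0])  # leftmost label carries the data
    report = {}
    for client, n in total.items():
        k = len(labels[client])
        avg_len = sum(map(len, labels[client])) / k if k else 0.0
        avg_ent = sum(map(shannon_entropy, labels[client])) / k if k else 0.0
        flagged = (k >= min_mx and k / n >= min_ratio
                   and avg_len >= min_len and avg_ent >= min_entropy)
        report[client] = {"total": n, "mx_public": k, "avg_label_len": avg_len,
                          "avg_entropy": avg_ent, "flagged": flagged}
    return report
```

The mail server 10.0.0.7 issues just as many MX queries to a public resolver but fails the label-length and entropy tests, which is what keeps the rule from firing on ordinary mail delivery.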
Implications and Recommendations
This campaign underscores the persistent threat posed by cybercriminals who continuously refine their tactics to exploit trusted platforms and human psychology. Organizations are advised to treat Microsoft Teams as a potential initial-access channel and not merely a collaboration tool. It is recommended to restrict or remove Quick Assist where it is not required, monitor for unusual activities, and educate employees about the risks of social engineering attacks.
By implementing these measures, organizations can enhance their defenses against such sophisticated cyber threats and protect their networks from unauthorized access and potential data breaches.