Beware: Microsoft Teams Phishing Attack Exposes Employees to A0Backdoor Malware

Microsoft Teams Phishing Campaign Targets Employees with Backdoors

Financial and healthcare organizations face a new threat: attackers use Microsoft Teams to trick employees into granting remote access through Quick Assist, then deploy a piece of malware called A0Backdoor.

The attackers employ social engineering tactics to gain the trust of employees. They flood inboxes with spam and then reach out over Teams, posing as IT staff to offer assistance with unwanted messages.

To gain access to the victim’s machine, the threat actor instructs the user to initiate a Quick Assist remote session. This session is used to deploy a malicious toolset that includes digitally signed MSI installers hosted in a personal Microsoft cloud storage account.

Researchers at cybersecurity company BlueVoyant have identified that the malicious MSI files masquerade as Microsoft Teams components and the CrossDeviceService, a legitimate Windows tool utilized by the Phone Link app.

Malicious Library Deployment

Using the DLL sideloading technique with legitimate Microsoft binaries, the attacker deploys a malicious library (hostfxr.dll) containing encrypted data. Once loaded in memory, the library decrypts the data into shellcode and transfers execution to it.

The malicious library also calls the CreateThread function excessively as an anti-analysis measure. The resulting flood of threads can crash a debugger, while having minimal impact under normal execution.

The shellcode performs sandbox detection and derives a SHA-256-based key to decrypt the A0Backdoor payload, which is encrypted with AES.

Communication and Fingerprinting

The malware relocates itself into a new memory region, decrypts its core routines, and uses Windows API calls to collect information about the host and fingerprint it. Communication with the command-and-control (C2) is concealed within DNS traffic.


The malware sends DNS MX queries with encoded metadata to public recursive resolvers, receiving encoded command data in response. This technique helps the malware blend in and evade detection.
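One defender-side check that follows from this technique, added here as an example and not taken from BlueVoyant's report or the article: a small Python detector that scans a DNS query log for the pattern described, MX queries carrying many distinct high-entropy subdomain labels under a single parent domain, sent from an endpoint straight to a public recursive resolver. The log format, the IPs and domains, and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed sample DNS query log (format assumed): client resolver qtype qname
SAMPLE_LOG = """\
10.0.0.5 10.0.0.1 A mail.example.com
10.0.0.5 8.8.8.8 MX a3f9c1d0e7b2.k5m8q2z1w9x4.example-cdn.net
10.0.0.5 8.8.8.8 MX 7c2e9b4a1d6f.p0r3t8v5y2n6.example-cdn.net
10.0.0.5 8.8.8.8 MX e1b7d4c9f2a5.h4j9l2s6u1b8.example-cdn.net
10.0.0.7 10.0.0.1 MX example.org
"""

# Well-known public recursive resolvers; endpoints should normally use the internal resolver.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

def shannon_entropy(text: str) -> float:
    """Bits per character: encoded or random labels score high, dictionary words low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def parent_domain(qname: str) -> str:
    """Registrable-domain approximation: the last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def detect_mx_tunneling(log_text: str, min_hits: int = 3, min_entropy: float = 3.0) -> list:
    """Return (client, parent, reasons) for clients whose MX queries look like a covert channel:
    many distinct high-entropy subdomains under one parent, sent to a public resolver."""
    groups = defaultdict(lambda: {"subs": set(), "entropy": 0, "public": 0})
    for line in log_text.splitlines():
        parts = line.rstrip(".").split()  # drop a trailing dot on the qname if present
        if len(parts) != 4 or parts[2] != "MX":
            continue
        client, resolver, _, qname = parts
        parent = parent_domain(qname)
        sub = qname[: -len(parent) - 1]  # labels left of the parent domain
        if not sub:
            continue  # "MX example.org" with no subdomain is ordinary mail traffic
        g = groups[(client, parent)]
        g["subs"].add(sub)
        g["entropy"] += shannon_entropy(sub.replace(".", "")) >= min_entropy
        g["public"] += resolver in PUBLIC_RESOLVERS
    findings = []
    for (client, parent), g in groups.items():
        signals = ((len(g["subs"]), "many distinct MX subdomains"),
                   (g["entropy"], "high-entropy labels"),
                   (g["public"], "queries sent to a public resolver"))
        reasons = [why for hits, why in signals if hits >= min_hits]
        if len(reasons) >= 2:  # require corroborating signals to limit false positives
            findings.append((client, parent, reasons))
    return findings
```

In production the same logic would run over resolver or firewall DNS logs, and a rule blocking endpoint egress on UDP/TCP 53 to anything but the corporate resolver removes the public-resolver leg outright.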

Evolution of Tactics

BlueVoyant reports that the campaign has targeted a financial institution in Canada and a global healthcare organization. The researchers assess with moderate-to-high confidence that the campaign is linked to the BlackBasta ransomware gang, and note that it incorporates new elements: signed MSIs, malicious DLLs, the A0Backdoor payload, and DNS MX-based C2 communication.

The use of these tactics signifies an evolution in cyber threats, demonstrating the need for organizations to stay vigilant and update their security measures accordingly.
