In a concerning development, hackers have escalated their efforts to exploit Microsoft Teams as a route to unauthorized remote access to corporate systems. BlueVoyant has raised the alarm about a new malware strain, A0Backdoor, which is being deployed through these attacks after employees are tricked into handing over control of their machines.
Evolution of the Social-Engineering Tactics
The attackers’ strategies bear resemblance to those associated with Blitz Brigantine, also known as Storm-1811, a group linked to the Black Basta ransomware. The initial phase of the attack involves overwhelming the target with a barrage of irrelevant emails, followed by contact from a hacker masquerading as internal IT support via Microsoft Teams.
Once trust is established, the attacker convinces the employee to launch Windows Quick Assist, a legitimate tool that allows remote access, under the guise of resolving the email deluge. Microsoft previously highlighted this method in its warning about Storm-1811’s tactics.
Deployment of Malicious Software
Upon securing access, the hackers swiftly deploy digitally signed MSI installers under the pretense of being Microsoft Teams components. These installers are often hosted on Microsoft’s personal cloud storage, lending them a veneer of legitimacy and complicating forensic investigations.
BlueVoyant’s investigation reveals that these installers mimic Microsoft’s software directories and utilize DLL sideloading to execute harmful code. For example, one variant replaced a legitimate .NET component, allowing the attackers to run their loader undetected.
Advanced Malware Techniques
The A0Backdoor malware is engineered to evade detection. It uses runtime decryption and anti-analysis measures, such as checks for sandbox environments, making it challenging for security professionals to analyze. If the environment is deemed suspicious, the malware adjusts its behavior, complicating further analysis.
This backdoor communicates through covert DNS tunneling, avoiding direct connections to attacker servers. By using public DNS resolvers, the malware’s traffic blends in with normal network activity, making it difficult to detect.
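A defender-side heuristic for the DNS behaviour described above, added here as an example and not taken from BlueVoyant's report: it scans constructed DNS query logs for hosts that bypass the internal resolver in favour of public ones, and for domains that receive many long, high-entropy subdomain labels, the pattern a tunnel leaves when data rides in the query name. The resolver addresses, the log format and the domain are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, one "client resolver queried_name" record per line (not real telemetry).
SAMPLE_LOG = """\
10.0.0.21 10.0.0.5 login.microsoftonline.com
10.0.0.21 10.0.0.5 teams.microsoft.com
10.0.0.34 8.8.8.8 7a9f3c1e2b8d4f6a0c5e9b1d3f7a2c4e.upd-cache.example
10.0.0.34 8.8.8.8 c3e1b9f7d2a4e6c8b0f1a3d5e7c9b2f4.upd-cache.example
10.0.0.34 8.8.8.8 e5d7c9b1a3f2e4d6c8b0a2f4e6d8c0b2.upd-cache.example
10.0.0.34 8.8.8.8 b2d4f6a8c0e2b4d6f8a0c2e4b6d8f0a2.upd-cache.example
10.0.0.34 1.1.1.1 9f1e3d5c7b9a2f4e6d8c0b2a4f6e8d0c.upd-cache.example
10.0.0.34 8.8.8.8 www.bing.com
10.0.0.50 10.0.0.5 cdn.office.net
"""
INTERNAL_RESOLVERS = {"10.0.0.5"}  # assumed corporate DNS servers; anything else counts as a public resolver

def shannon_entropy(label):
    # Bits per character; encoded or encrypted data sits near the 4.0 ceiling for hex text
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registered_domain(name):
    # Naive two-label cut; a production version would consult the public suffix list
    return ".".join(name.split(".")[-2:])

def analyze(log, min_unique_labels=4, min_avg_len=20, min_avg_entropy=3.0):
    external = defaultdict(set)   # client -> public resolvers it queried directly
    labels = defaultdict(set)     # (client, registered domain) -> distinct leftmost labels seen
    for line in log.splitlines():
        client, resolver, name = line.split()
        if resolver not in INTERNAL_RESOLVERS:
            external[client].add(resolver)
        parts = name.split(".")
        if len(parts) > 2:
            labels[(client, registered_domain(name))].add(parts[0])
    tunnels = []
    for (client, domain), subs in labels.items():
        # Many distinct, long, high-entropy labels under one domain look like data in the query name
        if len(subs) < min_unique_labels:
            continue
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            tunnels.append({"client": client, "domain": domain, "unique_labels": len(subs),
                            "avg_entropy": round(avg_ent, 2), "uses_public_resolver": client in external})
    return {"tunnels": tunnels, "public_resolver_clients": {c: sorted(r) for c, r in external.items()}}
```

Hosts that appear in both lists deserve first attention: a workstation talking to public resolvers is already outside policy, and a tunnel-shaped query pattern on top of that is the signature the paragraph describes.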
Implications for Cybersecurity
This ongoing campaign underscores the importance of viewing Microsoft Teams as a potential entry point for cyber attacks. Organizations are advised to limit the use of Quick Assist and remain vigilant for unsolicited external interactions via Teams. Furthermore, monitoring for unusual signed MSI installers is crucial in preventing such breaches.
BlueVoyant’s findings indicate that while the attackers have refined their methods, their core strategy remains effective. By enhancing their tools and adopting more covert techniques, they continue to pose a significant threat. Staying informed and implementing robust security measures are essential steps for organizations to safeguard against these evolving cyber threats.
