Hackers Pose as IT Staff in Microsoft Teams to Install Malware
Briefly

"The malware's loader exhibits anti-sandbox evasion, and the campaign's command-and-control appears to have pivoted to a covert DNS mail exchange-based channel that confines endpoint traffic to trusted recursive resolvers. This group is linked to ransomware operations such as Black Basta and Cactus and is known for using social engineering to gain initial access before deploying malware or launching follow-on ransomware attacks."
"In this campaign, attackers first gain access through social engineering, impersonating internal IT personnel. After convincing victims to grant access - often through remote support tools such as Quick Assist - the attackers deploy malicious MSI installer packages designed to appear as legitimate Teams-related software updates. These installers frequently use names such as Update.msi or UpdateFX.msi and are crafted to blend into normal enterprise workflows."
"The packages typically include a mix of legitimate Microsoft-signed binaries alongside attacker-controlled DLL files. This combination enables a technique known as DLL sideloading, in which a trusted application loads malicious code, allowing attackers to execute their payload while maintaining a veneer of legitimacy within enterprise environments."
A sophisticated malware campaign leverages Microsoft Teams impersonation and social engineering to distribute A0Backdoor, a stealthy payload designed for persistent network access. Attackers impersonate internal IT personnel to convince victims to grant remote access via tools like Quick Assist. They then deploy malicious MSI installer packages disguised as legitimate Teams software updates, using names such as Update.msi or UpdateFX.msi. These installers drop files into Microsoft service directories and employ DLL sideloading by combining legitimate Microsoft-signed binaries with attacker-controlled DLL files. The malware features anti-sandbox evasion capabilities and uses covert DNS mail exchange-based command-and-control communications. The campaign primarily targets finance and healthcare sectors and aligns with tactics from Blitz Brigantine (Storm-1811), a threat actor cluster linked to Black Basta and Cactus ransomware operations.
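Two of the indicators in the summary above lend themselves to simple log-based detection: installer packages named Update.msi or UpdateFX.msi being run through msiexec, and workstations issuing DNS MX queries, which ordinary endpoints have little reason to do (mail servers do, so they are allowlisted). The script below is an added example written for this page, not code from the TechRepublic article or from any vendor; the `SAMPLE_EVENTS` lines and their key=value format are constructed, the hostnames and `c2.invalid` domain are placeholders, and the threshold of three MX queries per host is an assumed tuning value.

```python
"""Detections for two indicators described in the campaign summary:
suspicious MSI installer names and MX-heavy DNS activity from endpoints.

Added example. The key=value event format below is hypothetical and the
sample lines are constructed, not real telemetry.
"""
import re
from collections import Counter

# Installer names reported in the campaign; matched on the basename, case-insensitively.
SUSPECT_MSI_NAMES = {"update.msi", "updatefx.msi"}

# key=value or key="quoted value" pairs (quoted values may contain spaces and backslashes).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# First .msi token in a command line (quote-aware parsing would be needed for paths with spaces).
MSI_RE = re.compile(r'([^\s"]+\.msi)\b', re.IGNORECASE)

# Constructed sample events (placeholders only; "c2.invalid" uses the reserved .invalid TLD).
SAMPLE_EVENTS = [
    r'ts=2024-01-01T09:00:01 host=WS01 type=process image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /i C:\Users\a\Downloads\Update.msi /qn"',
    r'ts=2024-01-01T09:00:05 host=WS01 type=dns qtype=MX qname=a1f9.c2.invalid',
    r'ts=2024-01-01T09:00:06 host=WS01 type=dns qtype=MX qname=b7c2.c2.invalid',
    r'ts=2024-01-01T09:00:07 host=WS01 type=dns qtype=MX qname=c3d4.c2.invalid',
    r'ts=2024-01-01T09:00:08 host=WS01 type=dns qtype=MX qname=d9e0.c2.invalid',
    r'ts=2024-01-01T09:00:09 host=WS01 type=dns qtype=A qname=teams.microsoft.com',
    r'ts=2024-01-01T09:01:00 host=WS02 type=process image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /i C:\Temp\UpdateFX.msi"',
    r'ts=2024-01-01T09:01:30 host=WS03 type=process image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /i C:\Temp\Office_x64.msi /qn"',
    r'ts=2024-01-01T09:02:00 host=WS03 type=dns qtype=MX qname=example.invalid',
    r'ts=2024-01-01T09:02:10 host=MAIL01 type=dns qtype=MX qname=partner.invalid',
    r'ts=2024-01-01T09:02:11 host=MAIL01 type=dns qtype=MX qname=other.invalid',
    r'ts=2024-01-01T09:02:12 host=MAIL01 type=dns qtype=MX qname=third.invalid',
]


def parse_event(line):
    """Parse one key=value line into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}


def msi_basename(cmdline):
    """Return the basename of the first .msi referenced in a command line, or None."""
    match = MSI_RE.search(cmdline)
    if not match:
        return None
    return re.split(r"[\\/]", match.group(1))[-1]


def find_suspicious_msi(lines):
    """Hosts that executed an installer whose name matches the reported campaign names."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("type") != "process":
            continue
        name = msi_basename(ev.get("cmdline", ""))
        if name and name.lower() in SUSPECT_MSI_NAMES:
            hits.append((ev["host"], name))
    return hits


def find_mx_heavy_hosts(lines, threshold=3, allowlist=frozenset()):
    """Hosts (excluding allowlisted mail servers) issuing at least `threshold` MX queries.

    The summary notes the C2 channel rides over the endpoint's trusted recursive
    resolver, so the query type seen at the resolver or DNS client is the signal,
    not the resolver destination.
    """
    counts = Counter()
    for ev in map(parse_event, lines):
        if ev.get("type") == "dns" and ev.get("qtype") == "MX" and ev.get("host") not in allowlist:
            counts[ev["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("suspicious MSI runs:", find_suspicious_msi(SAMPLE_EVENTS))
    print("MX-heavy endpoints:", find_mx_heavy_hosts(SAMPLE_EVENTS, allowlist={"MAIL01"}))
```

On the constructed sample, WS01 and WS02 are flagged for the installer names and only WS01 crosses the MX threshold; WS03's single MX lookup and the mail server's legitimate volume are not reported. The installer-name check is a weak indicator on its own (the names are generic) and is best correlated with the Quick Assist session and the unsigned DLL drop described above.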
Read at TechRepublic