A0Backdoor Emerges from BlackBasta's Ashes via Teams Phishing
Overview
A new malware called A0Backdoor is being deployed against financial and healthcare organizations through Microsoft Teams social engineering. Researchers at BlueVoyant linked the campaign, with moderate-to-high confidence, to an evolution of the BlackBasta ransomware gang’s tactics following the group’s apparent dissolution. The malware uses an unusual DNS MX record-based command-and-control channel that most security monitoring is not tuned to catch.
Technical Details
The attack begins with a deliberate flood of spam to the target’s inbox. The threat actor then contacts the victim over Microsoft Teams, posing as internal IT support and offering to help clear the unwanted messages. Once trust is established, the victim is asked to initiate a Quick Assist remote access session.
With remote access secured, the attacker deploys digitally signed MSI installers hosted in a personal Microsoft cloud storage account. These installers masquerade as Microsoft Teams components and the CrossDeviceService, a legitimate Windows tool used by the Phone Link app.
The real payload arrives through DLL sideloading. The attacker abuses legitimate Microsoft binaries to load a malicious library named hostfxr.dll (the name of the .NET host resolver that .NET Core applications load at startup, which is what makes it a convenient sideloading target). This library contains compressed or encrypted data that, once loaded into memory, decrypts into shellcode. BlueVoyant notes that the malicious library also spawns an excessive number of threads via the CreateThread function, a technique intended to crash debuggers during analysis without affecting normal execution.
The shellcode runs sandbox detection checks before generating a SHA-256-derived key. That key is used to decrypt the A0Backdoor payload, which is encrypted with AES. Once active, the backdoor relocates itself into a new memory region, decrypts its core routines, and uses Windows API calls (DeviceIoControl, GetUserNameExW, GetComputerNameW) to fingerprint the host.
The most technically interesting piece is the C2 channel. Instead of the usual HTTPS callbacks or DNS TXT-record tunneling, A0Backdoor sends DNS MX queries for high-entropy subdomains that encode metadata about the host. The queries go to public recursive resolvers, which forward them to the authoritative name server for the attacker's domain; that server answers with MX records carrying encoded command data. Since an MX record holds only a 16-bit preference value and a mail-exchanger hostname, the command data has to be packed into that hostname.
As BlueVoyant explains: “Using DNS MX records helps the traffic blend in and can evade controls tuned to detect TXT-based DNS tunneling, which may be more commonly monitored.”
Think about that for a moment. Most DNS monitoring focuses on TXT records because that is where tunneling traditionally happens. Workstations rarely issue MX queries at all (a mail client talks to its mail server; only the mail server resolves MX records to route outbound mail), so an MX lookup from an endpoint is suspicious on its face, yet that same rarity means few detection rules explicitly target it.
Impact
This campaign poses a direct threat to enterprises that allow external Microsoft Teams communication. Two confirmed targets are a financial institution in Canada and a global healthcare organization.
The use of signed MSI installers and legitimate Microsoft binaries for DLL sideloading makes initial detection difficult. Endpoint tools that rely on binary reputation or code signing verification may not flag the first stages of the attack. The DNS MX-based C2 channel adds another layer of evasion, since organizations that do monitor DNS tunneling tend to focus on TXT records.
The connection to BlackBasta is worth paying attention to. After the group’s internal chat logs leaked earlier this year, the operation appeared to dissolve. BlueVoyant’s assessment suggests that the operators have not retired. They have evolved their tooling instead. The signed MSIs, the A0Backdoor payload, and the DNS MX C2 mechanism are all new additions to the playbook. The social engineering approach (spam bombing followed by a Teams call impersonating IT) is unchanged.
For security teams that previously tracked BlackBasta TTPs, this means updating your detection rules. The pre-compromise behavior looks familiar, but the post-compromise tooling has shifted considerably.
Recommended Actions
- Restrict external Teams access. Review your Microsoft Teams external access policies. If your organization does not need communication with external tenants, disable it. If external access is necessary, use allowlists to limit which domains can contact your users.
- Monitor Quick Assist usage. Quick Assist is a legitimate Windows remote access tool, but its use should be logged and alerted on when initiated by non-IT personnel. Consider removing Quick Assist entirely if your organization uses a different remote support solution.
- Hunt for DNS MX anomalies. Review DNS logs for MX queries containing high-entropy subdomains or directed at previously unseen domains. Most legitimate MX lookups come from your mail servers and are predictable and routine. A workstation making MX queries to unfamiliar domains warrants immediate investigation.
- Update DLL sideloading detections. Monitor for unsigned DLLs loaded by signed Microsoft binaries, particularly hostfxr.dll loaded from anywhere other than the .NET installation directory. Note that self-contained .NET applications legitimately ship their own copy of hostfxr.dll beside the executable, so pair the path check with the signature check rather than alerting on the path alone. A legitimate signed binary loading an unexpected, unsigned library is a strong detection signal.
- Train staff on the spam-then-call pattern. Make sure employees understand that this specific social engineering sequence (inbox spam followed by a "helpful" Teams call from someone claiming to be IT) is an active threat. Real IT departments will not cold-call employees via Teams after a spam incident without prior coordination.
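The MX hunt from the recommendation above, applied to the C2 pattern described in the Technical Details section, as an added example. This is not code from the page, from BlueVoyant or from Codex; it assumes a flat DNS query log with one "timestamp client qtype qname" line per query, and the log lines, host names, domains, baseline list and entropy threshold are all constructed for the illustration.

```python
"""Hunt DNS query logs for workstation MX queries with random-looking labels
to unfamiliar domains, the beaconing pattern described above.

Added example, not code from the page or from BlueVoyant or Codex. Assumes a
flat log with one "timestamp client qtype qname" line per query; the sample
log, hosts, domains, baseline and threshold below are constructed.
"""
import math
from collections import Counter

# Constructed sample log. The two MX queries from WKS-0417 mimic the beaconing
# pattern (random-looking labels under one unfamiliar domain); MAIL01 is the
# mail server, whose MX lookups are expected and routine.
SAMPLE_LOG = """\
2025-06-03T09:12:01Z MAIL01   MX contoso.com
2025-06-03T09:12:02Z WKS-0417 A  teams.microsoft.com
2025-06-03T09:12:05Z WKS-0417 MX 7k3q2vx9pz4m1n8r5t0y.cdn-sync-metrics.net
2025-06-03T09:12:09Z WKS-0417 MX b92hd7x1qv6mt0nz4lp8.cdn-sync-metrics.net
2025-06-03T09:12:11Z WKS-0212 A  outlook.office.com
2025-06-03T09:12:14Z WKS-0212 MX mail.partner-bank.example
2025-06-03T09:12:20Z MAIL01   MX partner-bank.example
"""

MAIL_SERVERS = {"MAIL01"}                                   # hosts expected to query MX
KNOWN_MX_DOMAINS = {"contoso.com", "partner-bank.example"}  # baseline of past mail-server lookups
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune against your own baseline


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty or single-symbol string)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Naive registered-domain extraction (last two labels). A real deployment
    should use the Public Suffix List so that suffixes like co.uk are handled."""
    return ".".join(qname.split(".")[-2:])


def max_subdomain_entropy(qname: str) -> float:
    """Highest entropy among the labels left of the registered domain."""
    labels = qname.split(".")[:-2]
    return max((shannon_entropy(label) for label in labels), default=0.0)


def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def hunt_mx_queries(log_text: str, mail_servers=MAIL_SERVERS,
                    known_domains=KNOWN_MX_DOMAINS, threshold=ENTROPY_THRESHOLD):
    """Return (client, qname, reasons) for every MX query from a non-mail host
    that targets an unfamiliar domain or carries a high-entropy label."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qtype"] != "MX" or rec["client"] in mail_servers:
            continue
        domain = registered_domain(rec["qname"])
        entropy = max_subdomain_entropy(rec["qname"])
        reasons = []
        if domain not in known_domains:
            reasons.append(f"MX lookup for unseen domain {domain}")
        if entropy >= threshold:
            reasons.append(f"high-entropy subdomain label ({entropy:.2f} bits/char)")
        if reasons:
            findings.append((rec["client"], rec["qname"], reasons))
    return findings


def beacon_summary(findings) -> Counter:
    """Count flagged queries per (client, registered domain): repeated hits on
    one domain from one workstation are the beaconing signature to escalate."""
    return Counter((client, registered_domain(qname)) for client, qname, _ in findings)


if __name__ == "__main__":
    hits = hunt_mx_queries(SAMPLE_LOG)
    for client, qname, reasons in hits:
        print(f"{client} -> {qname}: {'; '.join(reasons)}")
    for (client, domain), count in beacon_summary(hits).items():
        print(f"{client} queried MX for {domain} {count} times")
```

On the sample log the two WKS-0417 queries are flagged on both counts (unseen domain and a label above the entropy threshold), while the WKS-0212 lookup of a baseline domain with a plain "mail" label is not. In production, build the baseline from your mail servers' historical MX lookups and treat any repeated hits from one workstation on one domain as the escalation trigger.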
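The sideloading detection from the recommendation above, covering the hostfxr.dll technique described in the Technical Details section, as an added example. This is not code from the page, from BlueVoyant or from Codex. It assumes Sysmon Event ID 7 (ImageLoad) records exported to dicts keyed by Sysmon's own field names (Image, ImageLoaded, Signed, Signature, SignatureStatus) plus one field Sysmon's ImageLoad event does not carry, ImageSigner, the signer of the loading executable, assumed to be joined in from a file-inventory or code-signing scan. The sample events, paths and executable names are constructed.

```python
"""Flag DLL-sideloading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example, not code from the page or from BlueVoyant or Codex. Assumes
events exported to dicts with Sysmon's field names, plus an assumed
ImageSigner field (signer of the loading exe, joined in from a file inventory;
not a native Sysmon ImageLoad field). Sample events are constructed.
"""
import ntpath

# Where hostfxr.dll legitimately lives on a framework-dependent .NET install.
DOTNET_ROOTS = (r"c:\program files\dotnet\", r"c:\program files (x86)\dotnet\")
WATCHED_DLLS = {"hostfxr.dll"}
MICROSOFT_SIGNER = "microsoft corporation"

SAMPLE_EVENTS = [
    {   # benign: the .NET muxer loading the runtime's own hostfxr.dll
        "Image": r"C:\Program Files\dotnet\dotnet.exe",
        "ImageSigner": "Microsoft Corporation",
        "ImageLoaded": r"C:\Program Files\dotnet\host\fxr\8.0.4\hostfxr.dll",
        "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid",
    },
    {   # sideload: a Microsoft-signed exe dropped by an installer loads an
        # unsigned hostfxr.dll sitting next to it (hypothetical file names)
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\MSI4F2A.tmp\TeamsHelper.exe",
        "ImageSigner": "Microsoft Corporation",
        "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\MSI4F2A.tmp\hostfxr.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # weaker signal: a third-party self-contained .NET app ships a signed
        # hostfxr.dll beside its exe, legitimate but outside the dotnet root
        "Image": r"C:\Users\jdoe\Apps\Tool\Tool.exe",
        "ImageSigner": "Contoso Ltd",
        "ImageLoaded": r"C:\Users\jdoe\Apps\Tool\hostfxr.dll",
        "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid",
    },
    {   # out of scope: non-Microsoft loader pulling its own unsigned plugin
        "Image": r"C:\Program Files\Vendor\vendor.exe",
        "ImageSigner": "Vendor Inc",
        "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
]


def norm(path: str) -> str:
    """Case-fold and normalise separators so prefix checks work on any platform."""
    return ntpath.normcase(path)


def under_dotnet_root(path: str) -> bool:
    return norm(path).startswith(DOTNET_ROOTS)


def same_directory(loader: str, dll: str) -> bool:
    return ntpath.dirname(norm(loader)) == ntpath.dirname(norm(dll))


def classify(event: dict):
    """Return a finding dict for a suspicious load, or None."""
    loader, dll = event["Image"], event["ImageLoaded"]
    loader_is_ms = event.get("ImageSigner", "").lower() == MICROSOFT_SIGNER
    dll_valid = event["Signed"] == "true" and event["SignatureStatus"] == "Valid"
    reasons, severity = [], None

    # Strong signal: a Microsoft-signed executable loading a DLL that is unsigned
    # or fails validation, worse still when the DLL sits beside the loader.
    if loader_is_ms and not dll_valid:
        reasons.append("Microsoft-signed loader pulled a DLL without a valid signature")
        if same_directory(loader, dll):
            reasons.append("DLL resolved from the loader's own directory (side-load path)")
        severity = "high"

    # Weaker signal: a watched runtime DLL outside the .NET install. Self-contained
    # .NET apps do this legitimately, so on its own it only rates medium.
    if ntpath.basename(norm(dll)) in WATCHED_DLLS and not under_dotnet_root(dll):
        reasons.append(f"{ntpath.basename(dll)} loaded from outside the .NET install directory")
        severity = severity or "medium"

    if not reasons:
        return None
    return {"image": loader, "dll": dll, "severity": severity, "reasons": reasons}


def hunt_sideloads(events):
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt_sideloads(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['image']} -> {finding['dll']}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

The ordering of the two rules is the point: the signature check is what separates the sideload from a self-contained .NET application that legitimately carries its own hostfxr.dll, so the path rule only adds weight and never fires at high severity on its own.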
MITRE ATT&CK Mapping
| Technique ID | Name |
|---|---|
| T1566.003 | Phishing: Spearphishing via Service (Microsoft Teams) |
| T1219 | Remote Access Software (Quick Assist) |
| T1218.007 | System Binary Proxy Execution: Msiexec (signed MSI installers) |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading (hostfxr.dll) |
| T1027 | Obfuscated Files or Information (AES-encrypted payload) |
| T1071.004 | Application Layer Protocol: DNS (MX record C2) |
| T1082 | System Information Discovery (host fingerprinting via Windows API) |
How Codex Can Help
If your organization is concerned about this campaign or similar social engineering threats, reach out to our team.
- Compromise Assessment: We can review your environment for indicators associated with A0Backdoor, including DNS MX anomalies and DLL sideloading artifacts.
- Microsoft 365 Security Review: Our team can evaluate your Teams external access policies, Quick Assist deployment, and broader M365 security posture.
- Threat Hunting: We can build and deploy custom detection rules for DNS-based C2 channels and DLL sideloading patterns in your SIEM or EDR platform.
Codex Consulting Group is ready to help you close these gaps before attackers find them.