Microsoft Teams phishing targets employees with A0Backdoor malware

Keypoints

  • Attackers used social engineering over Microsoft Teams to trick employees at financial and healthcare organizations into initiating Quick Assist remote sessions and installing signed MSI files that deploy A0Backdoor.
  • The campaign begins by flooding targets with spam and impersonating company IT staff to gain trust before offering remote assistance.
  • Malicious MSI installers hosted in personal Microsoft cloud storage masquerade as Teams components and CrossDeviceService and rely on DLL sideloading to load a malicious hostfxr.dll.
  • The loaded library decrypts embedded shellcode, performs sandbox detection, derives a SHA-256 key to AES-decrypt the A0Backdoor, and fingerprints hosts using Windows APIs.
  • Command-and-control is conducted over DNS MX queries with encoded high-entropy subdomains and MX record responses to blend in and evade common DNS monitoring.
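The last key point describes C2 hidden in DNS MX lookups with high-entropy subdomains. As an added detection example (not code from the article or from the reporting it summarizes), the script below scores the leftmost label of each MX query in a constructed resolver log by Shannon entropy and flags long, high-entropy labels; the log format, domain names and thresholds are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log (not from the article); one query per line:
#   <timestamp> <client_ip> <qtype> <qname>
SAMPLE_LOG = """\
2024-06-01T10:00:01 10.0.0.5 A www.example.com
2024-06-01T10:00:02 10.0.0.5 MX mail.example.com
2024-06-01T10:00:03 10.0.0.7 MX 3f9a1c7e0b5d2846e2c8a60f4b917d35.sync.example
2024-06-01T10:00:04 10.0.0.7 MX b7d03e8f4a29c6155c1a9f7e2b068d43.sync.example
2024-06-01T10:00:05 10.0.0.9 AAAA teams.microsoft.com
2024-06-01T10:00:06 10.0.0.7 MX 8e4f2a0c6b1d9573a3d7f150c9e2b864.sync.example
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Assumed thresholds: legitimate MX lookups rarely have a 20+ char leftmost label
# with >= 3.5 bits of entropy per character (random hex tops out at 4.0).
MIN_LABEL_LEN = 20
MIN_ENTROPY = 3.5

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_mx_queries(log_text: str) -> list:
    """Return MX queries whose leftmost label looks like encoded data."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, client, qtype, qname = m.groups()
        if qtype.upper() != "MX":
            continue
        label = qname.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= MIN_LABEL_LEN and ent >= MIN_ENTROPY:
            findings.append({"ts": ts, "client": client, "qname": qname,
                             "entropy": round(ent, 2)})
    return findings

def clients_by_hit_count(findings: list) -> dict:
    """Count hits per client so a single beaconing host stands out."""
    return dict(Counter(f["client"] for f in findings))
```

Short labels such as `mail` are skipped by the length check, so the entropy threshold only applies to labels long enough to carry encoded data.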

Read More: https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-targets-employees-with-backdoors/