Severity
High
Analysis Summary
A malvertising campaign is exploiting trojanized installers for popular software like Google Chrome and Microsoft Teams to deploy a backdoor named Oyster, also known as Broomstick or CleanUpLoader.
According to researchers, users are being redirected to lookalike websites through search engines such as Google and Bing, where they are tricked into downloading malicious setup binaries. These binaries initiate a malware infection chain that ultimately installs the Oyster backdoor. Oyster gathers information about the compromised host, communicates with a hard-coded command-and-control (C2) server, and supports remote code execution.
Previously, Oyster was delivered using a loader component called Broomstick Loader or Oyster Installer. However, recent attack chains show the direct deployment of the backdoor. This malware, linked to the Russia-based group ITG23 known for the TrickBot malware, installs legitimate Microsoft Teams software post-infection to avoid detection. Researchers noted that the malware also spawns a PowerShell script to establish persistence on the compromised system.
In a related development, the cybercrime group Rogue Raticate (RATicate) has been linked to an email phishing campaign using PDF decoys to lure users into clicking malicious URLs. These URLs lead victims through a Traffic Distribution System (TDS) and ultimately deploy the NetSupport Remote Access Tool (RAT). Experts have identified this phishing campaign as part of a broader trend in which threat actors use sophisticated methods to deliver remote access tools and maintain control over compromised systems.
Additionally, a new phishing-as-a-service (PhaaS) platform called ONNX Store has emerged, enabling customers to conduct phishing campaigns with embedded QR codes in PDF attachments. This service, a rebranded version of the Caffeine phishing kit, is maintained by an Arabic-speaking threat actor.
ONNX Store uses Cloudflare's anti-bot mechanisms and encrypted JavaScript to evade detection and includes a two-factor authentication (2FA) bypass mechanism. The phishing pages mimic Microsoft 365 login interfaces, deceiving users into providing their authentication details, which are then intercepted and used by attackers.
Impact
- Sensitive Information Theft
- Unauthorized Access
- Code Execution
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure software is downloaded only from official, verified sources.
- Implement and maintain up-to-date antivirus and anti-malware solutions.
- Regularly update all installed software to patch known vulnerabilities.
- Educate users about the dangers of downloading software from untrusted websites.
- Employ browser security settings to block malicious websites and downloads.
- Utilize network monitoring to detect unusual outbound traffic to C2 servers.
- Deploy endpoint detection and response (EDR) solutions to identify and mitigate suspicious activity.
- Enable multi-factor authentication (MFA) to protect user accounts and prevent unauthorized access.
- Regularly back up critical data and ensure backups are stored securely.
- Conduct regular phishing awareness training for all employees.
- Monitor email systems for phishing campaigns and employ email filtering solutions.
- Utilize security information and event management (SIEM) tools to analyze and respond to security incidents.
- Review and strengthen incident response plans to handle potential malware and phishing attacks.
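The two remediation items about searching for IOCs and monitoring outbound traffic can be combined into one triage pass over web-proxy logs: exact matches against the advisory's domain list plus a check for typosquatted vendor names, which is how the lookalike download sites in this campaign are built. The script below is an added example, not part of the advisory; the log format, the placeholder blocklist entry and the sample log lines are all constructed, and the brand and allowlist tables are assumptions you would replace with your own.

```python
import re

# Constructed sample proxy log lines (not from the advisory); the format is hypothetical.
SAMPLE_LOG = """\
2024-06-23T10:01:02Z ws01 GET https://www.microsoft.com/en-us/microsoft-teams/download-app 200
2024-06-23T10:03:11Z ws02 GET https://micrsoft-teams-downloads.example/TeamsSetup.exe 200
2024-06-23T10:05:40Z ws03 GET https://cdn.example.org/chrome-installer.msi 200
2024-06-23T10:07:55Z ws02 POST https://c2-placeholder.example/gate 200
"""

# Constructed placeholders; in practice load the advisory's domain IOCs into BLOCKLIST.
BLOCKLIST = {"c2-placeholder.example"}
BRANDS = ("chrome", "google", "microsoft", "teams")   # assumed brand list
LEGIT_SUFFIXES = ("microsoft.com", "google.com")      # assumed vendor allowlist
URL_RE = re.compile(r"https?://([^/\s:]+)")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str):
    """Return a reason string if the destination host looks hostile, else None."""
    host = host.lower()
    if host in BLOCKLIST:
        return "blocklisted domain"
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return None  # genuine vendor domain, never a lookalike
    # Typosquat / brand abuse: any hostname label within one edit of a brand name
    for token in re.split(r"[.\-]", host):
        for brand in BRANDS:
            if len(token) >= 4 and edit_distance(token, brand) <= 1:
                return f"lookalike of '{brand}' (label '{token}')"
    return None

def scan_log(log_text: str):
    """Return [(host, reason)] for each log line whose destination host is suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        reason = classify_host(m.group(1))
        if reason:
            hits.append((m.group(1).lower(), reason))
    return hits
```

Only the hostname is scored, so a legitimate CDN serving `chrome-installer.msi` is not flagged while a host label one edit away from "microsoft" is; tune the label length and distance thresholds to your own false-positive tolerance.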