Threat actors are using a technique called malvertising to distribute malware. They create fake websites that impersonate popular IT tools like Microsoft Teams and then use search engine ads and SEO poisoning to push these fraudulent sites to the top of search results. When a user searches for a term like “Teams download,” they are led to a malicious site that appears legitimate. This site then prompts the user to download an installer file with the same name as the official Microsoft Teams installer.
When a user downloads and executes the fake installer, it drops a malicious file called CaptureService.dll onto their device. This file is the Oyster backdoor and gives the attacker remote access to the infected system. The malicious installer also creates a scheduled task to ensure the backdoor runs every 11 minutes, which allows the malware to remain active even after the computer is rebooted.
The hackers are taking steps to make the malicious installer appear legitimate, including using code-signed certificates from seemingly trustworthy organizations. This adds a layer of deception and makes it more difficult for users to identify the file as malicious.
This campaign is not new; it’s part of a growing trend where hackers use SEO poisoning and malvertising to deliver commodity backdoors by impersonating trusted software. Previous campaigns have impersonated Google Chrome, PuTTY, and WinSCP, among others. These attacks highlight how threat actors exploit user trust in search results and well-known brands to breach corporate networks.
These campaigns also highlight the increasing targeting of IT administrators, who often have credentials with high privileges. To protect against these threats, it is crucial for users, especially IT administrators, to only download software from verified and official domains and to avoid clicking on search engine advertisements for software downloads.
Reference:
