Researchers at Arctic Wolf have documented a malicious campaign that uses search-engine-optimized fake landing pages to distribute the Oyster malware loader, also tracked as Broomstick and CleanUpLoader. The threat actors built numerous landing pages that closely mimic the official download sites for PuTTY and WinSCP, two widely used Windows clients for SSH and SFTP access to remote servers. Because IT, security, and web-development staff routinely find these tools through a Google search rather than a bookmarked URL, a poisoned result that ranks near the top is enough to steer them to a trojanized download from what looks like a trustworthy source.
The campaign works because it is quiet. A victim who lands on one of the fake pages sees nothing out of place, and the downloaded tool installs and runs as expected, so there is no failed install or broken client to prompt a second look. Alongside the working tool, however, the installer drops Oyster. On execution, Oyster establishes persistence with a scheduled task that fires every three minutes and executes a malicious DLL (twain_96.dll). The short interval is what makes the foothold durable: terminating the running process buys at most a few minutes before the task relaunches the DLL, so cleanup has to remove the task and the DLL together, not just the process.
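The persistence pattern above is easy to hunt for, because Windows stores every scheduled task as an XML file under C:\Windows\System32\Tasks. The following script is an added example, not code from Arctic Wolf or the original article: it parses that task schema and flags a task when its action names twain_96.dll, or, more generally, when a trigger repeats at a short interval and the action launches a DLL. The five-minute threshold, the rundll32 heuristic, the file paths and the export name in the samples are this example's assumptions, and the three task definitions are constructed for the demonstration.

```python
r"""Triage Task Scheduler XML for the Oyster persistence pattern.

Added example, not from Arctic Wolf or the original article. Windows keeps
one XML file per scheduled task under C:\Windows\System32\Tasks; this
script parses that schema and flags a task whose action names twain_96.dll
(the indicator from the article) or whose trigger repeats at a short
interval (the article reports three minutes) while the action launches a
DLL. The sample definitions below are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_BAD_FILES = {"twain_96.dll"}          # indicator named in the article
MAX_SUSPICIOUS_INTERVAL_SECONDS = 5 * 60    # assumption: repeating this often is unusual


def parse_iso_duration(text):
    """Convert a Task Scheduler duration such as 'PT3M' or 'P1DT2H' to seconds.

    Returns None when the text is missing or is not a duration."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (text or "").strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task(xml_data):
    """Return the reasons a task definition looks like Oyster persistence.

    An empty list means nothing matched. xml_data may be str or bytes."""
    root = ET.fromstring(xml_data)
    reasons = []
    intervals = [parse_iso_duration(node.text)
                 for node in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None
    repeats_fast = shortest is not None and shortest <= MAX_SUSPICIOUS_INTERVAL_SECONDS

    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = (action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        arguments = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        line = f"{command} {arguments}".lower()
        if any(name in line for name in KNOWN_BAD_FILES):
            reasons.append(f"known Oyster indicator in action: {line}")
        elif repeats_fast and (".dll" in line or "rundll32" in line):
            # A DLL cannot run by itself; a task that launches one every few
            # minutes through a host such as rundll32.exe deserves a look even
            # when the file name is not a known indicator (heuristic, assumption).
            reasons.append(f"DLL launched every {shortest}s: {line}")
    return reasons


def triage_tasks_directory(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk a Tasks folder (live system or mounted image); return {path: reasons}."""
    findings = {}
    for path in (p for p in Path(tasks_dir).rglob("*") if p.is_file()):
        try:
            reasons = triage_task(path.read_bytes())  # real files are UTF-16 with a BOM
        except ET.ParseError:
            continue
        if reasons:
            findings[str(path)] = reasons
    return findings


# Constructed sample mirroring the behaviour the article describes: a logon
# trigger repeating every three minutes that launches twain_96.dll. Paths and
# the export name are placeholders, not captured values.
SAMPLE_OYSTER = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Repetition><Interval>PT3M</Interval></Repetition></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>C:\\Users\\Public\\twain_96.dll,DllRegisterServer</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample with a fast trigger and an unfamiliar DLL: caught by the
# interval heuristic rather than by the indicator list.
SAMPLE_UNKNOWN_DLL = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT2M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\\ProgramData\\Updater\\helper.dll,Start</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign sample: an hourly maintenance job running an EXE.
SAMPLE_BENIGN = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>%SystemRoot%\\System32\\cleanmgr.exe</Command>
    <Arguments>/autoclean</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in [("oyster", SAMPLE_OYSTER), ("unknown dll", SAMPLE_UNKNOWN_DLL),
                           ("benign", SAMPLE_BENIGN)]:
        print(f"{name:12} -> {triage_task(xml_text) or 'clear'}")
```

Run it as is to see the three samples classified, or call triage_tasks_directory() on a live host or on a Tasks folder copied out of a disk image. The interval heuristic will also surface legitimate agents that poll every few minutes, so treat its hits as leads to confirm against the DLL's path and signer, while a hit on twain_96.dll itself warrants immediate containment.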
Oyster is a loader: a first stage whose job is to fetch and run further payloads on the infected Windows host as part of a multi-stage intrusion. It uses process injection and string obfuscation to evade endpoint detection, and talks to its command-and-control infrastructure over HTTPS so that its traffic blends in with ordinary web browsing. In practice it is the attacker's foothold; once it is running they can stage additional malware or deepen their access to the system and the network it sits on.
Arctic Wolf identified several fake domains used in the attacks: updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet, and puttyy[.]org. The observed campaign trojanized PuTTY and WinSCP, but Arctic Wolf cautions that other popular tools may be spoofed the same way, which points to a broader strategy of targeting whatever commonly used applications people fetch from a search result. The domain list is therefore a starting point for blocking and hunting, not the full extent of the infrastructure.
Given how convincing the pages are, IT professionals should be careful about where they download software. Obtain tools directly from the vendor's official site rather than from whichever search result ranks first: type or bookmark the official address instead of clicking through from a search engine, and before running an installer check that its code signature or published checksum matches what the vendor documents. Those two habits defeat most SEO poisoning and software spoofing of this kind. On the defensive side, block the listed domains, and on any host whose user recently downloaded PuTTY or WinSCP hunt for the persistence artifacts described above: a scheduled task repeating every three minutes and a twain_96.dll on disk.
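Blocking the listed domains is the obvious first step; the complementary check is to look back through web-proxy or DNS logs for hosts that already fetched an installer from one of them, or from an unlisted lookalike, which is exactly the case the advice above guards against. The script below is an added example, not code from Arctic Wolf or the original article. The five indicator domains are the ones the article lists; the official-host allowlist, the lookalike heuristic (product name on a host we do not recognise) and the log format are this example's assumptions, and the log lines are constructed, not a real capture.

```python
"""Hunt web-proxy logs for the fake PuTTY/WinSCP download sites.

Added example, not from Arctic Wolf or the original article. The indicator
domains are the ones the article lists, kept defanged with [.] so this file
can be shared safely; the official-host allowlist and the lookalike
heuristic are assumptions to tune for your environment, and the sample log
is constructed, not a real capture.
"""
from urllib.parse import urlsplit

IOC_DOMAINS_DEFANGED = [
    "updaterputty[.]com", "zephyrhype[.]com", "putty[.]run", "putty[.]bet", "puttyy[.]org",
]


def refang(indicator):
    """Turn a defanged indicator like 'putty[.]run' back into a matchable host name."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Assumption: the hosts that actually publish the two tools. Tune this for
# your environment; a search-engine result is never a reason to add to it.
OFFICIAL_HOSTS = {"www.chiark.greenend.org.uk", "the.earth.li", "winscp.net"}
PRODUCT_KEYWORDS = ("putty", "winscp")


def host_of(url):
    """Extract the lowercase host from a URL or from a bare host name."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify(host):
    """Return 'official', 'known-ioc', 'lookalike' or 'clear' for a host name."""
    host = host.rstrip(".").lower()
    if host in OFFICIAL_HOSTS:
        return "official"
    # Match the indicator itself and any subdomain of it.
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        return "known-ioc"
    # Heuristic (assumption): a product name on an unrecognised host is a lead,
    # not proof; it will also surface unrelated third-party sites.
    if any(keyword in host for keyword in PRODUCT_KEYWORDS):
        return "lookalike"
    return "clear"


def hunt(log_lines):
    """Return (user, host, verdict) for each request that hits an indicator or lookalike.

    Expects one request per line as 'timestamp user method url' (constructed format)."""
    hits = []
    for line in log_lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        _timestamp, user, _method, url = parts
        host = host_of(url)
        verdict = classify(host)
        if verdict in ("known-ioc", "lookalike"):
            hits.append((user, host, verdict))
    return hits


# Constructed proxy log: a legitimate download of each tool, two hits on listed
# indicators (one through a subdomain), one unlisted lookalike, one unrelated site.
SAMPLE_LOG = [
    "2025-07-10T09:12:01Z alice GET https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html",
    "2025-07-10T09:14:33Z bob GET https://updaterputty.com/download/putty-64bit-installer.msi",
    "2025-07-10T09:15:02Z carol GET https://cdn.puttyy.org/PuTTY.exe",
    "2025-07-10T09:20:45Z dave GET https://winscp.net/eng/download.php",
    "2025-07-10T09:21:10Z erin GET https://putty-downloads.example/putty.exe",
    "2025-07-10T09:30:00Z frank GET https://example.org/index.html",
]

if __name__ == "__main__":
    for user, host, verdict in hunt(SAMPLE_LOG):
        print(f"{verdict:10} {user:6} {host}")
```

Every known-ioc hit identifies a user whose machine should be checked for the scheduled task and DLL described earlier, regardless of whether the downloaded PuTTY or WinSCP still works; the lookalike verdicts are triage leads, since legitimate mirrors and unrelated sites can carry a product name in their host too.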