A malvertising campaign recently discovered by Rapid7 has been leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to distribute the Oyster backdoor. This campaign involves redirecting users from legitimate search engine results to lookalike websites hosting malicious payloads. These sites falsely claim to offer authentic software downloads, but instead initiate a chain of malware infections upon attempted installation.
The malicious executable downloaded from these sites serves as a gateway for deploying the Oyster backdoor, capable of gathering system information, communicating with a command-and-control server, and supporting remote code execution. Previously associated with the Broomstick Loader, this campaign marks a shift towards direct deployment of the Oyster malware. It’s linked to ITG23, a cybercrime group known for activities like distributing TrickBot malware.
To evade detection, after infecting a system with Oyster, the campaign also installs legitimate software like Microsoft Teams to mask its malicious activities. Additionally, the malware sets up persistence through a PowerShell script, ensuring long-term access to compromised systems. This revelation highlights the growing sophistication of cyber threats and emphasizes the critical need for vigilance and robust cybersecurity practices to mitigate such risks effectively.
Reference:
