
Oyster (Backdoor) – Malware

June 17, 2024

Oyster

Type of Malware

Backdoor

Country of Origin

Unknown

Date of initial activity

2023

Targeted Countries

Global

Additional Names

CLEANBOOST
CleanUp
CleanUpLoader
BROOMSTICK

Motivation

Financial Gain

Attack Vectors

Phishing
Web browsing

Targeted Systems

Windows

Overview

The Oyster backdoor, also known as Broomstick or CleanUpLoader, is a covert and technically capable threat. First identified in September 2023 by IBM researchers, Oyster has since gained notoriety for its layered delivery methods and stealthy operational tactics. The malware family disguises itself as legitimate software installers, specifically imitating popular applications such as Microsoft Teams, to infiltrate systems and deploy its payload. It is delivered through carefully crafted malvertising campaigns that mislead users into downloading trojanized installers from typo-squatted websites built to mimic official download pages.

The primary component of the family, known as Oyster Main or CleanUpLoader, is the backdoor proper and gives the operators persistent access to compromised systems. Once executed, it carries out system enumeration and communicates with hard-coded command-and-control (C2) servers. Its ability to execute additional payloads and gather detailed information about the infected host underscores its potential for significant damage and data exfiltration.

A recent analysis by Rapid7 details the backdoor's method of operation and the obfuscation techniques it employs to evade detection. By masquerading as legitimate software, such as a Microsoft Teams installer, Oyster avoids initial suspicion while performing its malicious tasks. Its notable features include the creation of scheduled tasks, encoded C2 communications, and the collection of system information, all of which contribute to its stealthy and persistent nature.
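The overview describes installers being fetched from typo-squatted sites that imitate a vendor's real domain. The following is an added example, not code from the article or from any of the vendors it cites, of a lookalike-domain check a defender could run over proxy or DNS logs to surface download sources that resemble a trusted domain. The trusted list, the homoglyph table and the candidate hostnames (which use the reserved `.test` TLD) are all constructed for the demo; the registrable-label extraction assumes single-label TLDs, which is a simplification.

```python
"""Flag hostnames that visually or typographically imitate a trusted domain.

Added example (not part of the original article). Trusted domains, the
homoglyph table and the sample hostnames below are constructed for the demo.
"""
from __future__ import annotations

# Visual substitutions commonly seen in typo-squatted names, mapped back to the
# character they imitate. Applied before measuring edit distance.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed allowlist of domains that legitimately host the software.
TRUSTED = ["microsoft.com"]


def normalize(label: str) -> str:
    """Lower-case a DNS label and undo the homoglyph substitutions above."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1."""
    prev2: list[int] | None = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def brand_label(domain: str) -> str:
    """Registrable label of a domain, assuming a single-label TLD (simplified)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_verdict(hostname: str, trusted=TRUSTED, max_distance: int = 2) -> dict | None:
    """Return a finding dict if `hostname` imitates a trusted domain, else None."""
    host = hostname.lower().rstrip(".")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return None  # the real domain or a genuine subdomain of it
    reg = normalize(brand_label(host))
    labels = host.split(".")
    for t in trusted:
        brand = brand_label(t)
        # 1) registrable label is a typo or homoglyph variant of the brand
        d = edit_distance(reg, brand)
        if d <= max_distance:
            return {"host": hostname, "imitates": t,
                    "reason": f"registrable label within {d} edit(s) of '{brand}'"}
        # 2) brand appears as a subdomain or embedded token of an unrelated domain
        if brand in reg.replace("-", "") or any(brand in normalize(l) for l in labels[:-2]):
            return {"host": hostname, "imitates": t,
                    "reason": f"brand '{brand}' embedded in an untrusted domain"}
    return None


def scan(hostnames: list[str]) -> list[dict]:
    """Run the check over a batch of hostnames and return the findings."""
    return [v for h in hostnames if (v := lookalike_verdict(h)) is not None]


# Constructed sample of hostnames a proxy log might show installer downloads from.
SAMPLE_HOSTS = [
    "teams.microsoft.com",            # genuine subdomain: no finding
    "rnicrosoft.test",                # 'rn' imitating 'm'
    "micorsoft.test",                 # transposed letters
    "microsoft-teams-download.test",  # brand embedded in a different domain
    "example.test",                   # unrelated: no finding
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTS):
        print(finding)
```

The edit-distance threshold should be tuned per brand: a two-character allowance is sensible for a nine-letter name but would be far too loose for a short one. The check is a triage aid, so a hit should lead to looking at what was downloaded from the host and who reached it, not to automated blocking on its own.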

Targets

Information
Individuals

How they operate

Oyster initially gains access to its target through targeted phishing campaigns or malicious software installers. These methods are designed to deceive users into executing seemingly benign programs that actually carry the backdoor payload. Once executed, the malware installs itself silently in the background, using techniques such as creating or modifying startup folder entries to ensure persistence. This guarantees that Oyster remains active even after a reboot, giving its operators continued access.

The malware's execution follows a series of well-defined tactics. Oyster commonly uses malicious file execution, a technique categorized under Execution (Tactic ID: TA0002), to run its payload. The backdoor is initiated whenever the compromised software is launched, blending in with legitimate system processes to avoid detection. By operating stealthily, Oyster establishes a robust foothold within the target environment, making it difficult for security measures to identify and remove it.

Command and control (C2) is a critical component of Oyster's operation. Once active, the backdoor communicates with its C2 servers over standard HTTP/HTTPS protocols (Technique ID: T1071.001), giving the operators a channel, encrypted when HTTPS is used, for command transmission and data exfiltration. This communication allows attackers to issue instructions, receive data, and maintain control over the infected systems. The use of HTTPS for C2 further complicates detection, because the malware's traffic blends into legitimate web traffic.

In addition to its persistence and C2 capabilities, Oyster is equipped to exfiltrate data from compromised systems. It uses the same command and control channel (Technique ID: T1041) to send stolen information, which can include sensitive files or system data, back to the attackers. Reusing the C2 channel lets the data leave discreetly and minimizes the risk of detection by traditional security tools. Furthermore, Oyster can employ data encryption (Technique ID: T1486) to lock files and disrupt normal system operations, adding a layer of impact that can further coerce victims or hinder their ability to operate.
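The persistence and C2 behaviour described above (a payload started from a trojanized installer, a Startup-folder entry or scheduled task, then outbound HTTP/HTTPS to a hard-coded server) is a chain that endpoint telemetry can be correlated on. The following is an added example, not from the article or from Rapid7, of a small correlator over constructed Sysmon-style events (IDs 1 process create, 3 network connect, 11 file create) and a Windows Security 4698 (scheduled task created) record. It flags a process running from a user-writable location that both establishes persistence and beacons out over a web port. Every path, hostname, task name and PID in the sample telemetry is invented; the `.invalid` host is a placeholder, not an indicator from the page.

```python
"""Correlate endpoint events into an Oyster-style persistence + C2 finding.

Added example (not from the article or any vendor report). The EVENTS list is
constructed telemetry; paths, PIDs, task names and hostnames are invented.
"""
from collections import defaultdict
import re

# Locations a user (and therefore a downloaded installer) can write to.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData)|Windows\\Temp)\\", re.I)
# Per-user Startup folder, the persistence location named in the article (T1547.001).
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Ports treated as web C2 candidates (T1071.001).
WEB_PORTS = {80, 443, 8080, 8443}

# Constructed telemetry. "channel" tells Sysmon records from Security-log records.
EVENTS = [
    {"channel": "sysmon", "id": 1, "pid": 4120,
     "image": r"C:\Users\alice\Downloads\TeamsSetup.exe", "parent_pid": 1337},
    {"channel": "sysmon", "id": 1, "pid": 4188,
     "image": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe", "parent_pid": 4120},
    {"channel": "sysmon", "id": 11, "pid": 4188,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"channel": "security", "id": 4698, "task_name": r"\Updater\Check",
     "task_command": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"},
    {"channel": "sysmon", "id": 3, "pid": 4188,
     "dst_host": "c2-placeholder.invalid", "dst_port": 443},
    # Benign activity from a browser installed under Program Files.
    {"channel": "sysmon", "id": 1, "pid": 5000,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "parent_pid": 1337},
    {"channel": "sysmon", "id": 3, "pid": 5000,
     "dst_host": "www.example.com", "dst_port": 443},
    {"channel": "sysmon", "id": 11, "pid": 5000,
     "target": r"C:\Users\alice\Downloads\report.pdf"},
]


def correlate(events: list[dict]) -> list[dict]:
    """Return one finding per image that runs from a user-writable path,
    establishes persistence, and connects out over a web port."""
    procs: dict[int, str] = {}                  # pid -> lower-cased image path
    persistence: defaultdict[str, set] = defaultdict(set)  # image -> reasons
    beacons: defaultdict[str, set] = defaultdict(set)      # image -> destinations

    for e in events:
        if e["channel"] == "sysmon" and e["id"] == 1:
            procs[e["pid"]] = e["image"].lower()
        elif e["channel"] == "sysmon" and e["id"] == 11:
            img = procs.get(e["pid"])
            if img and STARTUP_DIR.search(e["target"]):
                persistence[img].add("T1547.001 startup folder: " + e["target"])
        elif e["channel"] == "security" and e["id"] == 4698:
            # 4698 carries the task's command, not a PID, so correlate on the path.
            persistence[e["task_command"].lower()].add("scheduled task: " + e["task_name"])
        elif e["channel"] == "sysmon" and e["id"] == 3:
            img = procs.get(e["pid"])
            if img and e["dst_port"] in WEB_PORTS:
                beacons[img].add(f"T1071.001 {e['dst_host']}:{e['dst_port']}")

    findings = []
    for img in sorted(set(persistence) | set(beacons)):
        if not USER_WRITABLE.search(img):
            continue  # signed software under Program Files is out of scope here
        if persistence[img] and beacons[img]:
            findings.append({"image": img,
                             "persistence": sorted(persistence[img]),
                             "c2": sorted(beacons[img])})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['image']}\n  persistence: {f['persistence']}\n  c2: {f['c2']}")
```

Requiring both persistence and an outbound web connection is what keeps the rule quiet: a browser that writes to Downloads or a legitimate updater that registers a task on its own trips only one leg. Adding a third leg, the parent process being an installer launched from Downloads, would tighten it further at the cost of missing payloads dropped by other means.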

MITRE Tactics and Techniques

  • Initial Access (Tactic ID: TA0001): Phishing (Technique ID: T1566): Oyster is often distributed through phishing methods such as malvertising campaigns and fake software installers, tricking users into downloading and executing the malware.
  • Execution (Tactic ID: TA0002): Execution through Malicious File (Technique ID: T1203): The backdoor is delivered via compromised installers that mimic legitimate software. When the user runs the installer, it executes the malicious payload embedded within.
  • Persistence (Tactic ID: TA0003): Create or Modify Startup Folder (Technique ID: T1547.001): Oyster may create or modify startup folder entries to ensure it is executed automatically upon system reboot.
  • Command and Control (Tactic ID: TA0011): Command and Control over HTTP/HTTPS (Technique ID: T1071.001): The backdoor communicates with its C2 servers using HTTP/HTTPS protocols, enabling it to receive instructions and exfiltrate data.
  • Exfiltration (Tactic ID: TA0010): Exfiltration over Command and Control Channel (Technique ID: T1041): Oyster can exfiltrate data using the same channel it uses for command and control, making it harder to detect and block.
  • Impact (Tactic ID: TA0040): Data Encrypted for Impact (Technique ID: T1486): In some cases, Oyster may encrypt files to prevent access and disrupt the normal operation of the victim's system.

References
  • Malvertising Campaign Leads to Execution of Oyster Backdoor
Tags: Backdoor, Cyber threats, Malware, Microsoft Teams