| Oyster | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | Unknown |
| Date of initial activity | 2023 |
| Targeted Countries | Global |
| Additional Names | CLEANBOOST |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
In the evolving landscape of cyber threats, the Oyster backdoor, also known as Broomstick or CleanUpLoader, has emerged as a sophisticated and covert threat. First identified in September 2023 by IBM researchers, Oyster has since gained notoriety for its complex delivery methods and stealthy operational tactics. This malware family disguises itself as legitimate software installers, specifically impersonating popular applications like Microsoft Teams, to infiltrate systems and deploy its malicious payload. The Oyster backdoor is delivered through carefully crafted malvertising campaigns, which mislead users into downloading compromised installers from typo-squatted websites designed to mimic official sources.
The primary component of the Oyster malware family, known as Oyster Main or CleanUpLoader, serves as a powerful backdoor, enabling attackers to maintain persistent access to compromised systems. Once executed, it initiates a series of sophisticated activities, including system enumeration and communication with hard-coded command-and-control (C2) servers. The backdoor’s ability to execute additional payloads and gather detailed information about the infected host underscores its potential for significant damage and data exfiltration.
A recent analysis by Rapid7 reveals the technical intricacies of the Oyster backdoor, detailing its method of operation and the obfuscation techniques employed to evade detection. By masquerading as legitimate software, such as a Microsoft Teams installer, Oyster manages to avoid initial suspicion while performing its malicious tasks. The backdoor’s advanced features include the creation of scheduled tasks, encoded C2 communications, and the collection of system information, all of which contribute to its stealthy and persistent nature.
Targets
Information
Individuals
How they operate
Initially, Oyster gains access to its target through targeted phishing campaigns or malicious software installers. These methods are designed to deceive users into executing seemingly benign programs, which actually contain the backdoor payload. Once the malware is executed, it installs itself silently in the background, leveraging techniques such as creating or modifying startup folder entries to ensure persistence. This tactic guarantees that Oyster remains active on the system even after a reboot, providing continued access for its operators.
The malware’s execution is facilitated through a series of well-defined tactics. Oyster commonly uses malicious file execution, a technique categorized under Execution (Tactic ID: TA0002), to run its payload. This method allows the backdoor to be initiated whenever the compromised software is launched, blending in with legitimate system processes to avoid detection. By operating stealthily, Oyster can establish a robust foothold within the target environment, making it difficult for security measures to identify and remove it.
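The persistence and execution behaviour described above (an installer run from a user's download location that drops a file into the Startup folder or registers a scheduled task) leaves endpoint telemetry a defender can triage. The following is an added example written for this page, not code from Oyster, Rapid7 or IBM: it runs simple rules over constructed Sysmon-style events. Every path, file name and command line in the sample data is hypothetical, and the choice of "user-writable path" locations is an assumption, not something the page states.

```python
"""Triage of constructed endpoint events for the persistence behaviours
described above: files dropped into a Startup folder (T1547.001) and
scheduled tasks created by a process running from a user-writable path.
Example code added for this page; not Oyster's code nor vendor tooling."""
import re
from dataclasses import dataclass

# Per-user or all-users Startup folder, matched case-insensitively.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Locations a freshly downloaded installer typically runs from (assumption).
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.IGNORECASE)
# schtasks invoked with /create anywhere on the command line.
SCHTASKS_CREATE_RE = re.compile(
    r"(^|\\)schtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    kind: str    # "FileCreate" or "ProcessCreate"
    image: str   # executable that performed the action
    target: str  # created file path, or the new process's command line


# Constructed sample telemetry: hypothetical names and paths, not real IoCs.
SAMPLE_EVENTS = [
    # A user pinning a shortcut via Explorer: benign, should not be flagged.
    Event("FileCreate", r"C:\Windows\explorer.exe",
          r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
          r"\Programs\Startup\Notes.lnk"),
    # A downloaded "installer" writing a script into the Startup folder.
    Event("FileCreate", r"C:\Users\alice\Downloads\TeamsSetup.exe",
          r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
          r"\Programs\Startup\update.vbs"),
    # The same binary registering a scheduled task.
    Event("ProcessCreate", r"C:\Users\alice\Downloads\TeamsSetup.exe",
          r'schtasks.exe /create /tn "Updater" '
          r'/tr "C:\Users\alice\AppData\Local\Temp\svc.exe" /sc onlogon'),
    # A query, not a creation, from a system binary: benign.
    Event("ProcessCreate", r"C:\Windows\System32\msiexec.exe",
          r'schtasks.exe /query /tn "Updater"'),
]


def triage(events):
    """Return (reason, event) pairs for events matching the persistence rules."""
    findings = []
    for e in events:
        if e.kind == "FileCreate" and STARTUP_DIR_RE.search(e.target):
            # explorer.exe writing a shortcut is how users pin programs;
            # any other writer into the Startup folder deserves a look.
            if not e.image.lower().endswith("\\explorer.exe"):
                findings.append(("T1547.001 startup folder write", e))
        elif e.kind == "ProcessCreate" and SCHTASKS_CREATE_RE.search(e.target):
            # Task creation itself is routine; creation by a binary running
            # out of a user-writable directory is the suspicious combination.
            if USER_WRITABLE_RE.search(e.image):
                findings.append(("scheduled task created from user-writable path", e))
    return findings


if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(f"{reason}: {ev.image} -> {ev.target}")
```

The two benign events are excluded by the writer/location checks rather than by the path alone, which is the point of the example: the Startup folder and schtasks are used constantly by legitimate software, so the rule keys on who performed the action, not merely that it happened.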
Command and control (C2) is a critical component of Oyster’s operation. Once active, the backdoor communicates with its C2 servers over standard HTTP/HTTPS protocols (Technique ID: T1071.001), with HTTPS providing an encrypted channel for command transmission and data exfiltration. This communication is crucial for the malware’s functionality, as it allows attackers to issue instructions, receive data, and maintain control over the infected systems. The use of HTTPS for C2 activities further complicates detection efforts, as it hides the content of the malware’s communications within legitimate web traffic.
In addition to its persistence and C2 capabilities, Oyster is equipped to exfiltrate data from compromised systems. It utilizes the same command and control channel (Technique ID: T1041) to send stolen information back to the attackers, which can include sensitive files or system data. This exfiltration method ensures that valuable information is extracted discreetly, minimizing the risk of detection by traditional security tools. Furthermore, Oyster can employ data encryption techniques (Technique ID: T1486) to lock files and disrupt normal system operations, adding a layer of impact that can further coerce victims or hinder their ability to function effectively.
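Because HTTPS hides the content of the C2 exchange, egress detection for T1071.001 and T1041 falls back on metadata: which hosts a client talks to, how regularly, and how much it sends versus receives. The following is an added example written for this page, not Oyster's protocol and not vendor code: it parses constructed web-proxy log lines in a simple space-separated format assumed here, flags (client, host) pairs whose requests recur at near-constant intervals, and flags individual requests whose upload volume dwarfs the response. The host names use reserved or constructed domains and are not indicators.

```python
"""Beaconing and upload-ratio detection over constructed web-proxy log lines.
Shows how HTTP/HTTPS C2 (T1071.001) and exfiltration over the same channel
(T1041) can surface in egress metadata even when the payload is encrypted.
Example code added for this page; the log format is an assumption."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Assumed format: "<ISO8601> <src_ip> <method> <host> <status> <bytes_out> <bytes_in>"
# Constructed sample data. example.invalid is a reserved TLD, not a real C2.
SAMPLE_LOG = """\
2024-06-10T12:00:00Z 10.0.0.5 POST updates.example.invalid 200 812 96
2024-06-10T12:00:01Z 10.0.0.5 GET www.example.com 200 420 18233
2024-06-10T12:05:01Z 10.0.0.5 POST updates.example.invalid 200 806 92
2024-06-10T12:07:42Z 10.0.0.5 GET www.example.com 200 417 51200
2024-06-10T12:10:00Z 10.0.0.5 POST updates.example.invalid 200 815 95
2024-06-10T12:15:02Z 10.0.0.5 POST updates.example.invalid 200 809 97
2024-06-10T12:20:00Z 10.0.0.5 POST updates.example.invalid 200 65000 91
2024-06-10T12:25:01Z 10.0.0.5 POST updates.example.invalid 200 811 94
2024-06-10T12:31:17Z 10.0.0.7 GET www.example.com 200 430 22000
"""


def parse_line(line):
    """Split one log line into a record with a timezone-aware timestamp."""
    ts, src, method, host, status, out_b, in_b = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src, "method": method, "host": host, "status": int(status),
        "bytes_out": int(out_b), "bytes_in": int(in_b),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Flag (src, host) pairs with at least min_hits requests whose
    inter-arrival times vary by less than max_jitter (stdev / mean).
    Human browsing is bursty; a check-in loop is not."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r)
    findings = {}
    for pair, rs in by_pair.items():
        if len(rs) < min_hits:
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings[pair] = {"hits": len(rs),
                              "mean_interval_s": round(avg, 1),
                              "jitter": round(jitter, 3)}
    return findings


def find_upload_spikes(records, ratio=10.0, min_bytes=16384):
    """Flag requests whose bytes sent dwarf bytes received: ordinary check-ins
    are small and symmetric, a data push over the same channel is not."""
    return [r for r in records
            if r["bytes_out"] >= min_bytes
            and r["bytes_out"] > ratio * max(r["bytes_in"], 1)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, host), info in find_beacons(recs).items():
        print(f"beacon: {src} -> {host} {info}")
    for r in find_upload_spikes(recs):
        print(f"upload spike: {r['src']} -> {r['host']} {r['bytes_out']} bytes out")
```

The thresholds (five hits, 10% jitter, a 10:1 upload ratio above 16 KiB) are starting points chosen for the sample, not measured values; in production they are tuned against a baseline of the environment's own traffic, and the beacon rule is usually paired with an allow-list of known update and telemetry endpoints that also check in on fixed schedules.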
MITRE Tactics and Techniques
Initial Access (Tactic ID: TA0001):
Phishing (Technique ID: T1566): Oyster is often distributed through phishing methods such as malvertising campaigns and fake software installers, tricking users into downloading and executing the malware.
Execution (Tactic ID: TA0002):
Execution through Malicious File (Technique ID: T1203): The backdoor is delivered via compromised installers that mimic legitimate software. When the user runs the installer, it executes the malicious payload embedded within.
Persistence (Tactic ID: TA0003):
Create or Modify Startup Folder (Technique ID: T1547.001): Oyster may create or modify startup folder entries to ensure it is executed automatically upon system reboot.
Command and Control (Tactic ID: TA0011):
Command and Control over HTTP/HTTPS (Technique ID: T1071.001): The backdoor communicates with its C2 servers using HTTP/HTTPS protocols, enabling it to receive instructions and exfiltrate data.
Exfiltration (Tactic ID: TA0010):
Exfiltration over Command and Control Channel (Technique ID: T1041): Oyster can exfiltrate data using the same channel it uses for command and control, making it harder to detect and block.
Impact (Tactic ID: TA0040):
Data Encrypted for Impact (Technique ID: T1486): In some cases, Oyster may encrypt files to prevent access and disrupt the normal operation of the victim’s system.