Oyster Backdoor Spread via Fake Software Downloads

A malvertising campaign is using trojanized installers of popular software such as Google Chrome and Microsoft Teams to deploy a backdoor known as Oyster (also tracked as Broomstick or CleanUpLoader).

Researchers found that the operators set up lookalike websites hosting the malicious payloads. Users land on these sites after searching for the software on Google or Bing, because the ads or poisoned results are placed above the vendor's genuine download page. The fake sites look like legitimate download portals, but the file they serve is the malware.

The executables downloaded from these sites act as the delivery mechanism for the Oyster backdoor. Once running, the backdoor collects information about the infected host, communicates with a hard-coded command-and-control (C2) server, and supports remote code execution, which gives the operators a foothold for follow-on activity.

Previously, Oyster was dropped by a dedicated loader known as Broomstick Loader (or Oyster Installer). In the latest attacks the backdoor is deployed directly by the trojanized installer, with no separate loader stage. The malware has been linked to ITG23, a Russia-associated group best known for the TrickBot malware.

When the malicious installer runs, it also installs the legitimate Microsoft Teams software, so the victim ends up with the application they expected and has no obvious reason to suspect anything. In parallel, the malware spawns a PowerShell script to establish persistence on the infected system. That installer-spawns-PowerShell chain is the most useful thing for defenders to look for, since a genuine vendor installer has little reason to launch a hidden PowerShell child.
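The following is an added example, not code from the article or from the researchers who analyzed Oyster. It hunts process-creation records for the chain described above: an executable launched from a user's Downloads folder that spawns powershell.exe. The event records are constructed sample data shaped like Sysmon Event ID 1 fields; the `$SampleEvents` array, the `Test-DownloadSpawnedPowerShell` function and the specific command-line flags it flags are assumptions, since the article does not publish the script's arguments.

```powershell
# Added example (not from the article). Flags a process started from a user's
# Downloads folder that spawns powershell.exe, the chain the article describes.
# $SampleEvents is constructed data mimicking Sysmon Event ID 1 fields; on a real
# host you would build the same objects from
#   Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 }
$SampleEvents = @(
    [pscustomobject]@{
        Time        = '2024-06-20T10:01:02'
        Image       = 'C:\Users\alice\Downloads\MSTeamsSetup.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Users\alice\Downloads\MSTeamsSetup.exe"'
    },
    [pscustomobject]@{
        Time        = '2024-06-20T10:01:05'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Users\alice\Downloads\MSTeamsSetup.exe'
        CommandLine = 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\persist.ps1'
    },
    [pscustomobject]@{
        # Benign control: an analyst opening PowerShell from Explorer.
        Time        = '2024-06-20T10:02:00'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'powershell.exe'
    }
)

function Test-DownloadSpawnedPowerShell {
    # Returns the events where a file under a user's Downloads folder is the parent
    # of powershell.exe (or pwsh.exe). Hidden/bypass/encoded flags raise the score
    # but are not required, because the article does not state which flags Oyster uses.
    param(
        [Parameter(Mandatory)][object[]]$Events
    )

    $downloadsParent = '^[A-Za-z]:\\Users\\[^\\]+\\Downloads\\'   # path under <user>\Downloads
    $powershellChild = '\\(powershell|pwsh)\.exe$'
    $suspiciousFlags = '-(WindowStyle\s+Hidden|w\s+hidden|ExecutionPolicy\s+Bypass|ep\s+bypass|EncodedCommand|enc)\b'

    foreach ($e in $Events) {
        if ($e.ParentImage -match $downloadsParent -and $e.Image -match $powershellChild) {
            $score = 1
            if ($e.CommandLine -match $suspiciousFlags) { $score++ }
            [pscustomobject]@{
                Time        = $e.Time
                Parent      = $e.ParentImage
                Child       = $e.Image
                CommandLine = $e.CommandLine
                Score       = $score      # 1 = chain only, 2 = chain plus evasive flags
            }
        }
    }
}

# Usage: only the second sample event should be returned, with Score 2.
Test-DownloadSpawnedPowerShell -Events $SampleEvents | Format-List
```

The check keys on the parent/child relationship rather than on file names, because the installers are renamed to match whatever product the lookalike site advertises. Expect some noise from legitimate installers that run PowerShell during setup; triage those by the signer of the parent executable rather than by allowlisting paths.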

The disclosure follows reports of a cybercrime group called Rogue Raticate (aka RATicate) running an email phishing campaign that uses PDF decoys to lure recipients into clicking a malicious URL, which ultimately leads to the deployment of the NetSupport RAT.

A user who clicks the URL is routed through a Traffic Distribution System (TDS), which filters visitors and only forwards those of interest to the final stage that installs the NetSupport Remote Access Tool on their machine.

The development also coincides with the emergence of a new phishing-as-a-service (PhaaS) platform called the ONNX Store. The platform lets its customers run phishing campaigns that embed QR codes in PDF attachments; scanning the code sends the victim to a credential-harvesting page, typically on a personal phone that sits outside corporate email and URL filtering.

The ONNX Store, which also offers bulletproof hosting and RDP services through a Telegram bot, is believed to be a rebranded version of the Caffeine phishing kit first documented by Google-owned Mandiant in October 2022. The service is maintained by an Arabic-speaking threat actor using the handle MRxC0DER.

The phishing pages behind these URLs embed encrypted JavaScript that is decoded during page load to collect the victim's network metadata and to relay 2FA tokens. The ONNX Store's two-factor authentication (2FA) bypass works by intercepting the victim's 2FA responses as they are entered, which defeats one-time codes delivered by app or SMS; only phishing-resistant methods such as FIDO2 security keys or passkeys, which bind the authentication to the genuine origin, are not undermined by this kind of relay. The phishing pages closely mimic the real Microsoft 365 login interface, so targets enter their credentials without noticing anything amiss.

To avoid malware like the Oyster backdoor, download software only from the vendor's official site or a trusted package source, and type the address rather than trusting the first search result, since sponsored results can appear above the genuine page. Check the domain in the address bar before downloading, and verify the installer's digital signature and publisher before running it. Use security software that can detect and block malicious downloads, and treat an installer that launches PowerShell as a signal worth investigating.
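The following is an added example, not code from the article, showing the two checks the advice above amounts to: confirming that a download URL's host belongs to an expected vendor domain, and confirming the installer's Authenticode signature is valid and issued to the expected publisher. The allowlist contents, the sample URLs and the `$ExpectedPublisher` pattern are assumptions for illustration; `Get-AuthenticodeSignature` is a standard Windows PowerShell cmdlet.

```powershell
# Added example (not from the article). Two pre-install checks for a downloaded
# installer. The allowlist and the sample URLs below are constructed for illustration.

function Test-DownloadHost {
    # Returns $true only for an HTTPS URL whose host is exactly an allowed domain or
    # a subdomain of one. Suffix matching on ".<domain>" matters: a plain substring
    # test would accept "microsoft.com.evil.example" and "microsoft-teams-download.com".
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string[]]$AllowedDomains
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -ne 'https') { return $false }
    $hostName = $uri.Host.ToLowerInvariant()
    foreach ($d in $AllowedDomains) {
        $d = $d.ToLowerInvariant()
        if ($hostName -eq $d -or $hostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Test-InstallerSignature {
    # Checks that the file carries a valid Authenticode signature AND that the signer
    # subject matches the expected publisher. Both are needed: a chain that validates
    # only tells you somebody trusted by Windows signed it, not that it was the vendor.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher   # regex against the signer Subject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status            # 'Valid', 'NotSigned', 'HashMismatch', ...
        Signer  = $signer
        Trusted = ($sig.Status -eq 'Valid' -and $null -ne $signer -and $signer -match $ExpectedPublisher)
    }
}

# --- Usage with constructed inputs (assumed allowlist, assumed URLs) ---
$AllowedDomains = @('microsoft.com', 'google.com')

$candidates = @(
    'https://www.microsoft.com/en-us/microsoft-teams/download-app',   # genuine vendor host
    'https://microsoft-teams-download.com/MSTeamsSetup.exe',           # lookalike: not a subdomain
    'https://www.microsoft.com.evil.example/MSTeamsSetup.exe',         # suffix trick
    'http://www.microsoft.com/MSTeamsSetup.exe'                        # wrong scheme
)
foreach ($u in $candidates) {
    '{0,-5} {1}' -f (Test-DownloadHost -Url $u -AllowedDomains $AllowedDomains), $u
}
# Expected: True for the first URL, False for the other three.

# Signature check on a real file path (only runs if the file exists on this machine).
$installer = "$env:USERPROFILE\Downloads\MSTeamsSetup.exe"
if (Test-Path $installer) {
    Test-InstallerSignature -Path $installer -ExpectedPublisher 'O=Microsoft Corporation' | Format-List
}
```

Two caveats apply. First, the trojanized installer in this campaign drops the genuine Teams setup as well, so a valid Microsoft signature on a file found under Temp after infection says nothing about the file the user originally ran; check the downloaded file itself, before executing it. Second, a domain allowlist protects against lookalike hosts but not against a compromised vendor site, so the signature check remains the stronger of the two.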