In a recent analysis by Rapid7, a new malvertising campaign has emerged that exploits trojanized installers for widely used software like Google Chrome and Microsoft Teams to deploy a backdoor known as Oyster. This malicious software, which is also referred to as Broomstick and CleanUpLoader, poses significant risks to unsuspecting users seeking legitimate applications.
This campaign directs users to counterfeit websites disguised as download pages for popular software. When users attempt to download the supposed installer, they instead trigger a chain of malware infections. The method exploits users' reliance on search engines like Google and Bing, with threat actors crafting lookalike websites that host these malicious payloads.
Upon execution, the installer not only compromises the host system but also establishes communication with a hard-coded command-and-control (C2) server, enabling remote code execution and data collection from the infected machine. The tactics used in this attack map to several techniques outlined in the MITRE ATT&CK Matrix, particularly those related to initial access and persistence. The deployment relies on straightforward techniques that culminate in unauthorized software installation, which further conceals the presence of the malicious payload.
Interestingly, the usage of the Oyster backdoor in this attack represents a shift in tactics from earlier instances where it was delivered by a specific loader component. Attackers are now employing more direct methods for installation, reflecting an evolution in their approach. Current assessments suggest that this malware may be linked to the Russia-based ITG23 group, which has a history of association with the notorious TrickBot malware.
In a deceptive move, the malware execution is disguised by simultaneously installing the legitimate Microsoft Teams software, minimizing the chances of detection by the user and maintaining the guise of normalcy. The added capability to generate a PowerShell script indicates an effort to establish persistence on the compromised system, enhancing the attack’s effectiveness over time.
This discovery coincides with activities attributed to a cybercrime group known as Rogue Raticate, which is known for phishing campaigns that use PDF decoys to lure users into clicking malicious links, ultimately leading to the deployment of the NetSupport Remote Access Tool (RAT). Such tactics indicate a broadening of strategy among cybercriminals, demonstrating their capacity to exploit multiple vectors for infiltration.
Furthermore, the rise of new phishing-as-a-service (PhaaS) platforms, exemplified by the ONNX Store, demonstrates the evolving landscape of cyber threats. This platform allows attackers to orchestrate phishing campaigns using embedded QR codes in PDF attachments, further facilitating credential harvesting through misleading interfaces designed to replicate legitimate login pages.
The ONNX Store reportedly uses advanced evasion techniques, including embedding encrypted JavaScript aimed at circumventing phishing detection. This intricate design enhances the attackers’ ability to capture network metadata and intercept two-factor authentication tokens, adding another layer of sophistication to their operations.
These developments underscore the imperative for business owners to remain vigilant against emerging cybersecurity threats. Understanding the tactics employed in these attacks through the lens of frameworks like MITRE ATT&CK can significantly aid in defenses against such sophisticated methods of infiltration. As cybercriminals continuously refine their strategies, proactive measures and cybersecurity awareness become paramount in safeguarding sensitive information.