Oyster Backdoor Spread Through Trojanized Downloads of Widely Used Software
A malicious advertising (malvertising) campaign is using trojanized installers for well-known applications such as Google Chrome and Microsoft Teams to deliver a backdoor named Oyster (also known as Broomstick and CleanUpLoader).
That is according to reports from Rapid7, which found lookalike websites hosting the malicious payloads; users are directed to these sites after searching for the software on search engines such as Google and Bing.
The threat actors lure unsuspecting users to counterfeit websites that claim to offer legitimate software, but any attempt to download the setup file instead triggers a malware infection chain.
More specifically, the executable serves as a delivery vehicle for a backdoor called Oyster, which is capable of collecting information about the compromised host, communicating with a predefined command-and-control (C2) address, and supporting remote code execution.
Even though Oyster has previously been spotted being distributed through a dedicated loader component known as Broomstick Loader (also known as Oyster Installer), the latest attack sequences involve the direct deployment of the backdoor. This malware has been linked with ITG23, a group connected to Russia responsible for the TrickBot malware.
Execution of the malware is followed by installation of the legitimate Microsoft Teams software in an effort to maintain the ruse and avoid raising suspicion. Rapid7 also observed the malware spawning a PowerShell script that establishes persistence on the device.
This disclosure coincides with the discovery of a criminal group named Rogue Raticate (also known as RATicate) believed to be behind an email phishing campaign that uses PDF decoys to entice users into clicking a malicious URL that delivers NetSupport RAT.
“If a user is successfully deceived into clicking the URL, they will be led through a Traffic Distribution System (TDS) into the remainder of the chain, ultimately having the NetSupport Remote Access Tool installed on their device,” Symantec stated.
This development also aligns with the emergence of a new phishing-as-a-service (PhaaS) platform known as the ONNX Store, which enables customers to orchestrate phishing campaigns using QR codes embedded in PDF attachments that lead victims to credential-harvesting pages.
The ONNX Store also offers bulletproof hosting and RDP services through a Telegram bot and is believed to be a rebranded version of the Caffeine phishing kit, first documented by Google-owned Mandiant in October 2022 and operated by an Arabic-speaking threat actor known as MRxC0DER.
In addition to using Cloudflare's anti-bot mechanisms to evade detection by phishing website scanners, the URLs distributed through the quishing (QR code phishing) campaigns contain encrypted JavaScript that is decoded during page load to gather victims' network metadata and relay 2FA tokens.
“The ONNX Store incorporates a two-factor authentication (2FA) bypass system that intercepts [two-factor authentication] requests from victims,” said EclecticIQ researcher Arda Büyükkaya. “The phishing pages are designed to resemble authentic Microsoft 365 login interfaces, tricking targets into entering their authentication details.”