Thursday, June 19, 2025

Fake Chrome, Teams Downloads Pose Threat

Oyster Backdoor Distributed via Malicious Software Downloads

Summary:

An elaborate malvertising campaign is targeting users downloading popular software like Google Chrome and Microsoft Teams. Attackers exploit typo-squatted domains and deceptive ads to trick users into downloading malicious installers, which deploy the dangerous Oyster backdoor, also known as Broomstick.

The attack begins with malicious ads on search engines like Google and Bing, redirecting users to fake download pages. Once users download and execute the malicious installers, such as MSTeamsSetup_cl.exe, a loader disguised as legitimate software drops the Oyster Main component. This component conducts system reconnaissance, communicates with command-and-control (C2) servers, and enables remote code execution.

Key malware components include CleanUp30.dll, which establishes persistence and prevents multiple instances of the backdoor from running. The same DLL collects extensive system information and sends it to the C2 servers using the Boost.Beast library. Post-infection activity involves PowerShell scripts that establish persistence and execute additional payloads for long-term control.

Cybersecurity experts recommend that users download software only from official vendor sites and that organizations deploy advanced endpoint detection solutions to monitor for suspicious activity.
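One way to turn the "official vendor sites only" advice into a detection control is to triage executable downloads seen in web-proxy logs against an allowlist of vendor domains and flag lookalike hosts. The following is an added example written for this article, not code from the report or from any vendor; the proxy log format, the allowlist, the brand tokens and every log line are constructed for illustration. Only MSTeamsSetup_cl.exe comes from the article; ChromeSetup.exe is an assumed analogue, and the registrable-domain helper is deliberately naive (a real deployment should use the Public Suffix List).

```python
"""Triage executable downloads from proxy logs for typosquatted vendor domains.

Added example for the Oyster/Broomstick malvertising summary. All domains,
tokens and log lines below are constructed; the only article-derived value is
the installer name MSTeamsSetup_cl.exe.
"""
import re
from typing import Dict, List

# Assumption: approved registrable domains for Chrome and Teams downloads.
OFFICIAL_DOMAINS = {"google.com", "microsoft.com"}
# Assumption: brand words a typosquatter would imitate in a lookalike host.
BRAND_TOKENS = {"google", "chrome", "microsoft", "teams"}
# Installer names the campaign mimicked (MSTeamsSetup_cl.exe from the article,
# ChromeSetup.exe assumed).
INSTALLER_PATTERN = re.compile(r"(msteamssetup|chromesetup)[^/]*\.exe$", re.I)
# Constructed proxy log format: ts user= host= path= status=
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character swaps such as micros0ft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Return 'official', 'typosquat' or 'unknown' for a download host."""
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return "official"
    name = reg.rsplit(".", 1)[0]  # strip the TLD, keep e.g. "micros0ft-teams"
    for token in re.split(r"[-_]", name):
        for brand in BRAND_TOKENS:
            # Exact brand word on a non-approved domain, or a one-edit lookalike
            # of a longer brand word (short words like "teams" only match exactly).
            if token == brand or (len(token) >= 6 and levenshtein(token, brand) <= 1):
                return "typosquat"
    return "unknown"


def triage_downloads(lines: List[str]) -> List[Dict[str, str]]:
    """Flag successful .exe downloads whose host is not an approved vendor domain."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["status"] != "200":
            continue  # malformed line or failed download
        path = m["path"]
        if not path.lower().endswith(".exe"):
            continue  # only executable downloads are in scope here
        verdict = classify_host(m["host"])
        if verdict == "official":
            continue
        # A lookalike host, or an installer named like a vendor setup file coming
        # from anywhere other than the vendor, is the campaign's signature shape.
        severity = "high" if verdict == "typosquat" or INSTALLER_PATTERN.search(path) else "medium"
        findings.append({
            "ts": m["ts"], "user": m["user"], "host": m["host"],
            "file": path.rsplit("/", 1)[-1], "verdict": verdict, "severity": severity,
        })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_PROXY_LOG = [
    "2025-06-19T09:14:02Z user=alice host=dl.google.com path=/chrome/install/ChromeSetup.exe status=200",
    "2025-06-19T09:20:45Z user=bob host=micros0ft-teams.com path=/download/MSTeamsSetup_cl.exe status=200",
    "2025-06-19T09:21:10Z user=carol host=cdn.example-files.net path=/tools/Setup.exe status=200",
    "2025-06-19T09:22:33Z user=dave host=goggle.com path=/chrome/ChromeSetup.exe status=404",
    "2025-06-19T09:25:00Z user=erin host=www.microsoft.com path=/en-us/microsoft-teams/download-app status=200",
]

if __name__ == "__main__":
    for finding in triage_downloads(SAMPLE_PROXY_LOG):
        print(finding)
```

Run against the sample log, the official Google download and the non-executable Microsoft page are ignored, the failed 404 is skipped, the Teams installer from the lookalike host is reported as high severity, and the generic Setup.exe from an unrelated host is reported as medium for analyst follow-up.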
