Rapid7 documents a malvertising campaign that lures users into downloading fake installers for popular software to drop the Oyster backdoor (aka Broomstick). The post details the delivery chain, backdoor components, C2 behavior, and detection/mitigation guidance, along with a Python tool to extract obfuscated config. #Oyster #Broomstick
Keypoints
- Rapid7 observed a malvertising campaign that entices users to download fake installers for software such as Google Chrome and Microsoft Teams, which drop the Oyster backdoor.
- Initial access occurs via typo-squatted domains (e.g., micrsoft-teams-download[.]com) that lead to the download of MSTeamsSetup_c_l_.exe, which is signed with a legitimate-sounding certificate.
- Oyster/Broomstick is a loader/backdoor family capable of information gathering, C2 communication, and remote code execution; the Oyster Main component is often delivered without the installer.
- Dropper and persistence involve dropping CleanUp30.dll, creating a scheduled task (ClearMngs) to run it via rundll32.exe, and using a mutex to avoid multiple instances.
- The malware decodes hard-coded C2 addresses, fingerprints the host (OS, user, domain, etc.), and communicates with C2 domains such as whereverhomebe[.]com, supfoundrysettlers[.]us, and retdirectyourman[.]eu.
- Follow-on activity includes a PowerShell script creating a startup LNK to run CleanUp.dll, and additional payloads (k1.ps1, main.dll, getresult.exe) observed in some incidents.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – The threat actor set up the typo-squatted domain micrsoft-teams-download[.]com to aid delivery of the executable MSTeamsSetup_c_l_.exe.
- [T1059.001] PowerShell – Used to create the .lnk file DiskCleanUp.lnk and execute the PowerShell payload k1.ps1.
- [T1204.002] User Execution – The user executes the binary MSTeamsSetup_c_l_.exe.
- [T1053.005] Scheduled Task – CleanUp30.dll and CleanUp.dll create the scheduled task ClearMngs via: schtasks.exe /create /tn ClearMngs /tr "rundll32 '<location of binary>CleanUp30.dll',Test" /sc hourly /mo 3 /f
- [T1036.005] Masquerading: Match Legitimate Name or Location – MSTeamsSetup_c_l_.exe masquerades as the legitimate Microsoft Teams installer.
- [T1497.003] Time Based Evasion – Execution delays are introduced at several stages throughout the attack flow.
- [T1005] Data from Local System – The threat actors enumerated information about compromised hosts using the backdoor CleanUp DLLs.
- [T1132.002] Data Encoding: Non-Standard Encoding – The CleanUp DLLs send encoded data to the C2s using a unique encoding function.
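As an added detection example (not code from the Rapid7 post), the following Python matches process-creation command lines against the persistence pattern quoted under T1053.005: schtasks creating a task whose action is rundll32 loading a DLL export. The task name ClearMngs and the DLL names come from the write-up; the sample events and the user-writable-path heuristic are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation command lines (not from the Rapid7 post);
# the first mirrors the schtasks invocation quoted under T1053.005.
SAMPLE_EVENTS = [
    r"""schtasks.exe /create /tn ClearMngs /tr "rundll32 'C:\Users\bob\AppData\Local\Temp\CleanUp30.dll',Test" /sc hourly /mo 3 /f""",
    r"""schtasks.exe /create /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe" /sc daily""",
    r"""rundll32 "C:\Users\bob\AppData\Local\Temp\CleanUp30.dll",Test""",
    r"""rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL""",
]

TASK_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
TASK_NAME_RE = re.compile(r"/tn\s+(\S+)", re.I)
# rundll32 <dll>,<export>, with the DLL path optionally wrapped in ' or "
RUNDLL_EXPORT_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+['"]?(?P<dll>[^'",]+?\.dll)['"]?\s*,\s*(?P<export>\w+)""", re.I)
# Heuristic (assumption): DLLs loaded from these locations deserve a closer look.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Names taken from the Rapid7 write-up.
KNOWN_TASK_NAMES = {"clearmngs"}
KNOWN_DLL_NAMES = {"cleanup30.dll", "cleanup.dll"}


def analyze_cmdline(cmdline):
    """Return the list of findings for one command line (empty if nothing matched)."""
    findings = []
    task = TASK_CREATE_RE.search(cmdline)
    if task:
        name = TASK_NAME_RE.search(cmdline)
        if name and name.group(1).lower() in KNOWN_TASK_NAMES:
            findings.append(f"known Oyster task name {name.group(1)}")
    rundll = RUNDLL_EXPORT_RE.search(cmdline)
    if rundll:
        dll = rundll.group("dll")
        basename = PureWindowsPath(dll).name.lower()
        if task:
            findings.append(f"scheduled task action runs rundll32 export {rundll.group('export')}")
        if basename in KNOWN_DLL_NAMES:
            findings.append(f"known Oyster DLL {basename}")
        if USER_WRITABLE_RE.search(dll):
            findings.append("rundll32 DLL loaded from a user-writable path")
    return findings


def scan(cmdlines):
    """Return {cmdline: findings} for every command line with at least one finding."""
    return {c: f for c in cmdlines if (f := analyze_cmdline(c))}


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS).items():
        print(cmdline)
        for finding in findings:
            print("  -", finding)
```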
Indicators of Compromise
- [File] TMSSetup.exe – 9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43 – The malicious executable downloaded from prodfindfeatures[.]com/
- [File] MSTeamsSetup_c_l_.exe – 574C70E84ECDAD901385A1EBF38F2EE74C446034E97C33949B52F3A2FDDCD822 – The malicious executable downloaded from prodfindfeatures[.]com/
- [File] CleanUp30.dll – CFC2FE7236DA1609B0DB1B2981CA318BFD5FBBB65C945B5F26DF26D9F948CBB4 – The .dll file that is run by rundll32.exe following the execution of MSTeamsSetup_c_l_.exe
- [File] CleanUp.dll – 82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94 – The .dll file that is run by rundll32.exe following the execution of TMSSetup.exe
- [File] DiskCleanUp.lnk – b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa – An .lnk file created after CleanUp30.dll execution
- [Domain] prodfindfeatures[.]com/ – The domain hosting the malicious files TMSSetup (1).exe and MSTeamsSetup_c_l_.exe
- [Domain] micrsoft-teams-download[.]com/ – The typo-squatted domain that users visited
- [Domain] impresoralaser[.]pro/ – Part of the domain redirect chain for downloads
- [Domain] whereverhomebe[.]com/ – Domain that CleanUp30.dll and CleanUp.dll attempt to communicate with
- [Domain] supfoundrysettlers[.]us/ – Domain that CleanUp30.dll and CleanUp.dll attempt to communicate with
- [Domain] retdirectyourman[.]eu/ – Domain that CleanUp30.dll and CleanUp.dll attempt to communicate with
- [IP] 149.248.79[.]62 – Resolving IP for whereverhomebe[.]com/
- [IP] 64.95.10[.]243 – Resolving IP for supfoundrysettlers[.]us/
- [IP] 206.166.251[.]114 – Resolving IP for retdirectyourman[.]eu/
Read more: https://blog.rapid7.com/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/