Rhysida deployed a new Oyster backdoor variant (Broomstick) to deliver ransomware in a July 10, 2024 attack, targeting a private school. The campaign leveraged malvertising and SEO poisoning to install the Oyster backdoor, then used stolen SSH credentials to pivot to NAS devices and VMware hypervisors before encrypting data and local backups. #Rhysida #OysterBackdoor
Key points
- Rhysida used a new Oyster backdoor variant (Broomstick) in a July 10, 2024 attack on a private school.
- The Oyster backdoor campaign built on a delivery method first documented by Rapid7: SEO poisoning and malvertising that disguise the installer as a legitimate app (e.g., Chrome, Teams).
- The backdoor communicates with a C2 server at codeforprofessionalusers[.]com, and endpoints made outbound connections to Rhysida C2 infrastructure (e.g., 173.46.80.206).
- Input capture (T1056) enabled theft of administrative credentials for the clients’ hypervisors; the scheduled task, DLL and directories involved are listed under Indicators of Compromise.
- Attackers used stolen SSH credentials to access NAS devices and VMware hypervisors, bypassing real-time protections and expanding access.
- Ransomware encrypted VMDK files on the hypervisor and NAS data, including local backups, necessitating offsite backups for recovery.
- Preventive guidance includes patching internet-facing systems, disabling remote access, deploying EDR/MDR, network segmentation, and offline backups.
MITRE Techniques
- [T1056] Input Capture – Used to steal administrative credentials to the clients’ hypervisors. “Input capture (T1056), which enabled the theft of administrative credentials to the clients’ hypervisors.”
- [T1021.004] SSH – Remote Services – Used stolen SSH credentials to access NAS devices and VMware hypervisors. “Using stolen SSH credentials, attackers accessed NAS devices and VMware hypervisors.”
- [T1071.001] Web Protocols – Web-based C2 communications observed via outbound connections to the C2 domain. “The infected endpoints exhibited numerous outbound web connections to known Rhysida C2 servers, including 173.46.80[.]206.”
- [T1189] Drive-by Compromise – Initial access via malvertising delivering the Oyster backdoor. “originating from a malicious IP scanner distributed via malvertising.”
- [T1053.005] Scheduled Task – Persistence/Execution via Windows Task Scheduler (System32\Tasks\OppCleanTp executing CleanUp.dll). “Task: {59B44DEF-E91D-491A-97D8-1F48D6A5F961} – System32\Tasks\OppCleanTp executing CleanUp.dll”
- [T1486] Data Encrypted for Impact – Ransomware encrypted VMDK files and local backups. “The ransomware encrypted VMDK files on the hypervisor and potentially other critical data on the NAS devices. The attackers also encrypted local backups.”
Indicators of Compromise
- [File Hash] SHA-256 – 0a7fd836d36ed8e8e9aa7bc41fdc9242333e8469059dec8886b7d935f3651679
- [Domain] codeforprofessionalusers.com – C2 domain referenced by Oyster backdoor
- [IP Address] 173.46.80.206 – outbound connections to known Rhysida C2 infrastructure
- [File/Directory] C:\Users\[REDACTED]\AppData\Roaming\IwJnK, C:\Users\[REDACTED]\AppData\Roaming\ZBrAO, C:\WINDOWS\system32\Tasks\OppCleanTp, C:\Users\[REDACTED]\AppData\Local\Temp\CleanUp.dll – paths observed in the malware activity
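As an added example (not from the ThreatDown post or its authors), the script below sweeps the indicators listed above across sample log lines: outbound connections to the C2 IP, DNS lookups of the C2 domain, creation of the OppCleanTp task file and execution of CleanUp.dll from a user's Temp directory. It normalises defanged forms ([.]) before matching and uses boundary checks so a longer domain or a different host in the same /24 is not reported as a hit. The log lines are constructed for illustration and the path fragments are assumptions derived from the paths in the summary (the [REDACTED] user segment is dropped so the match works for any user profile).

```python
"""Match the Rhysida/Oyster IoCs from the summary against sample log lines.

Added example, not code from the original post. Sample log lines are
constructed; only the indicator values themselves come from the summary.
"""
import re
from typing import Dict, List

# Indicator values from the summary. Paths are kept as lower-case fragments
# without the user-profile segment (assumption: the [REDACTED] part varies).
IOCS = {
    "sha256": {"0a7fd836d36ed8e8e9aa7bc41fdc9242333e8469059dec8886b7d935f3651679"},
    "domain": {"codeforprofessionalusers.com"},
    "ip": {"173.46.80.206"},
    "path": {
        r"\appdata\roaming\iwjnk",
        r"\appdata\roaming\zbrao",
        r"\windows\system32\tasks\oppcleantp",
        r"\appdata\local\temp\cleanup.dll",
    },
}


def refang(text: str) -> str:
    """Undo common defanging ([.] and hxxp) so indicators compare cleanly."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def scan_line(line: str) -> List[str]:
    """Return 'type:indicator' tags for every IoC present in one log line."""
    norm = refang(line).lower()
    hits: List[str] = []
    for h in IOCS["sha256"]:
        if h in norm:
            hits.append(f"sha256:{h}")
    for d in IOCS["domain"]:
        # boundary checks: 'notcodeforprofessionalusers.com' must not match
        if re.search(r"(?<![a-z0-9-])" + re.escape(d) + r"(?![a-z0-9-])", norm):
            hits.append(f"domain:{d}")
    for ip in IOCS["ip"]:
        # boundary checks: 173.46.80.2 or 173.46.80.2061 must not match
        if re.search(r"(?<![0-9.])" + re.escape(ip) + r"(?![0-9.])", norm):
            hits.append(f"ip:{ip}")
    for p in IOCS["path"]:
        if p in norm:
            hits.append(f"path:{p}")
    return hits


def scan_logs(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to their hits; lines without hits are omitted."""
    report: Dict[int, List[str]] = {}
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            report[number] = hits
    return report


# Constructed sample telemetry (proxy, DNS, Sysmon-style file/process events).
# Not real logs; the username 'jdoe' and timestamps are placeholders.
SAMPLE_LOGS = [
    "2024-07-10T02:11:05Z proxy src=10.20.5.17 dst=173.46.80.206:443 method=CONNECT bytes=8812",
    "2024-07-10T02:11:07Z dns client=10.20.5.17 query=codeforprofessionalusers.com type=A",
    "2024-07-10T02:12:40Z sysmon EventID=11 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetFilename=C:\\WINDOWS\\system32\\Tasks\\OppCleanTp",
    "2024-07-10T02:12:41Z sysmon EventID=1 Image=C:\\Windows\\System32\\rundll32.exe "
    "CommandLine=rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\CleanUp.dll",
    "2024-07-10T02:13:00Z dns client=10.20.5.18 query=www.microsoft.com type=A",
    "2024-07-10T02:13:02Z proxy src=10.20.5.18 dst=173.46.80.2:443 method=CONNECT bytes=100",
]

if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {number}: {', '.join(hits)}")
```

Lines 1 to 4 of the sample set produce one hit each (IP, domain, task path, DLL path); the benign DNS lookup and the neighbouring /24 address on lines 5 and 6 produce none. In practice the same function can be pointed at exported proxy, DNS and endpoint logs, and the task-path and Temp-DLL matches are the ones worth alerting on even without a network hit, since they indicate the persistence stage described under T1053.005.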
Read more: https://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/