Microsoft halted Rhysida ransomware campaigns by revoking over 200 malicious certificates that had been used to sign fake Teams installers. The attacks used domains mimicking Microsoft Teams to distribute the Oyster backdoor, giving the threat actors remote access and the ability to steal data. #Rhysida #OysterMalware
Key points
- Vanilla Tempest, also known as Vice Society, targeted organizations using fake Microsoft Teams sites to spread malware.
- The threat group employed malvertising and SEO poisoning to promote fake Teams installers that download the Oyster backdoor.
- The malicious installers were signed with code-signing certificates to evade security controls before deploying payloads such as Oyster.
- Oyster malware has been used since mid-2023 in various attacks, often via impersonation of IT tools or trusted websites.
- Vanilla Tempest focuses on ransomware deployment and data exfiltration, and has targeted sectors including education, healthcare, and manufacturing.
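The chain described above (lookalike Teams domains serving signed installers) is something a defender can hunt for in web proxy logs before a signature or certificate revocation lands. The following is an added example, not code from the article or from Microsoft: it parses a constructed proxy log, flags hosts whose labels impersonate the Teams or Microsoft brand while sitting outside an assumed allowlist of legitimate Microsoft domains, and reports any Windows installer downloaded from such a host. The log format, the sample domains (all on reserved `.example`/`.invalid` TLDs, not real indicators) and the allowlist are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real indicators of compromise).
# Format assumed here: <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://teams.microsoft.com/downloads 200",
    "2024-01-01T10:01:00Z 10.0.0.7 GET https://teams-install.example/MSTeamsSetup.exe 200",
    "2024-01-01T10:02:00Z 10.0.0.9 GET https://www.example.org/index.html 200",
    "2024-01-01T10:03:00Z 10.0.0.9 GET https://microsoft-teams-download.invalid/TeamsSetup.msi 200",
    "2024-01-01T10:04:00Z 10.0.0.5 GET https://statics.teams.cdn.office.net/app.js 200",
    "2024-01-01T10:05:00Z 10.0.0.7 GET https://micros0ft-teams.example/about.html 200",
]

# Assumed allowlist of domains Microsoft legitimately serves Teams from.
# A real deployment would maintain this list from vendor documentation.
LEGIT_SUFFIXES = ("microsoft.com", "office.net", "office.com", "microsoftonline.com")

# Brand strings to look for inside host labels; longer ones also get a
# fuzzy match so that single-character substitutions (micros0ft) are caught.
BRANDS = ("teams", "microsoft", "msteams")
FUZZY_MIN_LEN = 7
INSTALLER_EXT = (".exe", ".msi", ".msix")


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_is_allowlisted(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def impersonates_teams(host: str) -> bool:
    """True if a label of the host mimics a Teams/Microsoft brand string
    and the host is not under an allowlisted Microsoft domain."""
    if host_is_allowlisted(host):
        return False
    for label in re.split(r"[.\-_]", host.lower()):
        for brand in BRANDS:
            if label == brand:
                return True
            if len(brand) >= FUZZY_MIN_LEN and edit_distance(label, brand) <= 1:
                return True
    return False


def parse_line(line: str) -> dict:
    ts, client, method, url, status = line.split()
    parsed = urlparse(url)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": parsed.hostname or "",
        "path": parsed.path,
        "filename": parsed.path.rsplit("/", 1)[-1],
        "status": status,
    }


def hunt(lines) -> list:
    """Return events where an installer was fetched from a Teams lookalike host."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if impersonates_teams(ev["host"]) and ev["filename"].lower().endswith(INSTALLER_EXT):
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for ev in hunt(SAMPLE_LOGS):
        print(f"{ev['ts']} client={ev['client']} host={ev['host']} file={ev['filename']}")
```

The lookalike check deliberately ignores plain page views (the `about.html` hit on a lookalike host is not reported) so the output stays focused on the installer-download step that precedes Oyster execution; widening `INSTALLER_EXT` or dropping that condition turns the same code into a broader typosquat monitor.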