Microsoft has disrupted a Vanilla Tempest campaign that delivered Rhysida ransomware by revoking more than 200 code-signing certificates the group had been abusing. The operation relied on fake Microsoft Teams installers that dropped a backdoor called Oyster, which the actors then used to stage the ransomware. #VanillaTempest #Rhysida #OysterBackdoor
Key points
- Vanilla Tempest (also tracked as Vice Spider and Vice Society) primarily targets the education and healthcare sectors.
- Microsoft disrupted the campaign by revoking more than 200 certificates that had been used to sign the malware and the fake installers.
- The group distributed fake Teams setup files through SEO poisoning, so that malicious download sites surfaced in search results for users looking for Teams.
- The fake installers contained a loader that downloaded a signed backdoor named Oyster, which gave the actors the foothold used to stage Rhysida.
- The threat actors obtained code-signing certificates from trusted certificate authorities such as DigiCert and GlobalSign, so the files carried valid signatures and passed casual inspection. A valid Authenticode signature proves only that the file has not changed since the named signer signed it; it does not prove the signer is the real publisher. The check that matters is whether the signer subject is actually Microsoft and whether the certificate has since been revoked.
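The practical check this campaign calls for, as an added example (this is not code from the article, from Microsoft, or from SecurityWeek): verify a downloaded installer's Authenticode signature, confirm the signer is the publisher you expect rather than merely "some CA-issued certificate", and rebuild the certificate chain with online revocation checking so a certificate the CA has since revoked is rejected. The function name, the installer path, the expected publisher CN and the optional thumbprint are assumptions for illustration; it runs in Windows PowerShell, where Get-AuthenticodeSignature is available.

```powershell
# Added example, not from the original article. Verifies that an installer is
# signed by the expected publisher and that the signing certificate still
# validates with online revocation checking. Path, publisher CN and thumbprint
# values below are assumptions for illustration.

function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed: Microsoft ships Teams under this subject CN. Adjust for other vendors.
        [string] $ExpectedPublisher = 'Microsoft Corporation',
        # Optional stricter check: pin to a known-good signer thumbprint (assumed value
        # would come from a copy you already trust, e.g. one installed by IT).
        [string] $ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The file must carry a signature that verifies at all. Unsigned or tampered
    #    files stop here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'FAIL'; Reason = "signature status: $($sig.Status)" }
    }

    # 2. A valid signature from *a* CA-issued certificate is not enough: the
    #    campaign's installers were validly signed by certificates issued to someone
    #    who was not Microsoft. Compare the signer's CN with the expected publisher.
    $cert    = $sig.SignerCertificate
    $subject = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($subject -ne $ExpectedPublisher) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'FAIL'; Reason = "unexpected signer: '$subject' (full subject: $($cert.Subject))" }
    }
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'FAIL'; Reason = "signer thumbprint $($cert.Thumbprint) does not match pinned value" }
    }

    # 3. Rebuild the chain as of now with online revocation checking. A timestamped
    #    Authenticode signature made before a certificate's revocation date can still
    #    report 'Valid', so this step asks the CA directly whether the signer
    #    certificate is revoked today and requires the code-signing EKU.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))  # id-kp-codeSigning
    if (-not $chain.Build($cert)) {
        $problems = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        return [pscustomobject]@{ Path = $Path; Verdict = 'FAIL'; Reason = "chain error: $problems" }
    }

    [pscustomobject]@{ Path = $Path; Verdict = 'PASS'; Reason = "signed by '$subject', chain valid and not revoked" }
}

# Usage (assumed path): run against a freshly downloaded installer before executing it.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

The order of the checks matters: step 2 is what defeats this campaign, because the malicious installers passed step 1. Step 3 is worth keeping even after Microsoft's revocations, since an endpoint that last downloaded a CRL before the revocation may still treat a revoked certificate as good until it refreshes; the Online revocation mode forces that refresh for the chain being checked. The thumbprint pin is the strongest of the three, but it has to be updated whenever the vendor rotates its signing certificate.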
Read More: https://www.securityweek.com/microsoft-revokes-over-200-certificates-to-disrupt-ransomware-campaign/