Hackers have been identified using SEO poisoning and search engine advertisements to promote fake Microsoft Teams installers that infect Windows devices with the Oyster backdoor, providing initial access to corporate networks. The Oyster malware, also known as Broomstick and CleanUpLoader, is a backdoor that first appeared in mid-2023 and has since been linked to multiple campaigns. The malware grants attackers remote access to infected devices, enabling them to execute commands, deploy additional payloads, and transfer files. Oyster is commonly spread through malvertising campaigns that impersonate popular IT tools, such as Putty and WinSCP. Ransomware operations, such as Rhysida, have also utilized malware to breach corporate networks.[1]
In a new malvertising and SEO poisoning campaign spotted by Blackpoint SOC, threat actors are promoting a fake site that appears when visitors search for "Teams download." While the ads and domain do not spoof Microsoft's domain, they lead to a website at teams-install[.]top that impersonates Microsoft's Teams download site. Clicking on the download link would download a file called "MSTeamsSetup.exe," which is the same filename used by the official Microsoft download.
The malicious MSTeamsSetup.exe [VirusTotal] was code-signed with certificates from "4th State Oy" and "NRM NETWORK RISK MANAGEMENT INC" to add legitimacy to the file. When executed, the fake installer dropped a malicious DLL named CaptureService.dll [VirusTotal] into the %APPDATA%\Roaming folder. For persistence, the installer creates a scheduled task named "CaptureService" to execute the DLL every 11 minutes, ensuring the backdoor remains active even on reboots.
This activity resembles previous fake Google Chrome and Microsoft Teams installers that pushed Oyster, highlighting how SEO poisoning and malvertising remain a popular tactic for breaching corporate networks. "This activity highlights the continued abuse of SEO poisoning and malicious advertisements to deliver commodity backdoors under the guise of trusted software," concludes Blackpoint. "Much like the fake PuTTY campaigns observed earlier this year, threat actors are exploiting user trust in search results and well-known brands to gain initial access."
As IT admins are a popular target for gaining access to credentials with high privileges, they are advised only to download software from verified domains and to avoid clicking on search engine advertisements.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-installers-push-oyster-malware-via-malvertising/
Comments