“Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software,” said the report.

How the Malvertising Campaign Works

The modus operandi of this campaign involves luring users to malicious websites. The threat actors create typo-squatted sites that closely mimic legitimate platforms. For instance, users searching for Microsoft Teams might inadvertently land on a fake Microsoft Teams download page. These malicious websites host supposed software installers, enticing users to download and install the application.

Fake Installers

However, the catch lies in the content of these fake installers. When users download them, they unknowingly execute the Oyster backdoor. This stealthy piece of malware allows attackers to gain unauthorized access to compromised systems. 

Once the backdoor is in place, attackers can engage in hands-on keyboard activity, directly interacting with the compromised system. Furthermore, the Oyster backdoor can deploy additional payloads after execution, potentially leading to further compromise or data exfiltration.

Impact and Mitigation

The impact on users who fall victim to this malvertising campaign can be severe. They inadvertently install the Oyster backdoor on their systems, providing attackers with a foothold. From there, attackers can escalate privileges, steal sensitive information, or launch other attacks.

To reduce such risks, users should remain vigilant:

• Verify Sources: Always verify the legitimacy of software sources before downloading. Avoid third-party download sites and opt for official websites or trusted app stores.
• Security Software: Regularly update and use security software to detect and prevent malware infections.
• User Education: Educate users about the risks of malvertising and emphasize safe browsing practices.