A notorious ransomware group is spreading fake Microsoft Teams ads to snare victims
The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
Search engine users should be cautious about downloading Microsoft Teams, with the Rhysida ransomware group using fake ads to distribute malware.
Cybersecurity firm Expel said it has discovered an ongoing malicious ad campaign delivering a malware called OysterLoader, previously known as Broomstick and CleanUpLoader.
It's the group's second campaign to impersonate the workplace collaboration platform in the last eighteen months.
OysterLoader is an initial access tool (IAT) that, once downloaded, runs a backdoor to gain long-term access to the device and network.
"The current infection chain is built on a highly successful malvertising model. Threat actors buy Bing search engine advertisements to direct users to convincing-looking, but malicious landing pages," said Aaron Walton, threat intelligence analyst at Expel.
"These search engine ads put links to the download right in front of potential victims. The most recent campaigns push ads for Microsoft Teams and impersonate the download pages. However, they’ve also cycled through other popular software such as PuTTY and Zoom."
The group uses a packing tool that effectively hides the capabilities of the malware and results in a low static detection rate when the malware is first seen.
It also uses code-signing certificates, as used by genuine software publishers, to give its own malicious files a higher level of trust.
Notably, Walton said this helped Expel detect the campaign.
"The certificates they use regularly get revoked by the certificate’s issuer, so new instances of the malware with a valid certificate indicate a new run of the campaign," he said.
"On any given day the bad actors may use multiple certificates, but seeing their files with a new fresh certificate also helps us know they’re still active. These new certificates further indicate steady investment into their campaign."
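The detection signal Walton describes, a known malware family turning up signed with a certificate not seen before, can be tracked with a small stateful checker. The following is an added example, not Expel's tooling: it ingests constructed observations of signed samples (family verdict, signer certificate thumbprint, issuer, validity window, current revocation state, first-seen time), raises a "new campaign run" signal when a new, still-valid certificate appears, separates out certificates the issuer has already revoked or that were outside their validity window, and counts distinct certificates per family per day to capture the "multiple certificates on any given day" pattern. All sample values, thumbprints and issuer names are constructed placeholders.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SignedSample:
    """One signed executable as a triage pipeline might export it (constructed schema)."""
    sha256: str
    family: str            # triage verdict for the sample, e.g. "OysterLoader"
    cert_thumbprint: str   # thumbprint of the signer (leaf) certificate
    issuer: str            # issuing CA as printed in the certificate
    not_before: datetime   # certificate validity window
    not_after: datetime
    revoked: bool          # current revocation state per the issuer's CRL/OCSP
    first_seen: datetime   # when this sample was first observed


@dataclass
class CertTracker:
    """Tracks which signer certificates have been seen on samples of known families."""
    first_seen: Dict[str, datetime] = field(default_factory=dict)
    by_day: Dict[Tuple[str, date], Set[str]] = field(
        default_factory=lambda: defaultdict(set))
    alerts: List[str] = field(default_factory=list)

    def ingest(self, s: SignedSample) -> Optional[str]:
        """Return the signal raised for this sample, or None if the certificate is already known."""
        self.by_day[(s.family, s.first_seen.date())].add(s.cert_thumbprint)

        if s.cert_thumbprint in self.first_seen:
            return None  # certificate already tracked; nothing new about this run

        self.first_seen[s.cert_thumbprint] = s.first_seen
        in_window = s.not_before <= s.first_seen <= s.not_after
        if in_window and not s.revoked:
            kind = "new_campaign_run"      # fresh, valid certificate: operators are active
        elif in_window and s.revoked:
            kind = "new_cert_revoked"      # new certificate, but the issuer already pulled it
        else:
            kind = "outside_validity"      # expired or not-yet-valid at first sighting
        self.alerts.append(
            f"{kind}: {s.family} sample {s.sha256[:12]} signed by {s.cert_thumbprint} "
            f"(issuer: {s.issuer})")
        return kind

    def certs_per_day(self, family: str, iso_day: str) -> int:
        """Number of distinct signer certificates seen for a family on a given day."""
        return len(self.by_day[(family, date.fromisoformat(iso_day))])


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed observations; thumbprints and issuer names are placeholders.
SAMPLES = [
    SignedSample("a1" * 32, "OysterLoader", "THUMB-A", "Placeholder CS CA",
                 _ts("2025-10-01T00:00"), _ts("2025-10-04T00:00"), True, _ts("2025-10-02T09:00")),
    SignedSample("b2" * 32, "OysterLoader", "THUMB-A", "Placeholder CS CA",
                 _ts("2025-10-01T00:00"), _ts("2025-10-04T00:00"), True, _ts("2025-10-02T11:00")),
    SignedSample("c3" * 32, "OysterLoader", "THUMB-B", "Placeholder CS CA",
                 _ts("2025-10-20T00:00"), _ts("2025-10-23T00:00"), False, _ts("2025-10-21T08:00")),
    SignedSample("d4" * 32, "OysterLoader", "THUMB-C", "Placeholder CS CA",
                 _ts("2025-10-20T00:00"), _ts("2025-10-23T00:00"), False, _ts("2025-10-21T15:00")),
    SignedSample("e5" * 32, "Latrodectus", "THUMB-D", "Placeholder CS CA",
                 _ts("2025-09-01T00:00"), _ts("2025-09-04T00:00"), False, _ts("2025-10-21T16:00")),
]


def run(samples: List[SignedSample] = SAMPLES) -> Tuple[CertTracker, List[Optional[str]]]:
    """Feed the observations through the tracker and return it with the per-sample signals."""
    tracker = CertTracker()
    kinds = [tracker.ingest(s) for s in samples]
    return tracker, kinds


if __name__ == "__main__":
    tracker, kinds = run()
    for k, s in zip(kinds, SAMPLES):
        print(f"{s.first_seen:%Y-%m-%d %H:%M}  {s.family:<13} {s.cert_thumbprint}  -> {k}")
    print("OysterLoader certs on 2025-10-21:", tracker.certs_per_day("OysterLoader", "2025-10-21"))
```

In practice the observations would come from whatever extracts Authenticode signer details and checks revocation during triage; the point of the tracker is that a thumbprint never seen before on a sample already classified as the family is itself the alert, and two such thumbprints within one day is the "steady investment" pattern the quote describes.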
Rhysida is ramping up attacks
Rhysida is also using the Latrodectus malware alongside OysterLoader to gain initial access to networks, Expel warned; the firm established this while analyzing the files to build detection rules.
Rhysida is one of the few cyber criminal groups leveraging Trusted Signing from Microsoft, the company’s own service for issuing code-signing certificates.
Attackers are using Trusted Signing certificates for both OysterLoader and Latrodectus, and appear to have found a way around the built-in features designed to limit misuse.
Rhysida first appeared as Vice Society in 2021, rebranded as Rhysida in 2023, and operates a ransomware-as-a-service (RaaS) model with double extortion. Since 2023, the group has posted around 200 victims on its data leak site, including governments, healthcare organisations, and critical infrastructure industries.
Earlier this year, the group claimed responsibility for attacks on the Oregon Department of Environmental Quality, the Cookeville Regional Medical Center in Tennessee, Kansas-based healthcare provider Sunflower Medical Group, and mental illness and addiction group the Community Care Alliance.
Elsewhere, the group also hit the Maryland Department of Transportation alongside an attack on the British Library.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.