A notorious ransomware group is spreading fake Microsoft Teams ads to snare victims
The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
Search engine users should be cautious about downloading Microsoft Teams, with the Rhysida ransomware group using fake ads to distribute malware.
Cybersecurity firm Expel said it has discovered an ongoing malicious ad campaign delivering a malware called OysterLoader, previously known as Broomstick and CleanUpLoader.
It's the group's second campaign to impersonate the workplace collaboration platform in the last eighteen months.
OysterLoader is an initial access tool (IAT) that, once downloaded, runs a backdoor to gain long-term access to the device and network.
"The current infection chain is built on a highly successful malvertising model. Threat actors buy Bing search engine advertisements to direct users to convincing-looking, but malicious landing pages," said Aaron Walton, threat intelligence analyst at Expel.
"These search engine ads put links to the download right in front of potential victims. The most recent campaigns push ads for Microsoft Teams and impersonate the download pages. However, they’ve also cycled through other popular software such as PuTTY and Zoom."
The group uses a packing tool that effectively hides the capabilities of the malware and results in a low static detection rate when the malware is first seen.
It also uses code-signing certificates, as used by genuine software publishers, to give its own malicious files a higher level of trust.
Notably, Walton said this helped Expel detect the campaign.
"The certificates they use regularly get revoked by the certificate’s issuer, so new instances of the malware with a valid certificate indicate a new run of the campaign," he said.
"On any given day the bad actors may use multiple certificates, but seeing their files with a new fresh certificate also helps us know they’re still active. These new certificates further indicate steady investment into their campaign."
Rhysida is ramping up attacks
Along with the OysterLoader malware, Rhysida is also using the Latrodectus malware to gain initial access to networks, Expel warned; the firm established this while analyzing files in order to build detection rules.
Rhysida is one of the few cyber criminal groups to be leveraging Trusted Signing from Microsoft, the company’s own service for issuing code-signing certificates.
Attackers are using Trusted Signing certificates for both OysterLoader and Latrodectus and appear to have found a way round the built-in features designed to limit misuse.
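The two detection angles Walton describes above (a freshly issued, still-valid signing certificate on a suspicious installer, and a Trusted Signing-issued certificate on a file that is not from the brand it imitates) can be turned into a simple triage sweep. The script below is an added example, not Expel's tooling or code from the article; it assumes a defender-maintained JSON baseline of known-good signer thumbprints, an assumed baseline path, and expected publisher names for the impersonated brands that you should confirm against a known-good copy of each installer.

```powershell
# Added example (not Expel's code): flag downloaded installers whose Authenticode
# signer is unknown, freshly issued, short-lived, or inconsistent with the brand
# the file name imitates. All paths and publisher names are assumptions.
param(
    [string]$ScanPath  = "$env:USERPROFILE\Downloads",
    [string]$Baseline  = "$env:ProgramData\SignerBaseline.json",  # assumed: JSON array of thumbprints
    [int]$FreshDays    = 7                                          # "new fresh certificate" window
)

# Expected publisher CN for brands the article says were impersonated (assumed; verify locally).
$expectedPublisher = @{
    'MSTeams*' = 'Microsoft Corporation'
    'putty*'   = 'Simon Tatham'
    'Zoom*'    = 'Zoom Video Communications'
}

$known = @{}
if (Test-Path $Baseline) {
    foreach ($t in (Get-Content $Baseline -Raw | ConvertFrom-Json)) { $known[$t] = $true }
}

$findings = foreach ($f in Get-ChildItem -Path $ScanPath -Include *.exe,*.msi -Recurse -File) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate
    if (-not $cert) { continue }                     # unsigned files: out of scope for this check
    $reasons = @()
    if ($sig.Status -eq 'Valid' -and -not $known.ContainsKey($cert.Thumbprint)) {
        $reasons += 'valid signature from signer not in baseline'
    }
    if ($cert.NotBefore -gt (Get-Date).AddDays(-$FreshDays)) {
        $reasons += "certificate issued within the last $FreshDays days"
    }
    # Trusted Signing issues short-lived certificates; issuer substring is an assumption.
    if ($cert.Issuer -like '*Microsoft ID Verified*' -or ($cert.NotAfter - $cert.NotBefore).TotalDays -le 3) {
        $reasons += 'short-lived / Trusted Signing-style certificate'
    }
    foreach ($pattern in $expectedPublisher.Keys) {
        if ($f.Name -like $pattern -and $cert.Subject -notlike "*$($expectedPublisher[$pattern])*") {
            $reasons += "file name imitates $pattern but signer is '$($cert.Subject)'"
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ File = $f.FullName; Status = $sig.Status; Thumbprint = $cert.Thumbprint
                           Issuer = $cert.Issuer; NotBefore = $cert.NotBefore; Reasons = ($reasons -join '; ') }
    }
}

$findings | Format-Table -AutoSize
```

Hits are triage leads, not verdicts: a legitimate vendor rotating its certificate will also trip the baseline check, which is why the thumbprint baseline needs updating after each confirmed-benign review.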
Rhysida first appeared as Vice Society in 2021, but rebranded as Rhysida in 2023, and operates on a ransomware-as-a-service (RaaS), double-extortion model. Since 2023, the group has posted around 200 victims on its data leak site, including governments, healthcare organisations, and critical infrastructure industries.
Earlier this year, the group claimed responsibility for attacks on the Oregon Department of Environmental Quality, the Cookeville Regional Medical Center in Tennessee, Kansas-based healthcare provider Sunflower Medical Group, and mental illness and addiction group the Community Care Alliance.
Elsewhere, the group also hit the Maryland Department of Transportation alongside an attack on the British Library.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.