A notorious ransomware group is spreading fake Microsoft Teams ads to snare victims
The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
Search engine users should be cautious about downloading Microsoft Teams, with the Rhysida ransomware group using fake ads to distribute malware.
Cybersecurity firm Expel said it has discovered an ongoing malicious ad campaign delivering a malware called OysterLoader, previously known as Broomstick and CleanUpLoader.
It's the group's second campaign to impersonate the workplace collaboration platform in the last eighteen months.
OysterLoader is an initial access tool (IAT) that, once downloaded, runs a backdoor to gain long-term access to the device and network.
"The current infection chain is built on a highly successful malvertising model. Threat actors buy Bing search engine advertisements to direct users to convincing-looking, but malicious landing pages," said Aaron Walton, threat intelligence analyst at Expel.
"These search engine ads put links to the download right in front of potential victims. The most recent campaigns push ads for Microsoft Teams and impersonate the download pages. However, they’ve also cycled through other popular software such as PuTTY and Zoom."
The group uses a packing tool that effectively hides the capabilities of the malware and results in a low static detection rate when the malware is first seen.
It also uses code-signing certificates, as used by genuine software publishers, to give its own malicious files a higher level of trust.
Notably, Walton said this helped Expel detect the campaign.
"The certificates they use regularly get revoked by the certificate’s issuer, so new instances of the malware with a valid certificate indicate a new run of the campaign," he said.
"On any given day the bad actors may use multiple certificates, but seeing their files with a new fresh certificate also helps us know they’re still active. These new certificates further indicate steady investment into their campaign."
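The revocation and "fresh certificate" signals Walton describes can be turned into a simple endpoint triage check. The following PowerShell is an added example, not code from the article or from Expel; the 7-day age window and the issuer substring used to recognise Trusted Signing certificates are assumptions chosen for illustration.

```powershell
# Added example (not from the article or Expel): list signed executables in a
# folder and flag those whose signing certificate is revoked, very recently
# issued, or (assumed substring) issued through Microsoft Trusted Signing.
function Get-SuspiciousSignedFiles {
    param(
        [string]$Path = "$env:USERPROFILE\Downloads",
        [int]$MaxCertAgeDays = 7,                      # assumed triage window
        [string]$IssuerHint = 'Microsoft ID Verified'  # assumed issuer substring
    )
    $now = Get-Date
    Get-ChildItem -Path $Path -Include *.exe,*.msi,*.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return }
        $cert = $sig.SignerCertificate

        # Build the chain with online revocation checking: a certificate that the
        # issuer has already revoked is a strong signal on a fresh download.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $null = $chain.Build($cert)
        $revoked = [bool]($chain.ChainStatus | Where-Object Status -eq 'Revoked')

        # A certificate issued only days ago, as the article notes, often marks a
        # new run of the campaign after the previous certificate was revoked.
        $ageDays = ($now - $cert.NotBefore).TotalDays
        $reasons = @()
        if ($revoked) { $reasons += 'certificate revoked' }
        if ($ageDays -le $MaxCertAgeDays) { $reasons += "certificate issued $([int]$ageDays) days ago" }
        if ($cert.Issuer -like "*$IssuerHint*") { $reasons += 'Trusted Signing issuer (assumed match)' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                File       = $_.FullName
                Signer     = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                SigStatus  = $sig.Status
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousSignedFiles | Format-Table -AutoSize
```

Legitimate publishers also use Trusted Signing, so the issuer match is an enrichment field for analysts rather than a verdict; the revoked status and a new, previously unseen thumbprint are the signals worth alerting on.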
Rhysida is ramping up attacks
Along with the OysterLoader malware, Rhysida is also using the Latrodectus malware to gain initial access to networks, Expel warned. The firm established this while analyzing files in order to build detection rules.
Rhysida is one of the few cyber criminal groups to be leveraging Trusted Signing from Microsoft, the company’s own service for issuing code-signing certificates.
Attackers are using Trusted Signing certificates for both OysterLoader and Latrodectus and appear to have found a way round the built-in features designed to limit misuse.
Rhysida first appeared as Vice Society in 2021, rebranded as Rhysida in 2023, and operates a Ransomware as a Service (RaaS), double-extortion model. Since 2023, the group has posted around 200 victims on its data leak site, including governments, healthcare organisations, and critical infrastructure industries.
Earlier this year, the group claimed responsibility for attacks on the Oregon Department of Environmental Quality, the Cookville Regional Medical Center in Tennessee, Kansas-based healthcare provider Sunflower Medical Group, and mental illness and addiction group the Community Care Alliance.
Elsewhere, the group also hit the Maryland Department of Transportation alongside an attack on the British Library.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.