
Fake Microsoft Teams installers push Oyster malware via malvertising

Hackers have been spotted using SEO poisoning and search engine advertisements to promote fake Microsoft Teams installers that infect Windows devices with the Oyster backdoor, providing initial access to corporate networks.

The Oyster malware, also known as Broomstick and CleanUpLoader, is a backdoor that first appeared in mid-2023 and has since been linked to multiple campaigns. The malware provides attackers with remote access to infected devices, allowing them to execute commands, deploy additional payloads, and transfer files.

Oyster is commonly spread through malvertising campaigns that impersonate popular IT tools, such as PuTTY and WinSCP. Ransomware operations, like Rhysida, have also used the malware to breach corporate networks.

Fake Microsoft Teams installer pushes malware

In a new malvertising and SEO poisoning campaign spotted by Blackpoint SOC, threat actors are promoting a fake site that appears when visitors search for "Teams download."

Malicious Microsoft Teams download site in Bing

Source: Blackpoint

While the ads and domain do not spoof Microsoft's domain, they lead to a website at teams-install[.]top that impersonates Microsoft's Teams download site. Clicking the download link downloads a file called "MSTeamsSetup.exe," the same filename used by the official Microsoft download.

Fake Microsoft Teams site pushing Oyster malware installer

Source: Blackpoint
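Because the fake installer carries the same filename as the official one, the filename alone cannot separate them, but the download origin can. The sketch below is an added example, not code from the article or from Blackpoint: it parses the Zone.Identifier (Mark of the Web) stream that Windows browsers attach to downloaded files and flags a watched installer name whose recorded origin is outside a trusted list. The trusted domains, the function names and the sample stream contents are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: names to watch; only MSTeamsSetup.exe comes from the article.
WATCHED_NAMES = {"msteamssetup.exe"}
# Assumption: domains accepted as the installer's origin; set these locally.
TRUSTED_SUFFIXES = ("microsoft.com", "office.net")

# Constructed samples of a file's Zone.Identifier stream (not from the article).
FAKE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
        "ReferrerUrl=https://teams-install.example/\r\n"
        "HostUrl=https://cdn.teams-install.example/MSTeamsSetup.exe\r\n")
GOOD = ("[ZoneTransfer]\r\nZoneId=3\r\n"
        "ReferrerUrl=https://www.microsoft.com/\r\n"
        "HostUrl=https://statics.teams.cdn.office.net/MSTeamsSetup.exe\r\n")


def parse_zone_identifier(text):
    """Parse the INI-style stream into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def host_is_trusted(url):
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Accept the domain itself or a true subdomain, never a bare string suffix,
    # so "microsoft.com.evil.example" and "notmicrosoft.com" do not pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage(filename, zone_text):
    """Return (verdict, reason) for one downloaded file."""
    if filename.lower() not in WATCHED_NAMES:
        return ("ignore", "filename not watched")
    fields = parse_zone_identifier(zone_text)
    urls = [fields[k] for k in ("hosturl", "referrerurl") if k in fields]
    urls = [u for u in urls if urlsplit(u).scheme in ("http", "https")]
    if not urls:
        # No web origin recorded (stream missing or stripped): needs a human look.
        return ("review", "no origin URL recorded")
    bad = [u for u in urls if not host_is_trusted(u)]
    if bad:
        return ("alert", "untrusted origin: " + ", ".join(bad))
    return ("ok", "all recorded origins trusted")
```

On an endpoint, the stream text can be collected with PowerShell's `Get-Content -Stream Zone.Identifier` and passed to `triage` together with the file name.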
