Hackers have used SEO poisoning and search engine advertisements to promote fake Microsoft Teams installers that install the Oyster backdoor on Windows devices, researchers reported. The activity was observed by Blackpoint SOC, according to the article.
Oyster, also tracked as Broomstick and CleanUpLoader, first appeared in mid-2023 and has been linked to multiple campaigns. The backdoor gives operators remote access to infected machines to execute commands, deploy additional payloads and transfer files, the article said. It has commonly been spread through malvertising campaigns that impersonate popular IT tools, and it has been used by ransomware operations, including examples tied to groups like Rhysida.
In the campaign highlighted by Blackpoint, ads and search results for “Teams download” pointed users to a site identified as teams-install.top that mimicked a Teams download page. Clicking the download link delivered a file named ‘MSTeamsSetup.exe’, the same filename used by the official Microsoft installer; the sample has been submitted to VirusTotal for analysis, the article said.
When run, the fake installer dropped a DLL called ‘CaptureService.dll’ into the %APPDATA%\Roaming folder and created a scheduled task named ‘CaptureService’ to execute the DLL every 11 minutes for persistence, the article reported. The DLL sample has also been submitted to VirusTotal.
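The persistence described above (a named scheduled task that re-runs a DLL dropped under %APPDATA% every 11 minutes) is the kind of artifact a defender can hunt for in Task Scheduler exports. The following is an added example, not code from the article or from Blackpoint: it triages one task exported with `schtasks /query /xml` and flags tasks that launch a DLL from a user-writable directory on a short repetition interval. The constructed sample reuses only the task name, DLL name, location and cadence from the report; the rundll32 launcher, the user name and the export name are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\|%(LOCAL)?APPDATA%|\\Temp\\|\\ProgramData\\", re.I)

# Constructed sample in the Task Scheduler XML format (what `schtasks /query /xml` writes).
# Task name, DLL name, %APPDATA% location and the 11-minute cadence come from the report;
# the rundll32 launcher, user name and export name are assumptions for illustration.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\CaptureService</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT11M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>"C:\Users\jdoe\AppData\Roaming\CaptureService.dll",Start</Arguments>
    </Exec>
  </Actions>
</Task>"""

def interval_minutes(iso):
    """Convert an ISO 8601 duration such as PT11M or P1DT2H to minutes; None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (iso or "").strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def triage_task(xml_text, max_minutes=15):
    """Return (task name, list of reasons) for one exported task; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS).lstrip("\\")
    reasons = []
    for exe in root.iterfind("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        # A living-off-the-land loader handed a DLL path is the shape of the reported task.
        if cmd.rsplit("\\", 1)[-1].lower() in LOADERS and ".dll" in args.lower():
            reasons.append(f"DLL executed via {cmd}")
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("action runs from a user-writable directory")
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        mins = interval_minutes(iv.text)
        if mins is not None and mins <= max_minutes:
            reasons.append(f"repeats every {mins:g} minutes")
    return name, reasons
```

Run it over every file written by `schtasks /query /xml` on a host and review any task that collects more than one reason; a legitimate vendor task rarely combines a loader, a profile-directory path and a minute-scale repeat.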
Researchers said the campaign resembles earlier fake Google Chrome and Microsoft Teams installers that delivered Oyster, as documented previously by others in the security community. Blackpoint concluded the activity highlights the continued abuse of SEO poisoning and malicious advertisements to deliver commodity backdoors. The article advised IT administrators to download software only from verified domains and to avoid clicking search engine advertisements.