A malvertising campaign recently documented by researchers at Rapid7 illustrates a well-worn but still effective trick: fake websites that mimic popular, reputable brands. Posing as the official download pages of well-known companies, these fraudulent sites lure victims into downloading malware or entering sensitive information under false pretenses.
The campaign uncovered by Rapid7 used malicious installers impersonating widely used software such as Google Chrome and Microsoft Teams. The installers look like the legitimate applications but actually deliver a backdoor tracked as "Oyster" (also called "Broomstick"). Once installed, the backdoor enumerates the host and can be used to stage further malicious activity on the compromised system.
In a specific instance highlighted by researchers, fake Microsoft Teams websites were used to distribute malware to unsuspecting users. The malicious actors behind these rogue sites capitalized on typosquatting to create domains that closely resembled authentic Microsoft websites. As a result, users looking to download Microsoft Teams inadvertently downloaded malware instead of the legitimate software application they were seeking.
One such site, "micrsoft-teams-download[.]com," served a binary signed with a code-signing certificate issued to Shanxi Yanghua HOME Furnishings Ltd, a company unrelated to Microsoft; a valid signature lends the file an air of legitimacy and was likely meant to lower suspicion in scanning services such as VirusTotal. A signature only proves who held the signing key, not that the signer is the vendor the download page claims to be, so the check worth making is whether the certificate's subject matches the publisher you expected. The incident shows how far attackers will go to make a malicious download look trustworthy.
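As an added example (not part of the Rapid7 report or this article), the following Python flags domains that embed, misspell or homoglyph a protected brand token, using the look-alike domain named above as one of its constructed inputs. The brand list, allowlist, homoglyph table and similarity threshold are assumptions to be replaced with an organisation's own asset inventory.

```python
"""Look-alike domain check for a set of protected brand tokens.

Added example for illustration; brand list, allowlist, homoglyph table and
thresholds are constructed assumptions, not values from the Rapid7 report.
"""
import re

BRANDS = ("microsoft", "google", "chrome", "teams")
# Domains the organisation knows to be legitimate (constructed; normally the
# vendor's registrable domains from an asset inventory).
ALLOWLIST = {"microsoft.com", "google.com"}
# Character sequences that look like another character in common fonts.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def defang(indicator: str) -> str:
    """Normalise a defanged indicator such as 'micrsoft-teams-download[.]com'
    (or 'hxxps://host/path') down to a lower-case hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://", "", s)
    s = re.sub(r"^https?://", "", s)
    return s.split("/")[0].rstrip(".")


def registrable(host: str) -> str:
    """Last two labels; a heuristic that ignores multi-part suffixes like co.uk,
    which a real implementation would resolve with the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def tokens(host: str) -> list:
    """Split everything below the TLD on dots and hyphens."""
    labels = host.split(".")
    core = ".".join(labels[:-1]) if len(labels) > 1 else host
    return [t for t in re.split(r"[-.]", core) if t]


def normalize_homoglyphs(token: str) -> str:
    for glyph, letter in HOMOGLYPHS:
        token = token.replace(glyph, letter)
    return token


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(indicator: str, brands=BRANDS, allowlist=ALLOWLIST, max_distance=1) -> list:
    """Return (token, brand, reason) triples for every suspicious token.

    Short brand tokens such as 'teams' are noisy at distance 1; tune per brand."""
    host = defang(indicator)
    if registrable(host) in allowlist:
        return []
    findings = []
    for tok in tokens(host):
        norm = normalize_homoglyphs(tok)
        for brand in brands:
            if tok == brand:
                findings.append((tok, brand, "brand-embedded"))
            elif norm == brand:
                findings.append((tok, brand, "homoglyph"))
            elif levenshtein(norm, brand) <= max_distance:
                findings.append((tok, brand, "typo"))
    return findings


if __name__ == "__main__":
    for d in ("micrsoft-teams-download[.]com", "teams.microsoft.com", "rnicrosoft.com"):
        print(d, "->", check_domain(d))
```

Run against newly registered domains or proxy logs, the allowlist keeps the vendor's real hosts quiet while the typo, homoglyph and brand-embedding rules each catch a different way of borrowing a trusted name.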
According to the Rapid7 report, the malvertising campaign delivering the Oyster malware family through fake installers dates back to September 2023. The malware collects system data, contacts its command-and-control servers, and executes code sent from them on the infected machine. It also creates a scheduled task so that it persists across reboots and runs at regular intervals, keeping the compromised system under the attacker's control.
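Scheduled-task persistence leaves a record: Windows Security event 4698 (a scheduled task was created) carries the task's full XML definition in its Task Content field. The following Python, an added example rather than anything from the Rapid7 report, scores such XML for two traits a practitioner would look for: an action that runs code from a user-writable path or proxies it through a living-off-the-land binary, and a repetition interval that keeps the task firing. The two task definitions, path markers and binary list are constructed samples, not the task this campaign created.

```python
"""Triage scheduled-task XML (as found in Security event 4698 'Task Content').

Added example; the task definitions, path markers and LOLBin list are
constructed assumptions, not indicators from the Rapid7 report.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Lower-case substrings indicating a location an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\",
                 "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%public%")
# Signed system binaries commonly used to proxy execution of a dropped payload.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}


def analyze_task(task_name: str, task_xml: str) -> dict:
    """Return the task's repetition interval and a list of findings."""
    root = ET.fromstring(task_xml)
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = (action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        arguments = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        haystack = (command + " " + arguments).lower()
        if any(marker in haystack for marker in USER_WRITABLE):
            findings.append("runs code from a user-writable location")
        binary = command.replace("/", "\\").split("\\")[-1].lower()
        if binary in LOLBINS and arguments:
            findings.append(f"proxies execution through {binary}")
    # ISO 8601 duration such as PT1H; absent for one-shot tasks.
    interval = root.findtext(".//t:Repetition/t:Interval", namespaces=NS)
    return {"task": task_name, "interval": interval, "findings": findings}


def triage(tasks) -> list:
    """tasks: iterable of (task_name, task_xml); returns only tasks with findings."""
    results = [analyze_task(name, xml) for name, xml in tasks]
    return [r for r in results if r["findings"]]


# Constructed sample task definitions (the 4698 'Task Content' payload with its
# XML declaration stripped), not real indicators.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>"C:\Users\alice\AppData\Roaming\Updater\u.dll",Run</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for hit in triage([("VendorUpdate", BENIGN_TASK_XML), ("Updater", SUSPICIOUS_TASK_XML)]):
        print(hit)
```

Feed it the Task Content of each 4698 event (or the XML under C:\Windows\System32\Tasks on a suspect host) and review the hits; a repeating task whose action lives under a user profile is the combination that warrants pulling the referenced file.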
The malware also fingerprints the infected machine with a set of enumeration functions and transmits the results to its command-and-control infrastructure. The domains it contacts are obfuscated with a combination of string reversal, byte mapping, and encoding, which keeps them out of simple string searches of the binary and forces an analyst to reconstruct the decoding routine before the infrastructure can be identified.
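To make the three primitives concrete, here is an added example (not Oyster's actual routine, whose table and layer order the report does not give here) that chains them the way a malware author might: reverse the domain, push each byte through a key-derived substitution table, then base64-encode, alongside the decoder an analyst writes once the table is recovered. The key, table derivation and sample domain are constructed.

```python
"""Layered string obfuscation of the kind described above: reverse, byte-map, encode.

Added example; the byte table, key and sample domain are constructed and the
layer order is an assumption, not Oyster's actual routine.
"""
import base64


def build_byte_map(key: bytes) -> bytes:
    """Derive a 256-byte permutation from a key with a deterministic shuffle."""
    table = list(range(256))
    j = 0
    for i in range(255, 0, -1):
        j = (j + key[i % len(key)] + table[i]) % (i + 1)
        table[i], table[j] = table[j], table[i]
    return bytes(table)


def invert_map(table: bytes) -> bytes:
    """Inverse permutation, so that x.translate(table).translate(inv) == x."""
    inv = bytearray(256)
    for plain, mapped in enumerate(table):
        inv[mapped] = plain
    return bytes(inv)


def is_permutation(table: bytes) -> bool:
    """Sanity check an analyst runs on a table pulled from a sample."""
    return len(table) == 256 and sorted(table) == list(range(256))


def obfuscate(domain: str, table: bytes) -> str:
    """Malware side: reverse the string, substitute each byte, base64-encode."""
    return base64.b64encode(domain.encode("ascii")[::-1].translate(table)).decode("ascii")


def deobfuscate(blob: str, table: bytes) -> str:
    """Analyst side: undo the layers in reverse order."""
    return base64.b64decode(blob).translate(invert_map(table))[::-1].decode("ascii")


# Constructed key and domain for demonstration only.
KEY = b"example-key"
TABLE = build_byte_map(KEY)
SAMPLE_DOMAIN = "c2.example.test"

if __name__ == "__main__":
    blob = obfuscate(SAMPLE_DOMAIN, TABLE)
    print("embedded blob:", blob)
    print("recovered    :", deobfuscate(blob, TABLE))
```

One observation that saves effort during analysis: a per-byte substitution does not depend on position, so the reversal and the byte map commute and it does not matter which of the two the author applied first. Only the encoding layer's position has to be worked out, and recovering the 256-byte table (usually a static array in the binary) is the real task.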
Notably, the campaign exploited no software vulnerability. It relied entirely on social engineering: malicious advertisements, look-alike domains, convincing brand impersonation and a signed installer were enough to persuade users to run the payload themselves.
Defending against this kind of campaign is therefore mostly a matter of habit and verification. Navigate to a vendor's download page directly rather than through a search advertisement, check that the domain is one the vendor actually uses, and confirm that a downloaded installer is signed by the expected publisher rather than merely signed. Users who apply those checks are far less likely to fall victim to campaigns like the one Rapid7 uncovered.

