In July, the Rhysida ransomware group was observed using the Oyster backdoor malware as part of its attacks. This tactic is part of a broader malvertising campaign first reported in June by security researchers. In this new campaign, fake websites that imitate download pages for software such as Microsoft Teams trick users into downloading what they believe are legitimate copies of the software; instead, the files are malicious installers that drop the Oyster backdoor on the victim’s system.
What’s Notable and Unique
- Oyster malware – also known as Broomstick – uses a loader that looks like a legitimate software installer. When a user downloads the loader, the installer deploys the Oyster backdoor, which allows the threat actor to gather information about the victim’s system and steal credentials.
- Although researchers observed Rhysida using the Oyster backdoor in an attack in July, Arete has observed the ransomware group using this technique since at least May 2024.
- Rhysida is a ransomware-as-a-service (RaaS) that has been active since May 2023, but Arete has observed that the group has been considerably more active in 2024, with a notable spike in activity between June and August. Most recently, the group was responsible for the attack against the Port of Seattle in August, which disrupted systems at Seattle-Tacoma International Airport and resulted in several flight delays.
Analyst Comments
This recent malvertising campaign is a prime example of threat groups actively using search engine optimization (SEO) poisoning to lure victims to legitimate-looking websites and trick them into downloading malware. Although this technique is used by a variety of actors, Rhysida has found recent success in using it to gain access to multiple victim systems and will likely continue to do so for as long as it remains effective. Even when using common search engines like Google, users should pay attention to any links that contain typos or otherwise seem suspicious. Employing active endpoint detection and response solutions is also critical to disrupting threat actor activity and mitigating the risk of a cyber-attack.
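As an added example (not part of Arete's bulletin), the following Python check scans proxy-log lines for installer downloads from hosts that imitate the Microsoft brand but are not on a trusted-domain allowlist, which is the kind of lure this campaign relies on. The allowlist, brand tokens, and log lines are assumptions constructed for the example; a real allowlist comes from the vendor and the IT software inventory.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of registrable domains treated as legitimate download sources.
TRUSTED_DOMAINS = {"microsoft.com"}
# Brand tokens to look for in untrusted hosts; tune per organisation (assumption).
BRAND_TOKENS = ("microsoft", "msteams")
INSTALLER_EXT = (".exe", ".msi", ".msix")
# Common digit-for-letter substitutions mapped back to plain spelling.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample proxy log: "<timestamp> <user> GET <url>".
SAMPLE_PROXY_LOG = [
    "2024-07-01T09:12:03Z alice GET https://teams.microsoft.com/downloads/desktopapp/TeamsSetup.exe",
    "2024-07-01T09:15:44Z bob GET https://teams-microsoft.example/download/MSTeamsSetup.exe",
    "2024-07-01T09:20:10Z carol GET https://micr0soft.test/teams/TeamsSetup.msi",
    "2024-07-01T09:22:51Z dave GET https://intranet.example/wiki/teams-howto.html",
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine here, not for multi-label public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(host: str) -> str:
    """Undo digit substitutions, 'rn' for 'm', and separator padding before matching."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("-", "").replace("_", "")


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'other' for a download URL."""
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # A brand name inside an untrusted host (after de-obfuscation) is the signal.
    if any(tok in normalize(host) for tok in BRAND_TOKENS):
        return "lookalike"
    return "other"


def suspicious_downloads(log_lines):
    """Return (user, url) pairs for installer downloads from brand look-alike hosts."""
    hits = []
    for line in log_lines:
        m = re.match(r"\S+ (\S+) GET (https?://\S+)", line)
        if not m:
            continue
        user, url = m.groups()
        if classify(url) == "lookalike" and urlparse(url).path.lower().endswith(INSTALLER_EXT):
            hits.append((user, url))
    return hits
```

Alerts from this check are a starting point for the EDR investigation the bulletin recommends, not a verdict on their own.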
Sources
Arete Internal Data
Rhysida using Oyster Backdoor to deliver ransomware
Malvertising Campaign Leads to Execution of Oyster Backdoor
Port of Seattle hit by Rhysida ransomware in August attack