Hackers Distribute Malicious Microsoft Teams to Gain Remote Access

Security researchers at Blackpoint have recently warned about a new malware distribution campaign, where hackers use sponsored Google ads or SEO - Search Engine Optimization tricks to lure users into downloading a fake installation version of Microsoft Teams.

Detailed Information

The goal of this fake Microsoft Teams distribution campaign is to spread the Oyster backdoor (also known as Broomstick). By modifying the original installer from the publisher, hackers have successfully trojanized Microsoft Teams, turning it into a tool to widely distribute the backdoor, with the number of infected victims increasing exponentially.

The tactic used by hackers to spread the malware is very simple. By exploiting sponsored Google ads or SEO - Search Engine Optimization tricks, whenever a user searches for terms related to downloading Microsoft Teams software like "teams download," "download teams," etc., a fake download page appears at the top of the search results. This lures users to access and download from it. According to the report, one of the fake websites recorded is teams-install[.]top.

When users execute the MSTeamsSetup.exe file downloaded from the fake website, the Oyster backdoor is immediately deployed on the victim's system. The Oyster backdoor is a multistage malware with a modular structure designed to maintain long-term remote access to the compromised system. The deployment process of this malware can be divided into the following main parts:

1. The malware drops a DLL file named CaptureService.dll into a random folder within the %APPDATA%\Roaming path. The %APPDATA% folder is hidden on Windows, so any folders within it are hidden from the user's view, making it harder to detect unusual activity for those without in-depth knowledge of computers and operating systems.

2. It creates a Scheduled Task named CaptureService to automatically trigger the DLL, ensuring long-term presence on the infected system. Additionally, this automated task is configured to frequently use the rundll32.exe process, so the malicious DLL is continuously called, allowing hackers to access the victim's system at will as the connection to the Oyster backdoor remains open.

3. It connects to the hacker's C2 server. Through the backdoor, hackers can easily collect sensitive data such as information about the victim's system, documents stored on the system, or even deploy additional malware on the system, causing severe security damage.

Remediation & Recommendations

Security researchers recommend that users should:

• Download legitimate software: Only download and install software from the publisher's official website. Use bookmarks to directly access legitimate websites instead of indirect access through search results or ads.

• Use security software: Utilize reputable security software to immediately alert and block unsigned installers or those with untrustworthy digital signatures.

• Increase awareness: Enhance personal awareness of cyber threats, understand the risks of SEO poisoning and malvertising to minimize the chance of falling victim to dangerous malware campaigns.

• Use security services: Employ 24/7 security monitoring services to easily detect early signs such as unusual Scheduled Tasks, strange folders created in the %APPDATA% directory, or suspicious connections to hacker C2 servers through network traffic monitoring.

IOCs

Reference

1. https://blackpointcyber.com/blog/malicious-teams-installers-drop-oyster-malware/