New Microsoft Teams Phishing Campaign Delivers “Oyster” Backdoor – Protect Your Network Now
A sophisticated phishing campaign is currently targeting users who search for Microsoft Teams, delivering a malicious installer disguised as the legitimate software. The campaign relies on SEO poisoning and malvertising to trick you into downloading a dangerous file, potentially compromising your entire network. Understanding how this threat works and taking proactive steps is crucial for protecting your organization.
How the Attack Works
The attackers are creating fake websites that appear in search results when users search for “Microsoft Teams download.” These sites closely mimic the official Microsoft website, making them difficult to distinguish from the real one. When you visit one of these fraudulent sites and download the file – named “MSTeamsSetup.exe” – you are actually downloading malware.
This is particularly concerning because the malicious file was digitally signed with valid code-signing certificates issued to “4th State Oy” and “NRM NETWORK RISK MANAGEMENT INC,” lending it a false appearance of legitimacy. A valid signature bypasses some security controls and increases the likelihood of a successful infection.
What Happens After Infection?
Once executed, the fake installer drops a malicious Dynamic Link Library (DLL) called “captureservice.dll” into your system’s roaming application data folder. This DLL is the core of the “Oyster” backdoor.
To ensure persistence – meaning the malware remains active even after a reboot – the installer creates a scheduled task named “CaptureService.” This task runs the malicious DLL every 11 minutes, maintaining a constant foothold on your system.
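A host triage check for the persistence and payload indicators described above, written here as an added PowerShell example rather than anything from the original article. It assumes a Windows host with the ScheduledTasks module and uses the task name, DLL name, signer names and the MSTeamsSetup.exe SHA-256 given on this page as its indicators; the directories it searches are an assumption.

```powershell
# Added triage script (not from the original article). Assumes Windows 8 / Server 2012
# or later with the ScheduledTasks module. The indicators below come from the article;
# the folders searched and the output format are assumptions.
$TaskName       = 'CaptureService'
$DllName        = 'captureservice.dll'
$KnownSha256    = '9dc86863e3188912c3816e8ba21eda939107b8823f1afc190c466a7d5ca708d1'
$SuspectSigners = @('4th State Oy', 'NRM NETWORK RISK MANAGEMENT INC')
$Findings       = @()

# 1. Persistence: a scheduled task named CaptureService (reported interval: every 11 minutes).
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
    $actions  = ($task.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ';'
    $Findings += "Scheduled task '$TaskName' present in $($task.TaskPath); interval=$interval; action=$actions"
}

# 2. Payload: captureservice.dll anywhere under the roaming AppData folder.
$roaming = [Environment]::GetFolderPath('ApplicationData')
foreach ($dll in Get-ChildItem -Path $roaming -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue) {
    $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    $Findings += "DLL found: $($dll.FullName) sha256=$hash"
}

# 3. Dropper: any MSTeamsSetup.exe in Downloads, checked by hash and by Authenticode signer.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
foreach ($exe in Get-ChildItem -Path $downloads -Filter 'MSTeamsSetup.exe' -File -ErrorAction SilentlyContinue) {
    $hash    = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
    $sig     = Get-AuthenticodeSignature -FilePath $exe.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($hash -ieq $KnownSha256) {
        $Findings += "Known malicious installer: $($exe.FullName)"
    } elseif ($SuspectSigners | Where-Object { $subject -like "*$_*" }) {
        # Signer matches one of the certificates the campaign abused; treat as suspect, not proof.
        $Findings += "Installer signed by a reported signer: $($exe.FullName) ($subject)"
    }
}

if ($Findings.Count -eq 0) { 'No Oyster indicators found on this host.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Run it in an elevated session so Get-ScheduledTask can read tasks registered by other users; a match on the signer alone warrants isolation and further analysis rather than automatic deletion.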
Why This Matters: A Growing Trend
This attack isn’t isolated. It closely mirrors previous campaigns targeting users with fake Google Chrome and Microsoft Teams installers, all delivering the same “Oyster” backdoor. This demonstrates a clear trend: threat actors are increasingly relying on SEO poisoning and malicious advertising to gain initial access to corporate networks.
They are exploiting your trust in search results and well-known brands. This is a particularly effective tactic because it bypasses traditional security defenses that focus on direct malware downloads.
What You Need to Do: Protecting Your Organization
As IT administrators and security professionals, you are prime targets for these attacks: gaining access to your credentials gives attackers a pathway to high-privilege accounts and sensitive data. Here’s how to protect yourself and your organization:
* Download Software Only from Verified Domains: Always obtain software directly from the official Microsoft website or trusted software vendors. Double-check the URL before downloading anything.
* Avoid Clicking on Search Engine Advertisements: Malvertising is a common tactic. Be wary of sponsored links in search results, even if they appear legitimate.
* Implement Robust Security Awareness Training: Educate your users about the dangers of phishing and the importance of verifying download sources.
* Employ Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it more difficult for attackers to gain access even if they compromise your credentials.
* Keep Your Security Software Up-to-Date: Ensure your antivirus and endpoint detection and response (EDR) solutions are running the latest definitions and are actively monitoring your systems.
* Regularly Scan for Threats: Conduct routine scans of your network and endpoints to identify and remove any potential malware.
Technical Details for Further Investigation
For those needing more technical details, here are the VirusTotal links for the identified malicious files:
* MSTeamsSetup.exe: https://www.virustotal.com/gui/file/9dc86863e3188912c3816e8ba21eda939107b8823f1afc190c466a7d5ca708d1
* CaptureService.dll: https://www