National Cyber Warfare Foundation (NCWF) Forums


Malvertising Campaign Leads to Execution of Oyster Backdoor


2024-06-17 20:38:06
milo
Red Team (CNA)



The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev.

Executive Summary


Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads.


In this blog post, we will examine the delivery methods of the Oyster backdoor, provide an in-depth analysis of its components, and offer a Python script to help extract its obfuscated configuration.


Overview


Initial Access


In three separate incidents, Rapid7 observed users downloading supposed Microsoft Teams installers from typo-squatted websites. Users were directed to these websites after using search engines such as Google and Bing to look for Microsoft Teams software downloads. Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software.



Figure 1 - Fake Microsoft Teams Website


In one case, a user was observed navigating to the URL hxxps://micrsoft-teams-download[.]com/, which led to the download of the binary MSTeamsSetup_c_l_.exe. Initial analysis of MSTeamsSetup_c_l_.exe showed that the binary was signed with an Authenticode certificate issued to “Shanxi Yanghua HOME Furnishings Ltd”.



Figure 2 - MSTeamsSetup_c_l_.exe File Information


Searching VirusTotal for other files signed by “Shanxi Yanghua HOME Furnishings Ltd” showed the following:



Figure 3 - VirusTotal Signature Search Results


The results indicated other versions of the installer, each impersonating a legitimate software installer. We observed that the first installer was submitted to VirusTotal around mid-May 2024.


In a related incident that occurred on May 29, 2024, we observed another binary posing as a Microsoft Teams setup file, TMSSetup.exe, which was signed with a valid certificate issued to “Shanghai Ruikang Decoration Co., Ltd”. As of May 30, 2024, that certificate has been revoked.


VirusTotal analysis of the binary MSTeamsSetup_c_l_.exe indicates it is associated with a malware family known as Oyster, dubbed Broomstick by IBM.


What is Oyster/Broomstick?


Oyster, aka Broomstick, aka CleanUpLoader, is a family of malware first spotted in September 2023 by researchers at IBM. While not much is known about the malware, it was delivered via a loader called Oyster Installer, which masqueraded as a browser installer. The installer was responsible for dropping the backdoor component, Oyster Main, which gathered information about the compromised host, handled communication with the hard-coded command-and-control (C2) addresses, and provided remote code execution capability.


In February, researchers on Twitter observed the same backdoor component and began referring to the Oyster Main backdoor as CleanUpLoader.


In recent incidents, Rapid7 has observed Oyster Main being delivered without the Oyster Installer.


Technical Analysis


Initial analysis of the binary MSTeamsSetup_c_l_.exe revealed that two binaries were stored within its resource section. During execution, a function was observed using FindResourceA to locate the binaries, followed by LoadResource to access them. These binaries were then dropped into the Temp folder. We observed that the intended names of the two binaries dropped by MSTeamsSetup_c_l_.exe were CleanUp30.dll and MSTeamsSetup_c_l_.exe (the legitimate Microsoft Teams installer).


After dropping the binary CleanUp30.dll into the Temp directory, the program executes the DLL, passing the string rundll32.exe %s,Test to the function CreateProcessA, where %s stores the value CleanUp30.dll.



Figure 4 - Execution of CleanUp30.dll


After the execution of CleanUp30.dll, the program proceeds to initiate the legitimate Microsoft Teams installer, MSTeamsSetup_c_l_.exe, also located within the Temp directory. This tactic is employed to avoid raising suspicion from the user.


CleanUp30.dll Analysis


During the execution of CleanUp30.dll, Rapid7 observed that the binary starts by attempting to create the hard-coded mutual exclusion object (mutex) ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1. Programs often create a mutex to determine whether another instance is already running; if one is, the new instance terminates.


After creating the mutex, the binary determines its own path by calling the function GetModuleFileNameA. The value is stored as a string and used as a parameter when creating a scheduled task named ClearMngs. The scheduled task is created using the function ShellExecuteExW, passing the following as the command line:


schtasks.exe /create /tn ClearMngs /tr "rundll32 '\CleanUp30.dll',Test" /sc hourly /mo 3 /f


The scheduled task ClearMngs executes the binary \CleanUp30.dll through rundll32.exe, calling its exported function Test, every three hours.


After the creation of the scheduled task, the binary proceeds to decode its C2 servers using a unique decoding function. The decoding function takes in a string of encoded characters and its length in bytes. It then reads each byte, starting from the end of the encoded string.



Figure 5 - The DLL’s decoding loop.


Each byte of the encoded string is used as an index to retrieve the decoded byte from a hard-coded byte map. A byte map is a byte array containing 256 bytes in a randomized order, one for each of the 256 possible byte values. Malware authors sometimes use this technique to obfuscate strings and other data. The iteration counter (i) in the decoding loop’s condition is compared to half of the encoded string’s length because the loop swaps two bytes at a time: the bytes of the encoded string are decoded and swapped beginning at the first and last bytes, and the loop progresses towards the center of the string from each end.


The loop swaps the bytes to reverse the decoded string, because the original plaintext strings stored in the malware were reversed prior to encoding. When the center of the string is reached, the decoding process is complete. Because the loop works in pairs from both ends, all the encoded strings passed to it must be of even length to avoid further processing. Immediately after the decoded string is loaded onto the stack, the malware re-encodes it using a similar loop. The final result for the first decoded string is a carriage return line feed (CRLF) delimited list of C2 domains.
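The decoding routine described above, written out as an added example; this is not the original post's code and not Rapid7's GitHub script. The malware's actual 256-byte map is not reproduced in the post, so the example substitutes a bit-reversal table (each byte value mapped to the value with its eight bits in reverse order) as a constructed stand-in. That choice is an assumption, but in my own checking it reproduces the hex/decoded pairs listed further down in the post (d2f2 decodes to OK, and the rundll32 and domain rows decode as shown), and for the odd-length samples such as api/connect the middle byte appears unchanged in the hex, which is exactly what a two-ended swap loop leaves behind. The encode_text helper mirrors the re-encoding step using the inverse table, so it works for any permutation, not only one that is its own inverse.

```python
"""Decoder for the CleanUp30.dll string obfuscation described above.

Added example, not the original post's script. The routine reverses each
plaintext string and substitutes every byte through a hard-coded 256-byte
map, walking the buffer from both ends and swapping as it goes. The real map
is not reproduced in the post; a bit-reversal table is used here as a
constructed stand-in (assumption, but it reproduces the published samples).
"""


def bit_reverse_table() -> bytes:
    """Stand-in byte map: value -> the same eight bits in reverse order,
    so 0x4B ('K') becomes 0xD2. A real sample would use the table lifted
    from the binary instead."""
    return bytes(int(f"{v:08b}"[::-1], 2) for v in range(256))


BYTE_MAP = bit_reverse_table()
# Inverse permutation, so encoding works for any byte map, not only one
# that happens to be its own inverse (bit reversal is).
INVERSE_MAP = bytes(BYTE_MAP.index(v) for v in range(256))


def decode_buffer(data: bytes, byte_map: bytes = BYTE_MAP) -> bytes:
    """Mirror of the DLL's loop: for i below len/2, map the bytes at both ends
    through the table and swap them. With an odd length the middle byte is
    never touched, which is why it shows up unchanged in odd-length samples."""
    buf = bytearray(data)
    n = len(buf)
    for i in range(n // 2):
        j = n - 1 - i
        buf[i], buf[j] = byte_map[buf[j]], byte_map[buf[i]]
    return bytes(buf)


def decode_hex(hex_string: str, byte_map: bytes = BYTE_MAP) -> str:
    return decode_buffer(bytes.fromhex(hex_string), byte_map).decode("latin-1")


def encode_text(plaintext: str, inverse_map: bytes = INVERSE_MAP) -> str:
    """The re-encoding step: same two-ended loop with the inverse table.
    Returns lowercase hex, matching the table format in the post."""
    return decode_buffer(plaintext.encode("latin-1"), inverse_map).hex()


# Hex/decoded pairs copied from the post's table (the domain row also carries
# the trailing CRLF that the post's table omits).
SAMPLES = {
    "d2f2": "OK",
    "2ec6a676766fc6f4960e86": "api/connect",
    "a61ea6744ccc36362676ae4e3a2c6ceaf2eace9eca3a": "\\SysWOW64\\rundll32.exe",
    "50b0b6f6c674a646a6b6f6164ea66ea64ea616ee": "whereverhomebe.com\r\n",
}


def check_samples() -> dict:
    """Decode every sample and report whether it matches the published text."""
    return {h: decode_hex(h) == plain for h, plain in SAMPLES.items()}


def round_trip(plaintext: str) -> bool:
    """Encode then decode; holds for odd lengths too since both loops skip
    the middle byte."""
    return decode_hex(encode_text(plaintext)) == plaintext


if __name__ == "__main__":
    for h, ok in check_samples().items():
        print(f"{h:<46} {decode_hex(h)!r:<30} {'ok' if ok else 'MISMATCH'}")
    # Constructed fingerprint in the JSON shape the DLL builds, not real data.
    fingerprint = '{"id":"1","computer_name":"HOST01","privilege":"admin"}'
    print("round trip:", round_trip(fingerprint))
```

Running the module prints each sample with its decoded text; the domain sample shows the CRLF terminator that makes the first decoded string a CRLF-delimited domain list. To use this against a real sample, replace bit_reverse_table with the 256-byte array recovered from the binary and the rest of the code is unchanged.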


We constructed a Python script that can decode all the encoded strings contained within the CleanUp.dll binaries, including previous versions. The Python script can be found in our GitHub repository.



Figure 6 - Sample Output from Python Script


Running our Python script revealed some of the C2 functionality, along with several JSON fields that are used to build a fingerprint of the infected system:


Hex Encoded String | Decoded String
2ec6a676766fc6f4960e86 | api/connect
50b0aea6747686b64eaef69e2ec6a64e96262ea64e | supfoundrysettlers.us
50b0b6f6c674a646a6b6f6164ea66ea64ea616ee | whereverhomebe.com
50b0ceae74ce4ea6362e2ea6ce9e4e2676aef6660eaece | retdirectyourman.eu
76f6ce56f476f6962e86c696360e0e86045ca60e9e2ab42e76a62e76f6c2 | Content-Type: application/json
76f696cece65cef4960e86 | api/session
a61ea67426b6c63a346ceaf2eace9eca3a | \SysWOW64\cmd.exe
a61ea6744ccc36362676ae4e3a2c6ceaf2eace9eca3a | \SysWOW64\rundll32.exe
d2f2 | OK
3a0eb6a62a3a | \Temp\
445c442696fa267686b6b6f6c6443444 | ","command_id":"
be44 | "}
445c44649644de | {"id":"
445c442e36aecea64e443444 | ","result":"
445c442696fa76f696cecea6ce443444 | ","session_id":"
445c44ceae2e862ece443444 | ","status":"
2e1e2e740eae7686a636c63a | \cleanup.txt
445c44a6b68676fa4e652eae0eb6f6c6443444 | ","computer_name":"
0ccc445c4476f696ce72a66efa363626443444 | ","dll_version":"30
445c44769686b6f626443444 | ","domain":"
be44 | "}
445c44649644de | {"id":"
445c443686c6f636fa0e96443444 | ","ip_local":"
445c44cef6443444 | ","os":"
445c44263696ae46facef6443444 | ","os_build":"
445c44a6e6a636656e964e0e443444 | ","privilege":"

After the binary decodes the C2 addresses, the program proceeds to fingerprint the infected machine, using the following functions:


Function | Description
DsRoleGetPrimaryDomainInformation | Used to gather information about the domain the compromised machine resides in. In particular, the function returns the domain name.
GetUserNameW | Provides the name of the user under which the program is running.
NetUserGetInfo | Provides details of the user under which the program is running. In this case, the program is querying whether the user is an admin or a standard user.
GetComputerNameW | Provides the name of the compromised machine on which the binary is running.
RtlGetVersion | Returns version information about the currently running operating system, including name and version number.


Figure 7 - A Selection of Contents of the CleanUp30.dll Code that Outline the Collection of System Information


As the host is enumerated, the information is stored in the JSON fields uncovered from the encoded strings identified above.



Figure 8 - Example of the Data Collected and Sent via HTTP POST to the Malicious Domains


The fingerprint information is encoded using the same loop previously discussed, where the data string is reversed and encoded using a byte map before being sent.


After the information is encoded, it is sent to the domains whereverhomebe[.]com/, supfoundrysettlers[.]us/, and retdirectyourman[.]eu/ via the HTTP POST method. Rapid7 determined that CleanUp30.dll uses the open-source C++ library Boost.Beast to communicate with the observed C2 domains over HTTP and WebSockets.



Figure 9 - Captured Network Traffic Attempting to Send POST Requests to whereverhomebe[.]com/ and supfoundrysettlers[.]us/ Following the Execution of CleanUp30.dll


Follow-on Activity


In one of the incidents Rapid7 observed, a PowerShell script was spawned following the execution of CleanUp.dll, another version of CleanUp30.dll. Like CleanUp30.dll, CleanUp.dll was originally dropped into the AppData/Local/Temp directory, in this case by the other fake Microsoft Teams installer, TMSSetup.exe.



Figure 10 - PowerShell Command Creating .lnk File DiskCleanUp.lnk


The purpose of the PowerShell script was to create a shortcut LNK file named DiskCleanUp.lnk within C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. This ensured that DiskCleanUp.lnk would run each time the user logged in. The shortcut was responsible for executing the binary CleanUp.dll using rundll32.exe, passing the export Test.

Following the execution of the PowerShell script, Rapid7 observed execution of additional payloads:



  • k1.ps1

  • main.dll

  • getresult.exe


Unfortunately, during the incident, we were unable to acquire the additional payloads. During the incidents, Rapid7 also observed execution of the following enumeration commands:


Enumeration | Description
systeminfo | Provides information about the system's software and hardware configuration
arp -a | Shows a list of all IP addresses that the local computer has recently interacted with, along with their corresponding MAC addresses
net group 'domain computers' /domain | Lists the "Domain Computers" group within an Active Directory domain
"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com | Determines the external IP address
whoami /all | Provides detailed information about the current user, including the user's privileges, group memberships, and security identifiers (SIDs)
nltest /dclist: | Lists all the domain controllers (DCs) for a specific domain
net user admin | Provides detailed information about the user 'admin', including profile information, group memberships, local group memberships, etc.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s | Queries the registry to find information about installed software
findstr "DisplayName" | Used to filter information, showing only items contained under "DisplayName"

Rapid7 Customers


InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:



  • Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory

  • Suspicious Process: RunDLL32 launching CMD or PowerShell

  • Persistence - Schtasks.exe Creating Task That Executes RunDLL32

  • Network Discovery - Nltest Enumerate Domain Controllers

  • Attacker Technique - Determining External IP Via Command Line

  • Suspicious Process - .lnk in PowerShell Command Line
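As an added example (not Rapid7's detection content and not the original post's code), the following Python applies rules in the spirit of the detections listed above to constructed process-creation events: schtasks creating a task that points rundll32 at a DLL under a Temp or Roaming path, rundll32 calling an export from a user-writable directory, rundll32 spawning cmd or PowerShell, the nltest and nslookup enumeration commands from the table above, and a PowerShell command line referencing a .lnk file. All sample events, user names and file paths are constructed; the field layout (image, command line, parent image) is what a Sysmon Event ID 1 record or an EDR process log provides, and the two benign look-alike events at the end show what the rules are expected to ignore.

```python
"""Constructed process-event detections for the behaviours in this post.

Added example, not Rapid7's rule set. Each event carries the image path,
command line and parent image, the fields a Sysmon Event ID 1 record or an
EDR process log provides. All sample events, users and paths are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


# Directories an ordinary user can write to; a DLL launched from here is
# far more suspicious than one under System32 or Program Files.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Temp)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_rundll32_user_dir(e: Event) -> bool:
    """schtasks /create whose action runs rundll32 on a DLL in Temp/Roaming
    (the ClearMngs task described earlier in the post)."""
    cl = e.cmdline.lower()
    return (basename(e.image) == "schtasks.exe" and "/create" in cl
            and "rundll32" in cl and USER_WRITABLE.search(e.cmdline) is not None)


def rundll32_export_user_dir(e: Event) -> bool:
    """rundll32 invoked on a user-writable DLL with an explicit export
    (the 'CleanUp30.dll,Test' pattern)."""
    return (basename(e.image) == "rundll32.exe"
            and USER_WRITABLE.search(e.cmdline) is not None
            and re.search(r"\.dll\W*,\s*\w+", e.cmdline, re.I) is not None)


def rundll32_spawns_shell(e: Event) -> bool:
    return (basename(e.parent_image) == "rundll32.exe"
            and basename(e.image) in {"cmd.exe", "powershell.exe"})


def external_ip_via_nslookup(e: Event) -> bool:
    return basename(e.image) == "nslookup.exe" and "myip.opendns.com" in e.cmdline.lower()


def nltest_dclist(e: Event) -> bool:
    return basename(e.image) == "nltest.exe" and "/dclist" in e.cmdline.lower()


def powershell_lnk(e: Event) -> bool:
    return basename(e.image) == "powershell.exe" and ".lnk" in e.cmdline.lower()


RULES = {
    "Persistence - SchTasks task pointed at Temp or Roaming": schtasks_rundll32_user_dir,
    "Persistence - RunDLL32 export from user-writable path": rundll32_export_user_dir,
    "Suspicious Process - RunDLL32 launching CMD or PowerShell": rundll32_spawns_shell,
    "Attacker Technique - External IP via command line": external_ip_via_nslookup,
    "Network Discovery - Nltest enumerate domain controllers": nltest_dclist,
    "Suspicious Process - .lnk in PowerShell command line": powershell_lnk,
}


def evaluate(events):
    """Return (rule name, command line) for every rule that fires."""
    return [(name, e.cmdline) for e in events for name, rule in RULES.items() if rule(e)]


def hits_per_rule(events):
    counts = {name: 0 for name in RULES}
    for name, _ in evaluate(events):
        counts[name] += 1
    return counts


SYS32 = r"C:\Windows\System32"
TEMP = r"C:\Users\victim\AppData\Local\Temp"      # constructed path
SAMPLE_EVENTS = [
    # Task creation as quoted in the post, with a constructed Temp path filled in
    Event(SYS32 + r"\schtasks.exe",
          r"""schtasks.exe /create /tn ClearMngs /tr "rundll32 '""" + TEMP
          + r"""\CleanUp30.dll',Test" /sc hourly /mo 3 /f""",
          SYS32 + r"\rundll32.exe"),
    Event(SYS32 + r"\rundll32.exe", "rundll32.exe " + TEMP + r"\CleanUp30.dll,Test",
          r"C:\Users\victim\Downloads\MSTeamsSetup_c_l_.exe"),
    Event(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
          r'powershell.exe -w hidden -c "<constructed script writing ...\Startup\DiskCleanUp.lnk>"',
          SYS32 + r"\rundll32.exe"),
    Event(SYS32 + r"\nslookup.exe",
          r'"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com',
          SYS32 + r"\cmd.exe"),
    Event(SYS32 + r"\nltest.exe", "nltest /dclist:", SYS32 + r"\cmd.exe"),
    # Benign look-alikes that must not fire
    Event(SYS32 + r"\schtasks.exe",
          r'schtasks.exe /create /tn Updater /tr "C:\Program Files\Vendor\update.exe" /sc daily',
          SYS32 + r"\msiexec.exe"),
    Event(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -Command Get-Process", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, cmdline in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cmdline}")
```

The parent-image check is what separates the rundll32-spawning-shell rule from a generic PowerShell alert; in production the same rules would be fed from your process-creation telemetry rather than the constructed list, and the user-writable path pattern should be extended with any other directories your environment allows users to write to.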


MITRE ATT&CK Techniques


Tactic | Technique | Description
Resource Development | Acquire Infrastructure: Domains (T1583.001) | Threat actor set up the typo-squatted domain micrsoft-teams-download[.]com in order to aid in the delivery of the executable MSTeamsSetup_c_l_.exe
Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | Used to create the .lnk file DiskCleanUp.lnk and execute the PowerShell payload k1.ps1
Execution | User Execution: Malicious File (T1204.002) | User executes the binary MSTeamsSetup_c_l_.exe
Persistence | Scheduled Task (T1053.005) | CleanUp30.dll and CleanUp.dll create the scheduled task ClearMngs
Defense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | MSTeamsSetup_c_l_.exe masquerades as the legitimate Microsoft Teams installer
Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow
Collection | Data from Local System (T1005) | Threat actors enumerated information about compromised hosts using the backdoor CleanUp DLLs
Command and Control | Data Encoding: Non-Standard Encoding (T1132.002) | CleanUp DLLs send encoded data to C2s using a unique encoding function

IOCs


IOC | Hash | Description
TMSSetup.exe | 9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43 | The malicious executable downloaded from prodfindfeatures[.]com/
MSTeamsSetup_c_l_.exe | 574C70E84ECDAD901385A1EBF38F2EE74C446034E97C33949B52F3A2FDDCD822 | The malicious executable downloaded from prodfindfeatures[.]com/
CleanUp30.dll | CFC2FE7236DA1609B0DB1B2981CA318BFD5FBBB65C945B5F26DF26D9F948CBB4 | The .dll file that is run by rundll32.exe following the execution of MSTeamsSetup_c_l_.exe
CleanUp.dll | 82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94 | The .dll file that is run by rundll32.exe following the execution of TMSSetup.exe
DiskCleanUp.lnk | b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa | An .lnk file that was created following the execution of CleanUp30.dll
prodfindfeatures[.]com/ | - | The domain hosting the malicious files TMSSetup (1).exe and MSTeamsSetup_c_l_.exe
micrsoft-teams-download[.]com/ | - | The typo-squatted domain that users visited
impresoralaser[.]pro/ | - | Part of the domain redirect chain for downloads of TMSSetup (1).exe and MSTeamsSetup_c_l_.exe
whereverhomebe[.]com/ | - | Domain that CleanUp30.dll and CleanUp.dll attempt to communicate with
supfoundrysettlers[.]us/ | - | Domain that CleanUp30.dll and CleanUp.dll attempt to communicate with
retdirectyourman[.]eu/ | - | Domain that CleanUp30.dll and CleanUp.dll attempt to communicate with
149.248.79[.]62 | - | Resolving IP for whereverhomebe[.]com/
64.95.10[.]243 | - | Resolving IP for supfoundrysettlers[.]us/
206.166.251[.]114 | - | Resolving IP for retdirectyourman[.]eu/

References


Article | URL
Broomstick Malware Profile | https://exchange.xforce.ibmcloud.com/malware-analysis/guid:08822f57c12416bc3e74997c473d1889
Twitter Mention of CleanUpLoader | https://x.com/RussianPanda9xx/status/1757932257765945478



Source: Rapid7
Source Link: https://blog.rapid7.com/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.