In three incidents, attackers used typosquatted websites imitating legitimate Microsoft Teams download pages to trick users into downloading malware; the sites served files with names such as “MSTeamsSetup_c_l_.exe” and “TMSSetup.exe” to further deceive users.
The malware was signed with fraudulently issued Authenticode certificates, the kind normally used to sign legitimate software, to make it appear trustworthy. Analysis showed that the malware belongs to the Oyster family, also known as Broomstick, indicating a campaign aimed at users searching for Microsoft Teams downloads.
Oyster, also known as Broomstick and CleanUpLoader, is a backdoor malware family first detected in September 2023. It uses a disguised browser installer, Oyster Installer, to deploy its core component, Oyster Main.
Oyster Main gathers information about the infected system, communicates with pre-defined command-and-control (C2) servers, and provides remote code execution. Recent observations suggest a shift in which Oyster Main is distributed independently of the Oyster Installer.
The malicious MSTeamsSetup_c_l_.exe poses as a legitimate Microsoft Teams installer and embeds two hidden binaries: CleanUp30.dll and another copy of itself.
Upon execution, MSTeamsSetup_c_l_.exe locates the embedded resources with the Windows API functions FindResourceA and LoadResource and writes them to the Temp folder.
It then runs CleanUp30.dll via rundll32.exe and, alongside it, launches the legitimate Microsoft Teams installer, most likely so that the user sees the expected installation and does not become suspicious while the infection proceeds.
CleanUp30.dll creates a mutex to check whether another instance is already running, then creates a scheduled task named ClearMngs that runs it every 3 hours via rundll32. The task calls CleanUp30.dll’s Test function.
To reach its C2 servers, the DLL uses a custom decoding routine: it iterates through a byte-encoded string in reverse order and uses a hardcoded byte map to replace each byte with its decoded value, so the C2 addresses stored in the binary are obfuscated at rest.
Researchers at Rapid7 analyzed a related sample (CleanUp.dll) that uses the same custom decoding algorithm to hide its C2 server addresses. The malware iterates through each encoded string, reversing the byte order as it decodes, and stops when it reaches the center of the string (the encoded strings are kept at an even length).
After decoding, it re-encodes the string with the same method. A Python script was written to decode the hidden C2 addresses and the host fingerprint, which consists of the domain name, username, privilege level (admin or user), computer name, and OS version.
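The decoding routine described above, modeled as an added example (this is not Rapid7’s script or code from the sample): the string is walked from both ends toward the center, each pair of bytes is swapped and passed through a lookup table, and because the table is self-inverse the same routine both decodes and re-encodes. The real byte map is not given on the page, so BYTE_MAP below is a constructed placeholder built from a fixed seed.

```python
import random


def build_involutive_map(seed: int = 1337) -> bytes:
    """Constructed stand-in for the malware's hardcoded 256-entry byte map.

    The real table is not reproduced on the page. Bytes are paired up so
    that table[table[b]] == b for every b; a self-inverse table is what
    lets the sample re-encode with the very same routine it decodes with.
    """
    order = list(range(256))
    random.Random(seed).shuffle(order)
    table = bytearray(256)
    for a, b in zip(order[0::2], order[1::2]):
        table[a], table[b] = b, a
    return bytes(table)


BYTE_MAP = build_involutive_map()


def oyster_decode(buf: bytes, byte_map: bytes = BYTE_MAP) -> bytes:
    """Walk the string from both ends toward the center, swapping the two
    positions and replacing each byte through the table.

    The loop stops at the center, so an odd-length string would leave its
    middle byte unprocessed; the sample therefore works on even-length
    strings, and this model rejects anything else.
    """
    if len(buf) % 2:
        raise ValueError("decoder expects an even-length string")
    out = bytearray(buf)
    lo, hi = 0, len(out) - 1
    while lo < hi:
        out[lo], out[hi] = byte_map[out[hi]], byte_map[out[lo]]
        lo += 1
        hi -= 1
    return bytes(out)


def oyster_encode(plain: bytes, byte_map: bytes = BYTE_MAP) -> bytes:
    """Same method, same table: the routine is its own inverse."""
    return oyster_decode(plain, byte_map)


# Constructed sample: the C2 domain named on the page, obfuscated with the
# placeholder table above (18 bytes, so even-length as the routine requires).
SAMPLE_ENCODED_C2 = oyster_encode(b"whereverhomebe.com")

if __name__ == "__main__":
    print(SAMPLE_ENCODED_C2.hex())
    print(oyster_decode(SAMPLE_ENCODED_C2).decode())
```

Swapping in the table recovered from a real sample is the only change needed to turn this model into a config extractor for that sample.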
CleanUp30.dll uses the Boost.Beast library to send the collected host information, encoded with a byte map, to its C2 servers via HTTP POST; one of the domains observed receiving this data is whereverhomebe.com.
Another variant, CleanUp.dll, creates a shortcut (LNK) file named DiskCleanUp.lnk in the Startup folder to persist across reboots; the shortcut runs CleanUp.dll via rundll32.exe with the export test as the entry point.
Additional payloads observed being executed include k1.ps1, main.dll, and getresult.exe.