Beware of Fake Microsoft Teams Installer… It’s Malware!


Within the past few days, hackers have been discovered utilizing fake Microsoft Teams installers to infect Windows devices with Oyster malware.

The hackers are using a technique called “SEO poisoning,” which artificially boosts a webpage in search engine rankings so that users believe it is legitimate and download the infected software, to push the Oyster malware to Windows users.

Oyster malware—also known as Broomstick or CleanUpLoader—enables hackers to execute remote commands, deploy additional payloads, and transfer data to and from the compromised systems. Oyster has already been linked to other intrusion campaigns where it was masked as legitimate IT tools like PuTTY or WinSCP.

One of the domains noted by Blackpoint SOC was teams-install[.]top, which went so far as to mimic Microsoft’s official site in order to hide its malicious intent. Clicking through the download retrieved a file named “MSTeamsSetup.exe,” the same name as the official Teams download.

Upon execution of the .exe, the installer dropped a malicious DLL (CaptureService.dll) into the %APPDATA%\Roaming folder. For persistence, it also created a scheduled task named “CaptureService” that runs every 11 minutes and survives a system reboot.

If you or someone on your staff downloaded or attempted to download Microsoft Teams within the last few weeks, it’s best to verify that the Oyster malware was not installed by accident.

Mitigation & Prevention Tips

Hackers will only become more sophisticated in their attempts to infiltrate your systems and steal your data. To help mitigate and prevent risk for your business, here are some tips that can come in handy:

  • Download only from verified domains. It’s easy to become too trusting of search engines like Google or Bing. Avoid third-party sites and links that come from search ads, and double and triple check that you’re on the correct site before downloading anything.
  • Disable or restrict software installation privileges. Limiting who can install executables and keeping administrator credentials secure greatly reduces risk. Double down on the mitigation by ensuring these credentials are not shared around the office… especially on a sticky note in someone’s drawer!
  • Use endpoint protection and monitoring. Make sure every device in your business has active anti-virus enabled. Additionally, look for unusual persistence mechanisms, such as custom scheduled tasks created by downloaded files.
  • Educate staff on safe IT practices. Training employees in safe IT practices can save you headaches and money. Awareness of SEO poisoning and fake installers like this malicious Microsoft Teams clone is key to keeping your business secure.
  • Monitor certificate use. In the event malware is installed and data or logins are stolen, monitoring certificate use can alert you to the problem. Multi-factor authentication across key accounts that handle financials or sensitive data adds one more layer of protection to your systems.
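To make the “look for unusual persistence mechanisms” tip concrete, here is an added hunting script (not part of the original post or Blackpoint’s tooling) that checks a Windows host for the persistence described above: a scheduled task named “CaptureService,” an action that references CaptureService.dll or runs out of the Roaming profile folder, and an 11‑minute repetition. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated prompt so tasks registered by other users are visible; the rundll32/regsvr32 check is a generic heuristic, not something the post states.

```powershell
# Added example: hunt for the Oyster/CaptureService persistence described in the post.
# Indicator values (task name, DLL name, 11-minute interval) come from the post;
# everything else is a generic scheduled-task review.

$suspectName   = 'CaptureService'
$suspectDll    = 'CaptureService.dll'
$suspectPeriod = [TimeSpan]::FromMinutes(11)

$findings = foreach ($task in Get-ScheduledTask) {
    $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
    foreach ($action in $task.Actions) {
        # Exec actions expose Execute (program) and Arguments; other action types are skipped.
        if (-not $action.Execute) { continue }
        $cmd     = "$($action.Execute) $($action.Arguments)".Trim()
        $reasons = @()

        if ($task.TaskName -eq $suspectName)           { $reasons += 'task name matches campaign' }
        if ($cmd -match [regex]::Escape($suspectDll))  { $reasons += 'action references CaptureService.dll' }
        if ($cmd -match 'AppData\\Roaming')            { $reasons += 'action runs from the Roaming profile folder' }
        # Generic heuristic (assumption, not from the post): a DLL needs a host such as rundll32 to run.
        if ($cmd -match '(?i)rundll32|regsvr32')       { $reasons += 'DLL launched through a system host binary' }

        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval      # ISO 8601 duration, e.g. PT11M
            if ($interval -and ([System.Xml.XmlConvert]::ToTimeSpan($interval) -eq $suspectPeriod)) {
                $reasons += 'repeats every 11 minutes'
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                Author  = $task.Author
                Command = $cmd
                LastRun = $info.LastRunTime
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Also look for the dropped DLL itself in every profile's Roaming folder.
$dropped = Get-ChildItem -Path 'C:\Users\*\AppData\Roaming' -Filter $suspectDll -Recurse -File -ErrorAction SilentlyContinue

$findings | Format-Table -AutoSize
$dropped  | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

Any hit should be treated as a lead for incident response (isolate the host, preserve the task XML and DLL, and review the LastRun timestamps against the download date) rather than simply deleted, since Oyster can have pulled additional payloads in the meantime.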
