The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev.
Executive Summary
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads.
In this blog post, we will examine the delivery methods of the Oyster backdoor, provide an in-depth analysis of its components, and offer a Python script to help extract its obfuscated configuration.
Overview
Initial Access
In three separate incidents, Rapid7 observed users downloading supposed Microsoft Teams installers from typo-squatted websites. Users were directed to these websites after using search engines such as Google and Bing for Microsoft Teams software downloads. Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software.
Figure 1 - Fake Microsoft Teams Website
In one case, a user was observed navigating to the URL hxxps://micrsoft-teams-download[.]com/, which led to the download of the binary MSTeamsSetup_c_l_.exe. Initial analysis of the binary MSTeamsSetup_c_l_.exe showed that the binary was assigned by an Authenticode certificate issued to “Shanxi Yanghua HOME Furnishings Ltd”.
Figure 2 - MSTeamsSetup_c_l_.exe File Information
Searching VirusTotal for other files signed by “Shanxi Yanghua HOME Furnishings Ltd” showed the following:
Figure 3 - VirusTotal Signature Search Results
The results indicated other versions of the installer, each impersonating as a legitimate software installer. We observed that the first installer was submitted to VirusTotal around mid-May 2024.
In a related incident that occurred on May 29, 2024, we observed another binary posing as a Microsoft Teams setup file, TMSSetup.exe, which was assigned a valid certificate issued to “Shanghai Ruikang Decoration Co., Ltd”. As of May 30, 2024, that certificate has been revoked.
VirusTotal analysis of the binary MSTeamsSetup_c_l_.exe indicates it is associated with a malware family known as Oyster, dubbed Broomstick by IBM.
What is Oyster/Broomstick?
Oyster aka Broomstick aka CleanUpLoader is a family of malware first spotted in September of 2023 by researchers at IBM. While not much is known about the malware, it was delivered via a loader called Oyster Installer, which masqueraded as a browser installer. The installer was responsible for dropping the backdoor component, Oyster Main. Oyster Main was responsible for gathering information about the compromised host, handling communication with the hard-coded command-and-control (C2) addresses, and providing the capability for remote code execution.
In February, researchers on Twitter observed the same backdoor component and started to name the Oyster Main backdoor, CleanUpLoader.
In recent incidents, Rapid7 has observed Oyster Main being delivered without the Oyster Installer.
Technical Analysis
Initial analysis of the binary MSTeamsSetup_c_l_.exe revealed that two binaries were stored within the resource section. During execution, a function was observed using FindResourceA to locate the binaries, followed by LoadResource to access them. These binaries were then subsequently dropped into the Temp folder. We observed that the intended names of the two binaries dropped by MSTeamsSetup_c_l_.exe were CleanUp30.dll and MSTeamsSetup_c_l_.exe (the legitimate Microsoft Teams installer).
After dropping the binary CleanUp30.dll into the Temp directory, the program executes the DLL, passing the string rundll32.exe %s,Test to the function CreateProcessA, where %s stores the value CleanUp30.dll.
Figure 4 - Execution of CleanUp30.dll
After the execution of CleanUp30.dll, the program proceeds to initiate the legitimate Microsoft Teams installer, MSTeamsSetup_c_l_.exe, also located within the Temp directory. This tactic is employed to avoid raising suspicion from the user.
CleanUp30.dll Analysis
During the execution of CleanUp30.dll, Rapid7 observed that the binary starts by attempting to create the hard coded mutual exclusion (mutex) ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1. Mutex creation is often used by programs in order to determine if the program is already running another instance. If the program is already running, the program will terminate the new instance.
After creating the mutex, the binary determines its execution path by calling the function GetModuleFilenameA. The value is stored as a string and used as a parameter for the creation of a scheduled task, ClearMngs. The scheduled task is created using the function ShellExecuteExW, passing the following as the command line:
schtasks.exe /create /tn ClearMngs /tr "rundll32 '<location of binary>\CleanUp30.dll',Test" /sc hourly /mo 3 /f
The purpose of the scheduled task ClearMngs is to execute the binary <location of binary>\CleanUp30.dll with the exported function of Test using rundll32.exe every three hours.
After the creation of the scheduled task, the binary then proceeds to decode its C2 servers using a unique decoding function. The decoding function begins by taking in a string of encoded characters, and its length is in bytes. The decoding function then proceeds to read in each byte, starting from the end of the encoded string.
Figure 5 - The DLL’s Decoding Loop
Each byte of the encoded string is used as an index location to retrieve the decoded byte from a hard-coded byte map. A byte map is a byte array containing 256 bytes in a randomized order, one for each possible byte value from 1 to 256. Malware authors sometimes use this technique to obfuscate strings and other data. The iteration counter (i) used within the condition for the decoding loop is compared to half of the encoded string’s length as the decoding loop swaps two bytes at a time. The bytes of the encoded string are decoded and swapped beginning at the start and end bytes of the string and the decoding loop then progresses towards the center of the string from each end.
The loop swaps the bytes to reverse the decoded string, as the original plaintext strings stored in the malware were reversed prior to encoding. When the center of the string is reached, the decoding process is complete. Due to this algorithm, all the encoded strings that are passed must be of even length to avoid further processing. Immediately after the decoded string is loaded onto the stack, the malware then re-encodes the string using a similar loop. The final result for the first decoded string is a carriage return line feed (CRLF) delimited list of C2 domains.
We constructed a Python script that can decode all the encoded strings contained within the CleanUp.dll binaries, including previous versions. The Python script can be found in our GitHub repository.
Figure 6 - Sample Output from Python Script
Using our Python script, it revealed some of the C2 functionality, along with several JSON fields that are used to build a fingerprint of the infected system:
| Hex Encoded String |
Decoded String |
| 2ec6a676766fc6f4960e86 |
api/connect |
| 50b0aea6747686b64eaef69e2ec6a64e96262ea64e |
supfoundrysettlers.us |
| 50b0b6f6c674a646a6b6f6164ea66ea64ea616ee |
whereverhomebe.com |
| 50b0ceae74ce4ea6362e2ea6ce9e4e2676aef6660eaece |
retdirectyourman.eu |
| 76f6ce56f476f6962e86c696360e0e86045ca60e9e2ab42e76a62e76f6c2 |
Content-Type: application/json |
| 76f696cece65cef4960e86 |
api/session |
| a61ea67426b6c63a346ceaf2eace9eca3a |
\SysWOW64\cmd.exe |
| a61ea6744ccc36362676ae4e3a2c6ceaf2eace9eca3a |
\SysWOW64\rundll32.exe |
| d2f2 |
OK |
| 3a0eb6a62a3a |
\Temp\ |
| 445c442696fa267686b6b6f6c6443444 |
","command_id":" |
| be44 |
"} |
| 445c44649644de |
{"id":" |
| 445c442e36aecea64e443444 |
","result":" |
| 445c442696fa76f696cecea6ce443444 |
","session_id":" |
| 445c44ceae2e862ece443444 |
","status":" |
| 2e1e2e740eae7686a636c63a |
\cleanup.txt |
| 445c44a6b68676fa4e652eae0eb6f6c6443444 |
","computer_name":" |
| 0ccc445c4476f696ce72a66efa363626443444 |
","dll_version":"30 |
| 445c44769686b6f626443444 |
","domain":" |
| be44 |
"} |
| 445c44649644de |
{"id":" |
| 445c443686c6f636fa0e96443444 |
","ip_local":" |
| 445c44cef6443444 |
","os":" |
| 445c44263696ae46facef6443444 |
","os_build":" |
| 445c44a6e6a636656e964e0e443444 |
","privilege":" |
|
|
After the binary decodes the C2 addresses, the program proceeds to fingerprint the infected machine, using the following functions:
| Function |
Description |
| DsRoleGetPrimaryDomainInformation |
Used to gather information about the domain the compromised machine resides in. In particular, the function returns the domain name. |
| GetUserNameW |
Provides the name of the user in which the program is running under. |
| NetUserGetInfo |
Provides details of the user under which the program is running. In this case, the program is querying if the user is admin or user. |
| GetComputerNameW |
Provides the name of the compromised machine in which the binary is running on. |
| RtlGetVersion |
Returns version information about the currently running operating system including name and version number. |
Figure 7 - A Selection of Contents of the CleanUp30.dll Code that Outline the Collection of System Information
While enumerating information about the host, the information is stored in the JSON fields uncovered from the encoded strings identified above.
Figure 8 - Example of the Data Collected and Sent via HTTP POST to the Malicious Domains
The fingerprint information is encoded using the same loop previously discussed, where the data string is reversed and encoded using a byte map before being sent.
After the information is encoded, it is sent to the domains whereverhomebe[.]com/, supfoundrysettlers[.]us/, and retdirectyourman[.]eu/ via HTTP POST method. Rapid7 determined that CleanUp30.dll uses the open-source C++ library Boost.Beast to communicate with the observed C2 domains via HTTP and web sockets.
Figure 9 - Captured Network Traffic Attempting to Send POST Requests to whereverhomebe[.]com/ and supfoundrysettlers[.]us/ Following the Execution of CleanUp30.dll
Follow-on Activity
In one of the incidents Rapid7 observed, a PowerShell script was spawned following the execution of another version of CleanUp30.dll, CleanUp.dll. CleanUp.dll, similar to CleanUp30.dll, was originally dropped by the other fake Microsoft Teams installer, TMSSetup.exe, which dropped the binary into the AppData/Local/Temp directory as well.
Figure 10 - PowerShell Command Creating .lnk File DiskCleanUp.lnk
The purpose of the PowerShell script was to create a shortcut LNK file named DiskCleanUp.lnk within C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. By doing so, this ensured that the LNK file DiskCleanUp.lnk would be run each time the user logged in. The shortcut LNK file was responsible for executing the binary CleanUp.dll using rundll32.exe, passing the export Test.
Following the execution of the PowerShell script, Rapid7 observed execution of additional payloads:
- k1.ps1
- main.dll
- getresult.exe
Unfortunately, during the incident, we were unable to acquire the additional payloads. During the incidents, Rapid7 also observed execution of the following enumeration commands:
| Enumeration |
Description |
| systeminfo |
Provides information about the system's software and hardware configuration |
| arp -a |
Shows a list of all IP addresses that the local computer has recently interacted with, along with their corresponding MAC addresses |
| net group 'domain computers' /domain |
Lists the "Domain Computers" group within an Active Directory domain |
| "C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com |
Determines the external IP address |
| whoami /all |
Provides detailed information about the current user including user's privileges, group memberships, and security identifiers (SIDs) |
| nltest /dclist:<domain_name> |
Lists all the domain controllers (DCs) for a specific domain |
| net user admin |
Provides detailed information about the user 'admin' including profile information, group memberships, local group memberships, etc |
| reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s |
Queries the registry to find information about installed software |
| findstr "DisplayName" |
Used to filter information, showing only items contained under "DisplayName" |
Rapid7 Customers
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:
- Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory
- Suspicious Process: RunDLL32 launching CMD or PowerShell
- Persistence - Schtasks.exe Creating Task That Executes RunDLL32
- Network Discovery - Nltest Enumerate Domain Controllers
- Attacker Technique - Determining External IP Via Command Line
- Suspicious Process - .lnk in PowerShell Command Line
MITRE ATT&CK Techniques
| Tactic |
Technique |
Description |
| Resource Development |
Acquire Infrastructure: Domains (T1583.001) |
Threat Actor set up typo-squatted domain micrsoft-teams-download[.]com in order to aid in the delivery of the executable MSTeamsSetup_c_l_.exe |
| Execution |
Command and Scripting Interpreter: Powershell (T1059.001) |
Used to create .lnk file DiskCleanUp.lnk and execute the PowerShell payload k1.ps1 |
| Execution |
User Execution: Malicious File (T1204.002) |
User executes the binary MSTeamsSetup_c_l_.exe |
| Persistence |
Scheduled Task (T1053.005) |
CleanUp30.DLL and CleanUp.DLL create scheduled task ClearMngs |
| Defense Evasion |
Masquerading: Match Legitimate Name or Location (T1036.005) |
MSTeamsSetup_c_l_.exe masquerades as legitimate Microsoft Teams installer |
| Defense Evasion |
Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) |
Execution delays are performed by several stages throughout the attack flow |
| Collection |
Data from Local System (T1005) |
Threat Actors enumerated information about compromised hosts using the backdoor CleanUp DLL's |
| Command and Control |
Data Encoding - Non Standard Encoding (T1132.002) |
CleanUp DLL's send encoded data to C2's using unique encoding function |
IOCs
| IOC |
Hash |
Description |
| TMSSetup.exe |
9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43 |
The malicious executable downloaded from prodfindfeatures[.]com/ |
| MSTeamsSetup_c_l_.exe |
574C70E84ECDAD901385A1EBF38F2EE74C446034E97C33949B52F3A2FDDCD822 |
The malicious executable downloaded from prodfindfeatures[.]com/ |
| CleanUp30.dll |
CFC2FE7236DA1609B0DB1B2981CA318BFD5FBBB65C945B5F26DF26D9F948CBB4 |
The .dll file that is run by run32dll.exe following the execution of MSTeamsSetup_c_l_.exe |
| CleanUp.dll |
82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94 |
The .dll file that is run by run32dll.exe following the execution of TMSSetup.exe |
| DiskCleanUp.lnk |
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa |
An .lnk file that was created following the execution of CleanUp30.dll |
| prodfindfeatures[.]com/ |
- |
The domain hosting the malicious files TMSSetup (1).exe and MSTeamsSetup_c_l_.exe |
| micrsoft-teams-download[.]com/ |
- |
The typo-squatted domain that users visited |
| impresoralaser[.]pro/ |
- |
Part of the domain redirect chain for downloads of TMSSetup (1).exe and MSTeamsSetup_c_l_.exe |
| whereverhomebe[.]com/ |
- |
Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with |
| supfoundrysettlers[.]us/ |
- |
Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with |
| retdirectyourman[.]eu/ |
- |
Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with |
| 149.248.79[.]62 |
- |
Resolving IP for whereverhomebe[.]com/ |
| 64.95.10[.]243 |
- |
Resolving IP for supfoundrysettlers[.]us/ |
| 206.166.251[.]114 |
- |
Resolving IP for retdirectyourman[.]eu/ |
References
