Oyster Backdoor malware has been observed disguising itself as legitimate IT management tools WinSCP and PuTTY in a campaign targeting IT professionals, with evidence suggesting a link to ransomware operations.
Researchers from BlueVoyant have conducted an investigation into a recent attack within a healthcare sector client environment, where the Oyster Backdoor was delivered through a fake installer for WinSCP. The analysis determined that the malware operators also distributed a version disguised as PuTTY, another widely used administrative tool. The campaign was initially identified by outside cybersecurity specialists, but BlueVoyant’s Security Operations Centre (SOC) responded after observing suspicious activity in its client’s network.
Malware delivery
The attack began when an IT user downloaded a malicious installer that appeared to be WinSCP. Running it deployed the Oyster Backdoor, which let the attackers abuse the user’s elevated privileges, move laterally within the network, and maintain persistence for potential follow-on attacks.
BlueVoyant reported that “within hours, the attackers created new admin accounts and attempted to deploy Havoc Command and Control (C2) on a domain controller.” The attack was interrupted by prompt action from BlueVoyant’s SOC, who were able to disrupt the attack chain before further damage occurred.
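The new-admin-account activity quoted above lends itself to a simple detection. The following is an added example, not code from BlueVoyant’s report: it walks constructed Windows Security events (IDs 4720, 4728 and 4732) and flags any account added to a privileged group within two hours of being created; the group names, the two-hour window and the sample events are assumptions.

```python
"""Flag accounts that are promoted to an admin group shortly after creation.

Events are constructed to resemble Windows Security log records 4720 (user
account created), 4728 (member added to a global group) and 4732 (member
added to a local group); they are sample data, not records from the incident."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
WINDOW = timedelta(hours=2)  # assumed creation-to-promotion gap worth alerting on

SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2024-06-10T09:02:11", "id": 4720, "subject": "itadmin", "target": "svc_backup", "group": None},
    {"time": "2024-06-10T09:05:40", "id": 4732, "subject": "itadmin", "target": "svc_backup", "group": "Administrators"},
    {"time": "2024-06-10T09:07:03", "id": 4728, "subject": "itadmin", "target": "svc_backup", "group": "Domain Admins"},
    {"time": "2024-06-01T08:00:00", "id": 4720, "subject": "hr_onboard", "target": "legacy_user", "group": None},
    {"time": "2024-06-10T10:30:00", "id": 4732, "subject": "itadmin", "target": "legacy_user", "group": "Administrators"},
    {"time": "2024-06-10T13:15:00", "id": 4720, "subject": "hr_onboard", "target": "jdoe", "group": None},
    {"time": "2024-06-10T13:16:00", "id": 4732, "subject": "hr_onboard", "target": "jdoe", "group": "Remote Desktop Users"},
]


def find_fast_privilege_grants(events, window=WINDOW):
    """Return one alert per privileged-group addition that follows the target
    account's creation within `window`; the input may be unordered."""
    created = {}  # account -> (creation time, subject that created it)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (when, ev["subject"])
        elif ev["id"] in (4728, 4732) and ev["group"] in PRIVILEGED_GROUPS:
            if ev["target"] not in created:
                continue  # creation not in this batch, so the gap cannot be judged
            born, creator = created[ev["target"]]
            gap = when - born
            if gap <= window:  # legacy_user was created days earlier: no alert
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": creator,
                    "promoted_by": ev["subject"],
                    "minutes_after_creation": round(gap.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_fast_privilege_grants(SAMPLE_EVENTS):
        print(alert)
```

Only svc_backup is reported (twice, once per privileged group); jdoe joins a non-privileged group and legacy_user was created outside the window.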
Technical evolution
During their assessment, BlueVoyant analysts observed updated features in this variant of the Oyster Backdoor compared to previous versions, reflecting continued development by its operators. Despite changes, the malware retains key capabilities, allowing it to harvest detailed system and user information, establish command and control communication with remote servers, and deploy additional malicious payloads to deepen compromise.
Connection to ransomware
BlueVoyant’s Threat Fusion Cell (TFC) uncovered infrastructure links tying this malware campaign to TAG-124, an activity cluster previously noted in external research. The company stated that “the adversary behind Oyster is believed to be an initial access operator for Rhysida ransomware.” The relationship between Oyster and Rhysida is notable, as BlueVoyant observed that Rhysida’s ransomware leak website has listed at least 10 victims since the beginning of June. BlueVoyant warned that “the adversaries appear to remain prevalent and active.”
The BlueVoyant team observed Oyster Backdoor being used to deploy additional payloads within a client environment in the healthcare sector. Payloads are the malicious code a piece of malware delivers to perform unauthorised actions. After a thorough investigation, BlueVoyant determined that an IT user had downloaded a malicious installer masquerading as WinSCP, a legitimate IT tool, which deployed the Oyster Backdoor; the malware was also found disguised as PuTTY, another admin tool. Once deployed, Oyster enabled the threat actors to abuse elevated privileges to move laterally and maintain persistence.
Rhysida ransomware, facilitated by initial access provided by threats such as Oyster, has continued to target various sectors, and BlueVoyant’s detection points to consistent activity by these operators. These actors are known for their persistence and ability to adapt to security measures.
Prevention and recommendations
BlueVoyant recommends obtaining software only from trusted sources and avoiding links or attachments in emails that may serve as delivery vectors for malware. The company also advocates continuous monitoring of digital environments and subscription to threat intelligence services to stay aware of evolving threats.
“Organisations should have 24×7 monitoring to notice any suspicious activity. In addition, they should also have a subscription to threat intelligence to ensure they are aware of the latest threats.”
The report’s authors, Thomas Elkins, Joshua Green, and Ian Harte, led the investigation that underscored the need for vigilance among IT professionals and administrators when obtaining and deploying software tools, particularly those used for critical infrastructure management.