Malvertising Campaign Leads to Execution of Oyster Backdoor | Rapid7 Blog By Rapid7 Published: 2024-06-17 · Archived: 2026-04-05 16:32:26 UTC The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev. Executive Summary Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads. In this blog post, we will examine the delivery methods of the Oyster backdoor, provide an in-depth analysis of its components, and offer a Python script to help extract its obfuscated configuration. Overview Initial Access In three separate incidents, Rapid7 observed users downloading supposed Microsoft Teams installers from typo-squatted websites. Users were directed to these websites after using search engines such as Google and Bing for Microsoft Teams software downloads. Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software. Figure 1 - Fake Microsoft Teams Website https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 1 of 10 In one case, a user was observed navigating to the URL hxxps://micrsoft-teams-download[.]com/, which led to the download of the binary MSTeamsSetup_c_l_.exe. Initial analysis of the binary MSTeamsSetup_c_l_.exe showed that the binary was assigned by an Authenticode certificate issued to “Shanxi Yanghua HOME Furnishings Ltd”. Figure 2 - MSTeamsSetup_c_l_.exe File Information Searching VirusTotal for other files signed by “Shanxi Yanghua HOME Furnishings Ltd” showed the following: Figure 3 - VirusTotal Signature Search Results The results indicated other versions of the installer, each impersonating as a legitimate software installer. We observed that the first installer was submitted to VirusTotal around mid-May 2024. In a related incident that occurred on May 29, 2024, we observed another binary posing as a Microsoft Teams setup file, TMSSetup.exe, which was assigned a valid certificate issued to “Shanghai Ruikang Decoration Co., Ltd”. As of May 30, 2024, that certificate has been revoked. VirusTotal analysis of the binary MSTeamsSetup_c_l_.exe indicates it is associated with a malware family known as Oyster, dubbed Broomstick by IBM. What is Oyster/Broomstick? Oyster aka Broomstick aka CleanUpLoader is a family of malware first spotted in September of 2023 by researchers at IBM. While not much is known about the malware, it was delivered via a loader called Oyster Installer, which masqueraded as a browser installer. The installer was responsible for dropping the backdoor component, Oyster Main. Oyster Main was https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 2 of 10 responsible for gathering information about the compromised host, handling communication with the hard-coded command-and-control (C2) addresses, and providing the capability for remote code execution. In February, researchers on Twitter observed the same backdoor component and started to name the Oyster Main backdoor, CleanUpLoader. In recent incidents, Rapid7 has observed Oyster Main being delivered without the Oyster Installer. Technical Analysis Initial analysis of the binary MSTeamsSetup_c_l_.exe revealed that two binaries were stored within the resource section. During execution, a function was observed using FindResourceA to locate the binaries, followed by LoadResource to access them. These binaries were then subsequently dropped into the Temp folder. We observed that the intended names of the two binaries dropped by MSTeamsSetup_c_l_.exe were CleanUp30.dll and MSTeamsSetup_c_l_.exe (the legitimate Microsoft Teams installer). After dropping the binary CleanUp30.dll into the Temp directory, the program executes the DLL, passing the string rundll32.exe %s,Test to the function CreateProcessA, where %s stores the value CleanUp30.dll. Figure 4 - Execution of CleanUp30.dll After the execution of CleanUp30.dll, the program proceeds to initiate the legitimate Microsoft Teams installer, MSTeamsSetup_c_l_.exe, also located within the Temp directory. This tactic is employed to avoid raising suspicion from the user. CleanUp30.dll Analysis During the execution of CleanUp30.dll, Rapid7 observed that the binary starts by attempting to create the hard coded mutual exclusion (mutex) ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1. Mutex creation is often used by programs in order to determine if the program is already running another instance. If the program is already running, the program will terminate the new instance. After creating the mutex, the binary determines its execution path by calling the function GetModuleFilenameA. The value is stored as a string and used as a parameter for the creation of a scheduled task, ClearMngs. The scheduled task is created https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 3 of 10 using the function ShellExecuteExW, passing the following as the command line: schtasks.exe /create /tn ClearMngs /tr "rundll32 '\CleanUp30.dll',Test" /sc hourly /mo 3 /f The purpose of the scheduled task ClearMngs is to execute the binary \CleanUp30.dll with the exported function of Test using rundll32.exe every three hours. After the creation of the scheduled task, the binary then proceeds to decode its C2 servers using a unique decoding function. The decoding function begins by taking in a string of encoded characters, and its length is in bytes. The decoding function then proceeds to read in each byte, starting from the end of the encoded string. Figure 5 - The DLL’s Decoding Loop Each byte of the encoded string is used as an index location to retrieve the decoded byte from a hard-coded byte map. A byte map is a byte array containing 256 bytes in a randomized order, one for each possible byte value from 1 to 256. Malware authors sometimes use this technique to obfuscate strings and other data. The iteration counter (i) used within the condition for the decoding loop is compared to half of the encoded string’s length as the decoding loop swaps two bytes at a time. The bytes of the encoded string are decoded and swapped beginning at the start and end bytes of the string and the decoding loop then progresses towards the center of the string from each end. The loop swaps the bytes to reverse the decoded string, as the original plaintext strings stored in the malware were reversed prior to encoding. When the center of the string is reached, the decoding process is complete. Due to this algorithm, all the encoded strings that are passed must be of even length to avoid further processing. Immediately after the decoded string is loaded onto the stack, the malware then re-encodes the string using a similar loop. The final result for the first decoded string is a carriage return line feed (CRLF) delimited list of C2 domains. We constructed a Python script that can decode all the encoded strings contained within the CleanUp.dll binaries, including previous versions. The Python script can be found in our GitHub repository. https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 4 of 10 Figure 6 - Sample Output from Python Script Using our Python script, it revealed some of the C2 functionality, along with several JSON fields that are used to build a fingerprint of the infected system: Hex Encoded String Decoded String 2ec6a676766fc6f4960e86 api/connect 50b0aea6747686b64eaef69e2ec6a64e96262ea64e supfoundrysettlers.us 50b0b6f6c674a646a6b6f6164ea66ea64ea616ee whereverhomebe.com 50b0ceae74ce4ea6362e2ea6ce9e4e2676aef6660eaece retdirectyourman.eu 76f6ce56f476f6962e86c696360e0e86045ca60e9e2ab42e76a62e76f6c2 Content-Type: application/json 76f696cece65cef4960e86 api/session a61ea67426b6c63a346ceaf2eace9eca3a \SysWOW64\cmd.exe a61ea6744ccc36362676ae4e3a2c6ceaf2eace9eca3a \SysWOW64\rundll32.exe d2f2 OK 3a0eb6a62a3a \Temp\ 445c442696fa267686b6b6f6c6443444 ","command_id":" be44 "} 445c44649644de {"id":" 445c442e36aecea64e443444 ","result":" 445c442696fa76f696cecea6ce443444 ","session_id":" https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 5 of 10 Hex Encoded String Decoded String 445c44ceae2e862ece443444 ","status":" 2e1e2e740eae7686a636c63a \cleanup.txt 445c44a6b68676fa4e652eae0eb6f6c6443444 ","computer_name":" 0ccc445c4476f696ce72a66efa363626443444 ","dll_version":"30 445c44769686b6f626443444 ","domain":" be44 "} 445c44649644de {"id":" 445c443686c6f636fa0e96443444 ","ip_local":" 445c44cef6443444 ","os":" 445c44263696ae46facef6443444 ","os_build":" 445c44a6e6a636656e964e0e443444 ","privilege":" After the binary decodes the C2 addresses, the program proceeds to fingerprint the infected machine, using the following functions: Function Description DsRoleGetPrimaryDomainInformation Used to gather information about the domain the compromised machine resides in. In particular, the function returns the domain name. GetUserNameW Provides the name of the user in which the program is running under. NetUserGetInfo Provides details of the user under which the program is running. In this case, the program is querying if the user is admin or user. GetComputerNameW Provides the name of the compromised machine in which the binary is running on. RtlGetVersion Returns version information about the currently running operating system including name and version number. Figure 7 - A Selection of Contents of the CleanUp30.dll Code that Outline the Collection of System Information While enumerating information about the host, the information is stored in the JSON fields uncovered from the encoded strings identified above. https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 6 of 10 Figure 8 - Example of the Data Collected and Sent via HTTP POST to the Malicious Domains The fingerprint information is encoded using the same loop previously discussed, where the data string is reversed and encoded using a byte map before being sent. After the information is encoded, it is sent to the domains whereverhomebe[.]com/, supfoundrysettlers[.]us/, and retdirectyourman[.]eu/ via HTTP POST method. Rapid7 determined that CleanUp30.dll uses the open-source C++ library Boost.Beast to communicate with the observed C2 domains via HTTP and web sockets. Figure 9 - Captured Network Traffic Attempting to Send POST Requests to whereverhomebe[.]com/ and supfoundrysettlers[.]us/ Following the Execution of CleanUp30.dll Follow-on Activity In one of the incidents Rapid7 observed, a PowerShell script was spawned following the execution of another version of CleanUp30.dll, CleanUp.dll. CleanUp.dll, similar to CleanUp30.dll, was originally dropped by the other fake Microsoft Teams installer, TMSSetup.exe, which dropped the binary into the AppData/Local/Temp directory as well. Figure 10 - PowerShell Command Creating .lnk File DiskCleanUp.lnk The purpose of the PowerShell script was to create a shortcut LNK file named DiskCleanUp.lnk within C:\Users\ \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. By doing so, this ensured that the LNK file DiskCleanUp.lnk would be run each time the user logged in. The shortcut LNK file was responsible for executing the binary CleanUp.dll using rundll32.exe, passing the export Test. Following the execution of the PowerShell script, Rapid7 observed execution of additional payloads: k1.ps1 main.dll getresult.exe Unfortunately, during the incident, we were unable to acquire the additional payloads. During the incidents, Rapid7 also observed execution of the following enumeration commands: Enumeration Description systeminfo Provides information about the system's software and hardware configuration https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 7 of 10 Enumeration Description arp -a Shows a list of all IP addresses that the local computer has recently interacted with, along with their corresponding MAC addresses net group 'domain computers' /domain Lists the "Domain Computers" group within an Active Directory domain "C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com Determines the external IP address whoami /all Provides detailed information about the current user including user's privileges, group memberships, and security identifiers (SIDs) nltest /dclist: Lists all the domain controllers (DCs) for a specific domain net user admin Provides detailed information about the user 'admin' including profile information, group memberships, local group memberships, etc reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s Queries the registry to find information about installed software findstr "DisplayName" Used to filter information, showing only items contained under "DisplayName" Rapid7 Customers InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign: Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory Suspicious Process: RunDLL32 launching CMD or PowerShell Persistence - Schtasks.exe Creating Task That Executes RunDLL32 Network Discovery - Nltest Enumerate Domain Controllers Attacker Technique - Determining External IP Via Command Line Suspicious Process - .lnk in PowerShell Command Line MITRE ATT&CK Techniques Tactic Technique Description Resource Development Acquire Infrastructure: Domains (T1583.001) Threat Actor set up typo-squatted domain micrsoft-teams-download[.]com in order to aid in the delivery of the executable MSTeamsSetup_c_l_.exe Execution Command and Scripting Interpreter: Powershell (T1059.001) Used to create .lnk file DiskCleanUp.lnk and execute the PowerShell payload k1.ps1 Execution User Execution: Malicious File (T1204.002) User executes the binary MSTeamsSetup_c_l_.exe Persistence Scheduled Task (T1053.005) CleanUp30.DLL and CleanUp.DLL create scheduled task ClearMngs https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 8 of 10 Tactic Technique Description Defense Evasion Masquerading: Match Legitimate Name or Location (T1036.005) MSTeamsSetup_c_l_.exe masquerades as legitimate Microsoft Teams installer Defense Evasion Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) Execution delays are performed by several stages throughout the attack flow Collection Data from Local System (T1005) Threat Actors enumerated information about compromised hosts using the backdoor CleanUp DLL's Command and Control Data Encoding - Non Standard Encoding (T1132.002) CleanUp DLL's send encoded data to C2's using unique encoding function IOCs IOC Hash Description TMSSetup.exe 9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43 The malicious executable dow from prodfindfeature MSTeamsSetup_c_l_.exe 574C70E84ECDAD901385A1EBF38F2EE74C446034E97C33949B52F3A2FDDCD822 The malicious executable dow from prodfindfeature CleanUp30.dll CFC2FE7236DA1609B0DB1B2981CA318BFD5FBBB65C945B5F26DF26D9F948CBB4 The .dll file tha by run32dll.exe following the e of MSTeamsSetup CleanUp.dll 82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94 The .dll file tha by run32dll.exe following the e of TMSSetup.e DiskCleanUp.lnk An .lnk file tha created followi execution of CleanUp30.dll prodfindfeatures[.]com/ - The domain ho malicious files TMSSetup (1). MSTeamsSetup micrsoft-teams-download[.]com/ - The typo-squat domain that us impresoralaser[.]pro/ - Part of the dom redirect chain f downloads of T (1).exe and MSTeamsSetup whereverhomebe[.]com/ - Domain that CleanUp30.dll https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 9 of 10 IOC Hash Description CleanUp.dll att communicate w supfoundrysettlers[.]us/ - Domain that CleanUp30.dll CleanUp.dll att communicate w retdirectyourman[.]eu/ - Domain that CleanUp30.dll CleanUp.dll att communicate w 149.248.79[.]62 - Resolving IP fo whereverhome 64.95.10[.]243 - Resolving IP fo supfoundrysett 206.166.251[.]114 - Resolving IP fo retdirectyourm References Article URL Broomstick Malware Profile https://exchange.xforce.ibmcloud.com/malware-analysis/guid:08822f57c12416bc3e74997c473d1889 Twitter Mention of CleanUpLoader https://x.com/RussianPanda9xx/status/1757932257765945478 NEVER MISS AN EMERGING THREAT Be the first to learn about the latest vulnerabilities and cybersecurity news. Subscribe Now Source: https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ Page 10 of 10