Oyster Backdoor Gets Upgrade: Rhysida Ransomware Gang Uses SEO Poisoning in New Attack
On July 10, 2024, an unnamed private school was attacked by the Rhysida ransomware group, utilizing a new version of the Oyster Backdoor, also known as Broomstick. This updated variant of Oyster was first detected by Rapid7 at the end of June this year and employs SEO Poisoning to deceive users into downloading malicious installers disguised as legitimate software such as Google Chrome and Microsoft Teams.
During the aforementioned attack, the Oyster Backdoor was deployed on the user’s endpoint, likely via a malicious IP scanner distributed through malvertising. The malicious DLL associated with this attack communicates with the domain “codeforprofessionalusers[.]com,” which ThreatDown researchers have identified as an Oyster command and control server.
One of the notable methods used in this attack was input capture, allowing the theft of administrative credentials for clients’ hypervisors. Certain tasks and malicious directories identified in this incident were added to the ThreatDown detection database.
The attackers used the stolen SSH credentials to access NAS devices and VMware hypervisors, bypassing the real-time protection layer of ThreatDown Endpoint Protection (EP), which enabled them to deploy Rhysida. As the client relied solely on EP instead of EDR or MDR, the suspicious activity went undetected.
The ransomware encrypted VMDK files on the hypervisor and possibly other critical data on NAS devices. Additionally, local backups were encrypted, necessitating the use of secondary backups for data restoration.
Since its emergence in June 2023, the Rhysida group has conducted over 107 confirmed attacks, with approximately 30% of the victims being in the education sector. To prevent attacks and mitigate their consequences, the following practices are recommended:
- Eradicate all traces of the attack. After isolating and halting the initial breach, it is essential to remove all traces of the intruders, their malware, and methods of ingress.
- Block common points of entry. Develop a plan for quickly addressing vulnerabilities in internet-exposed systems; enhance remote access protection (RDP and VPN); utilize endpoint protection software.
- Detect intrusions. Segment networks and restrict access rights, using EDR or MDR to detect unusual activity.
- Create additional offline backups. Keep backups out of the reach of attackers and regularly test data restoration capabilities.
Continuous vigilance, regular staff training, and a multi-layered security strategy are also crucial factors in preventing and mitigating the impact of cyberattacks. Ultimately, investments in cybersecurity are investments in the future and stability of any organization.