Malvertising Campaign Distributes Oyster Malware Through Fake Microsoft Teams Installers

Warning: Fake Microsoft Teams Installers Spreading Potent “Oyster” Malware

Microsoft Teams is an essential collaboration tool for millions of businesses and individuals worldwide. Its widespread use, however, has made it a prime target for cybercriminals. A sophisticated and dangerous malvertising campaign is currently exploiting the platform’s popularity to distribute a potent information-stealing malware known as Oyster, or FakeBat.

This campaign preys on unsuspecting users looking to download the application, using malicious search engine ads to lead them into a carefully constructed trap. Understanding how this attack works is the first step toward protecting yourself and your organization.

The Attack Begins with a Deceptive Search

The attack vector is both simple and highly effective: malvertising. Cybercriminals, identified as the threat group TA571, purchase ad space on major search engines. When a user searches for terms like “Microsoft Teams download,” these malicious ads appear at the very top of the results page, often looking more legitimate than the organic search results below them.

The goal is to trick the user into clicking the ad instead of the official Microsoft download link. Once clicked, the user is redirected to a malicious website designed to perfectly mimic the official Microsoft Teams landing page. These fake sites often use “typosquatting” domains—subtly misspelled URLs like microsft-teams-app[.]com—that can easily be overlooked by a user in a hurry.

From Fake Installer to Full-Scale Infection

Once on the fraudulent site, the user is prompted to download what appears to be a legitimate installer file, typically a ZIP archive named something like MSTeams-x64-full.zip. However, the contents of this archive are the key to the infection.

Inside the ZIP file is an MSIX application installer. When the user runs this file, it triggers a chain of malicious actions:

  1. PowerShell Execution: The installer executes a hidden PowerShell script. This script is the engine of the attack, designed to bypass security measures and prepare the system for the main payload.
  2. Component Download: The script connects to a public repository like GitHub to download additional malicious files. Using legitimate services like GitHub helps the malware evade network-based detection.
  3. UAC Bypass: Crucially, the malware attempts to bypass Windows User Account Control (UAC). This is the security feature that asks for your permission before making significant changes to your system. By disabling or bypassing it, the malware can operate with elevated privileges without alerting the user.
  4. Oyster Malware Deployed: With the system’s defenses lowered, the primary payload, the Oyster infostealer, is installed.
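The four-step chain above, written as a defender's detection check over constructed process telemetry (an added example, not code from the article or from the campaign; the event shape, the appinstaller.exe parent, the PowerShell flag pattern and the hostnames are assumptions):

```python
"""Detection check for the fake-installer chain: an MSIX install that hosts a
hidden PowerShell which then pulls files from a public code host.
Added example; event shape, parent image and sample values are assumptions."""
import re
from dataclasses import dataclass, field

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                  # executable name, lower-cased
    cmdline: str
    connections: list = field(default_factory=list)  # remote hostnames seen

# Flags typical of script launchers that hide their window or skip policy
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden|-enc|-nop|bypass", re.I)
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
MSIX_HOSTS = {"appinstaller.exe"}   # assumption: MSIX installs surface under this parent

def find_suspicious_chains(events):
    """Return [(pid, [signals])] for PowerShell processes matching >= 2 signals."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        signals = []
        if parent is not None and parent.image in MSIX_HOSTS:
            signals.append("spawned by MSIX installer host")
        if HIDDEN_PS.search(e.cmdline):
            signals.append("hidden/bypass PowerShell flags")
        if any(h.lower() in CODE_HOSTS for h in e.connections):
            signals.append("download from public code host")
        if len(signals) >= 2:            # one signal alone is common in admin scripts
            hits.append((e.pid, signals))
    return hits

# Constructed sample telemetry, not data from the real campaign
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "appinstaller.exe", "AppInstaller.exe MSTeams-x64-full.msix"),
    ProcEvent(300, 200, "powershell.exe",
              "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File setup.ps1",
              ["raw.githubusercontent.com"]),
    ProcEvent(400, 100, "powershell.exe", "powershell.exe -File backup.ps1", ["intranet.example"]),
]
```

Requiring two of the three signals keeps a routine administrative PowerShell run (pid 400 in the sample) out of the alert while the installer-hosted, hidden, GitHub-fetching instance (pid 300) is flagged.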

What is Oyster Malware and What Can It Steal?

Oyster malware is a formidable threat designed for one primary purpose: data theft. Once active on a compromised system, it meticulously scours the machine for sensitive information and sends it back to the attacker’s command-and-control server.

The data it targets includes:

  • Browser Credentials: Saved usernames and passwords from web browsers like Chrome, Edge, and Firefox.
  • Session Cookies: Active login session data that can be used to hijack online accounts without needing a password.
  • Cryptocurrency Wallets: Files and data related to popular crypto wallets.
  • Financial Information: Stored credit card details and other financial data.

Beyond simple data theft, the attack also installs a remote access tool (RAT) on the victim’s machine. This provides the cybercriminals with persistent access, allowing them to conduct further surveillance, move laterally across a network, or deploy additional malware like ransomware at a later date.

How to Protect Yourself from This Threat

This campaign highlights the importance of vigilance and proper security hygiene, especially when downloading software. Follow these essential security tips to stay safe:

  • Download Directly from the Source: Never use a search engine to find and download software. Go directly to the official vendor’s website (in this case, microsoft.com). Bookmark the official download pages for software you frequently use.
  • Scrutinize Search Results: Be extremely wary of sponsored ads at the top of search results. While many are legitimate, they are a prime channel for malvertising. Always check the display URL in the ad to ensure it is the correct, official domain.
  • Inspect URLs Carefully: Before entering information or downloading a file, double-check the URL in your browser’s address bar. Look for misspellings, extra characters, or unusual domain extensions.
  • Use Comprehensive Security Software: Ensure you have a reputable antivirus or endpoint detection and response (EDR) solution installed and kept up to date. These tools can often detect and block malicious scripts and files before they can cause harm.
  • Keep User Account Control (UAC) Enabled: Do not disable UAC. Always review UAC prompts carefully. If an application you don’t recognize is requesting administrative privileges, deny it.
  • Educate Your Team: For businesses, ongoing user education is critical. Ensure your employees know the risks of malvertising and are trained to only download software from authorized, official sources.
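The "Inspect URLs Carefully" advice above, turned into a check a help desk or download-filter could run on a pasted link (an added example, not from the article; the allowlist, the brand words, the edit-distance threshold and the two-label registrable-domain rule are assumptions, and the bracketed-dot defanging follows the article's own notation):

```python
"""Flag lookalike domains for the official Microsoft Teams download site.
Added example; allowlist and thresholds are assumptions, not from the article."""
import re
from urllib.parse import urlsplit

OFFICIAL = {"microsoft.com"}            # registrable domains allowed to serve Teams
BRAND_TOKENS = ("microsoft", "teams")   # words an impostor domain is likely to imitate

def edit_distance(a, b):
    """Levenshtein distance between two strings (iterative DP, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def refang(url):
    """Turn defanged notation such as example[.]com back into a parseable URL."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    return url if "://" in url else "https://" + url

def registrable(host):
    """Naive registrable domain: last two labels (assumption; no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def assess_download_url(url):
    """Return 'official', 'unrelated', or 'lookalike: <reasons>' for a download link."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    if registrable(host) in OFFICIAL:
        return "official"
    reasons = []
    for token in re.split(r"[.\-]", host):      # split on label and hyphen boundaries
        for brand in BRAND_TOKENS:
            if token == brand:
                reasons.append(f"uses brand word '{brand}' outside an official domain")
            elif 0 < edit_distance(token, brand) <= 2:
                reasons.append(f"'{token}' is a near-miss of '{brand}'")
    return "lookalike: " + "; ".join(reasons) if reasons else "unrelated"
```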

Source: https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-installers-push-oyster-malware-via-malvertising/