BlueVoyant investigated the latest Oyster malware attacks, delivered in a widespread campaign targeting IT professionals by impersonating legitimate IT tools.
The campaign was originally discovered by outside researchers, but when BlueVoyant’s SOC observed suspicious behaviour in a client environment within the healthcare sector, the team, including the Threat Fusion Cell (TFC), decided to delve deeper.
BlueVoyant notes that Oyster has a close working relationship with the Rhysida ransomware family, which has listed at least 10 victims on its leak website since the beginning of June, and that the adversaries appear to remain prevalent and active.
Inside the Attack: From Installer to Backdoor
The BlueVoyant team observed Oyster Backdoor being utilised to deploy additional payloads within a client environment operating in the healthcare sector. Payloads are code in malware designed to perform unauthorised actions. After conducting a thorough investigation, BlueVoyant determined that an IT user downloaded a malicious installer masquerading as WinSCP, a legitimate IT tool, which resulted in the deployment of the Oyster Backdoor. The malware was also found disguised as PuTTY, another admin tool. The download triggered the deployment of Oyster, which enabled the threat actors to exploit elevated privileges to move laterally and maintain persistence.
Within hours, the attackers created new admin accounts and attempted to deploy Havoc Command and Control (C2) on a domain controller. Thanks to rapid detection and response by BlueVoyant’s Security Operations Center (SOC), the attack chain was disrupted before further damage could occur.
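The sequence described above (a lookalike WinSCP/PuTTY installer run by an IT user, followed within hours by new admin accounts) is something a SOC can correlate from process-creation and account-management telemetry. The following is an added example of such detection logic; it is not code from BlueVoyant's report, and the log format, field names and sample events are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Tool names the campaign impersonated, per the report.
IMPERSONATED_TOOLS = ("winscp", "putty")
# Windows Security events that signal new admin access: 4720 = user account
# created, 4728/4732 = member added to a global/local security group.
ACCOUNT_EVENTS = {"4720", "4728", "4732"}

def parse_event(line):
    """Parse a constructed 'TIMESTAMP key=value ...' log line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def is_lookalike_installer(ev):
    """Process-creation event (EID 1) whose image name mimics an admin tool
    but is unsigned or was launched from a user's Downloads folder."""
    if ev.get("EID") != "1":
        return False
    image = ev.get("Image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    if not any(tool in name for tool in IMPERSONATED_TOOLS):
        return False
    return ev.get("Signed") != "true" or "\\downloads\\" in image

def correlate(lines, window_hours=24):
    """Return (installer_image, event_id, account) tuples for every privileged
    account change that follows a lookalike installer within the window."""
    events = [parse_event(line) for line in lines]
    suspects = [e for e in events if is_lookalike_installer(e)]
    alerts = []
    for acct in (e for e in events if e.get("EID") in ACCOUNT_EVENTS):
        for s in suspects:
            if timedelta(0) <= acct["ts"] - s["ts"] <= timedelta(hours=window_hours):
                alerts.append((s["Image"], acct["EID"], acct.get("TargetUserName")))
    return alerts

# Constructed sample telemetry: an unsigned "WinSCP" installer from Downloads,
# then a new account added to Domain Admins 2.5 hours later; a genuine signed
# PuTTY and a later account creation outside the window should not alert.
SAMPLE_EVENTS = [
    r"2025-06-10T09:12:03 EID=1 Image=C:\Users\itadmin\Downloads\WinSCP-Setup.exe Signed=false",
    r"2025-06-10T09:12:09 EID=1 Image=C:\Windows\System32\rundll32.exe Signed=true",
    r"2025-06-10T11:40:17 EID=4720 TargetUserName=svc_backup",
    r'2025-06-10T11:41:02 EID=4728 TargetUserName=svc_backup Group="Domain Admins"',
    r'2025-06-11T08:00:00 EID=1 Image="C:\Program Files\PuTTY\putty.exe" Signed=true',
    r"2025-06-12T10:00:00 EID=4720 TargetUserName=helpdesk2",
]
```

Running `correlate(SAMPLE_EVENTS)` yields two alerts, both tied to the unsigned installer, which is the point at which the report says the attack chain should be disrupted.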

The Oyster Backdoor: A Familiar Threat, Evolved
BlueVoyant researchers noted several updates in the observed malware compared to previous samples, indicating ongoing development and refinement. The backdoor still maintains its core capabilities wherein it can collect detailed system and user information, establish C2 communication, and deploy follow-on payloads for further compromise.
Infrastructure Links to Rhysida Ransomware
BlueVoyant’s TFC identified infrastructure links between this campaign and the activity cluster known as TAG-124, previously reported by outside researchers.
The adversary behind Oyster is believed to be an initial access operator for Rhysida ransomware. This connection underscores the broader threat posed by these campaigns, which often serve as precursors to ransomware deployment.
For a more detailed technical analysis of how the BlueVoyant SOC dealt with the Oyster Backdoor, please see the full report.

