Rhysida Ransomware: Fake Microsoft Teams Ads & OysterLoader Malware Explained (2025)

A notorious ransomware group is spreading fake Microsoft Teams ads to snare victims. Search engine users should be cautious about downloading Microsoft Teams, as the Rhysida ransomware group is using fake ads to distribute malware.

Cybersecurity firm Expel discovered an ongoing malicious ad campaign delivering malware called OysterLoader, previously known as Broomstick and CleanUpLoader. This is the group's second campaign impersonating the workplace collaboration platform in the last eighteen months. OysterLoader is an initial access tool (IAT) that, once downloaded, runs a backdoor to gain long-term access to the device and the network.

The current infection chain is built on a highly successful malvertising model, in which threat actors buy Bing search advertisements to direct users to convincing-looking but malicious landing pages. These search engine ads put links to the download right in front of potential victims.

The group uses a packing tool that effectively hides the capabilities of the malware, resulting in a low static detection rate when the malware is first seen. It also uses code-signing certificates, as genuine software publishers do, to give its malicious files a higher level of trust. Notably, this certificate use is what helped Expel detect the campaign.

Rhysida is ramping up attacks, using both OysterLoader and Latrodectus malware to gain initial access to networks. Rhysida is one of the few cyber criminal groups leveraging Trusted Signing from Microsoft, the company's own service for issuing code-signing certificates. Attackers are using Trusted Signing certificates for both OysterLoader and Latrodectus and appear to have found a way around the built-in features designed to limit misuse.

Rhysida first appeared as Vice Society in 2021, rebranded as Rhysida in 2023, and operates on a Ransomware as a Service (RaaS) double extortion model. Since 2023, the group has posted around 200 victims on its data leak site, including governments, healthcare organizations, and critical infrastructure industries. Earlier this year, the group claimed responsibility for attacks on the Oregon Department of Environmental Quality, the Cookeville Regional Medical Center in Tennessee, Sunflower Medical Group in Kansas, and the Community Care Alliance, a mental illness and addiction services group. The group also hit the Maryland Department of Transportation and the British Library.

Article information

Author: Melvina Ondricka