Fake Microsoft Teams Installer Delivers Oyster Malware

A sophisticated malvertising campaign is currently targeting businesses through fake Microsoft Teams installers. The CyberFlow cybersecurity team has analysed several samples and confirmed that the fake installers deliver the Oyster backdoor malware.

This weaponised Microsoft Teams malware attack is deployed through poisoned search engine results and abused code-signing certificates to compromise corporate systems. The level of sophistication highlights the evolving tactics cybercriminals use to breach enterprise networks.

Understanding the Microsoft Teams Malware Attack

The new malvertising campaign was first identified on the 25th of October. Cybersecurity experts discovered that hackers used SEO poisoning and search engine ads to promote fraudulent websites offering Microsoft Teams downloads.

When users search for “Microsoft Teams download” or similar terms, these malicious sites appear prominently in search results, creating a dangerous trap for IT professionals and employees seeking legitimate software.

How the Oyster Malware Attack Works

The infection chain begins when victims click on malicious advertisements or poisoned search results, leading to fake download sites. The campaign leverages abused code-signing certificates to make the malicious files appear trustworthy, bypassing initial security checks that many users rely on to verify software legitimacy.

Upon execution, the malicious installer deploys the Oyster backdoor, also known as Broomstick, a modular multistage malware designed for persistent remote access. This Microsoft Teams malware doesn’t just install a backdoor—it establishes a continuous foothold within the compromised system.

Oyster Malware Capabilities

The Oyster malware, also known as Broomstick and CleanUpLoader, is a backdoor that first appeared in mid-2023 and has since been linked to multiple campaigns. Once installed, the Oyster backdoor gives attackers remote access to the compromised system.

The backdoor operates stealthily, often evading detection while establishing command-and-control communications with remote servers. Its key capabilities include:

  • System reconnaissance: Harvesting detailed information about the infected device and network
  • Credential theft: Stealing authentication credentials and sensitive data
  • Remote command execution: Allowing attackers to run arbitrary commands
  • Payload delivery: Downloading and deploying additional malware, including ransomware
  • Persistence mechanisms: Ensuring the malware survives system reboots and security scans
  • Data exfiltration: Transferring stolen information to attacker-controlled servers

Written in C++, Oyster allows remote sessions and can perform file transfers and command-line operations. It has been used by various threat actors to support ransomware attacks. This connection to ransomware operations makes Oyster malware particularly dangerous for enterprises, as initial backdoor access can quickly escalate to devastating encryption attacks.

The Broader Malvertising Threat Landscape

This Microsoft Teams malware attack represents just one vector in a broader malvertising campaign that has targeted multiple popular software applications.

Previously, similar campaigns impersonated tools like PuTTY, WinSCP, Google Chrome, and other IT management software. The consistent pattern reveals that organised threat actors are systematically targeting IT professionals and enterprise users who frequently download business-critical applications.

Prevention: How to Protect Your Organisation

Defending against Microsoft Teams malware attacks and similar threats requires a multi-layered security approach combining technology, processes, and people:

Employee Security Awareness Training

  • Teach source verification: Train employees to download software only from official vendor websites, not search engine results
  • Recognise malicious indicators: Educate staff on identifying suspicious URLs, certificate warnings, and unusual installation behaviours
  • Report suspicious activity: Create clear reporting channels for potential security incidents
  • Simulate phishing attacks: Conduct regular testing to reinforce secure download practices
  • Update training regularly: Keep security awareness current with evolving threat landscapes

Implement Zero Trust Architecture

  • Verify every access request: Never assume trust based on network location or previous authentication
  • Continuous authentication: Enforce ongoing verification throughout user sessions
  • Micro-segmentation: Limit lateral movement by segmenting network resources
  • Monitor all traffic: Inspect and log all network communications, including internal traffic
  • Assume breach mentality: Design security controls assuming attackers may already be inside

Apply the Principle of Least Privilege

  • Minimise user permissions: Grant only the access necessary for specific job functions
  • Restrict installation rights: Prevent standard users from installing unauthorised software
  • Limit administrative access: Reduce the number of accounts with elevated privileges
  • Regular privilege reviews: Audit and adjust permissions based on current responsibilities
  • Just-in-time access: Provide temporary elevated permissions only when needed
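The "recognise malicious indicators" and "restrict installation rights" points above come down to one concrete check: a downloaded installer must not only carry a valid Authenticode signature, it must be signed by the vendor you expected, since this campaign abuses code-signing certificates to look trustworthy. The PowerShell below is an added example, not CyberFlow's tooling or part of the original article; the expected publisher name and thumbprint allowlist are assumptions to be taken from a known-good installer in your own environment.

```powershell
# Added example: triage an installer before it is allowed to run.
# Verdicts: ALLOW, BLOCK (with a reason) or MISSING, plus the SHA-256 for SOC hunting.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Common Name the signing certificate must carry (assumed value; verify against
        # a known-good installer rather than trusting this string).
        [string] $ExpectedSigner = 'Microsoft Corporation',
        # Optional stronger pin: thumbprints of signing certs you have already vetted.
        [string[]] $AllowedThumbprints = @()
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; Reason = 'file not found'; Sha256 = $null }
    }

    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    # 1. The chain must validate to a trusted root. 'NotSigned' and 'HashMismatch'
    #    (binary altered after signing) are both hard failures.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'BLOCK'
                                  Reason = "signature status: $($sig.Status)"; Sha256 = $sha256 }
    }

    # 2. "Signed by someone" is not "signed by the vendor": compare the exact CN,
    #    not a substring, so 'Microsoft Corporation Ltd' style lookalikes do not pass.
    $cert   = $sig.SignerCertificate
    $signer = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($signer -ne $ExpectedSigner) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'BLOCK'
                                  Reason = "unexpected signer: $($cert.Subject)"; Sha256 = $sha256 }
    }

    # 3. If an allowlist of vetted certificates is maintained, enforce it too.
    if ($AllowedThumbprints.Count -gt 0 -and $AllowedThumbprints -notcontains $cert.Thumbprint) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'BLOCK'
                                  Reason = "signer cert not on allowlist: $($cert.Thumbprint)"; Sha256 = $sha256 }
    }

    return [pscustomobject]@{ Path = $Path; Verdict = 'ALLOW'
                              Reason = "valid signature by $signer"; Sha256 = $sha256 }
}

# Usage: triage everything a user just downloaded (path is an assumption).
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.msi -Recurse |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName } | Format-Table -AutoSize
```

A BLOCK verdict with a valid signature but an unexpected signer is exactly the pattern this campaign relies on, and is worth escalating with the file hash rather than simply deleting the file.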

Protect Your Business with CyberFlow!

The Microsoft Teams malware attack shows that even trusted software brands can be exploited by sophisticated threat actors. As malicious file distribution methods evolve and Oyster malware campaigns become more advanced, organisations need cybersecurity solutions that surpass traditional antivirus protection.

Don’t wait until a malicious file compromises your network. Contact CyberFlow today to learn how our advanced cybersecurity solutions can protect your business from sophisticated malware attacks and keep your digital assets secure!