Backdoor
APT
Windows
Oyster (also known as Broomstick or CleanUpLoader) is a Windows backdoor first observed in July 2023. Written in C++, it gives the operator a remote session on the infected host, with file transfer and command-line execution. Several threat actors have used it as an initial foothold for ransomware attacks.
Oyster is distributed through malvertising. Users searching for popular software such as Microsoft Teams or Google Chrome are sent to look-alike websites that serve trojanized installers. Running such an installer drops the Oyster backdoor and gives the attackers access to the compromised system.
Features
Once installed, Oyster collects basic system information and contacts its command-and-control (C2) server. It can execute commands through cmd.exe and run additional files, which gives the operator control of the infected host and a path to deploy further payloads, including ransomware.
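The behaviour above (a freshly downloaded "installer" spawning cmd.exe on behalf of a backdoor) has a recognisable process shape in Sysmon Event ID 1 (ProcessCreate) telemetry. The PowerShell below is an added hunting example written for this page, not code from the original entry or from any vendor report on Oyster: it flags cmd.exe whose parent image runs from a user-writable directory. The directory list, the sample event records and the field mapping are assumptions for illustration, not Oyster indicators; a legitimate installer can produce the same shape, so treat hits as leads to triage.

```powershell
# Added hunting heuristic (not from the original page): cmd.exe launched by a
# binary living in a user-writable directory. Assumed directory list and
# constructed sample events; tune both to your environment.

function Test-SuspiciousCmdParent {
    param(
        [Parameter(Mandatory)] [string]$Image,
        [Parameter(Mandatory)] [string]$ParentImage
    )
    # Locations an unprivileged user can write to. Vendor installers also run
    # from Downloads, so a hit is a hunting lead, not a verdict.
    $userWritable = @(
        '\Downloads\',
        '\AppData\Local\Temp\',
        '\AppData\Roaming\',
        '\Users\Public\'
    )
    if ($Image -notmatch '\\cmd\.exe$') { return $false }
    foreach ($dir in $userWritable) {
        if ($ParentImage -like "*$dir*") { return $true }
    }
    return $false
}

# Map a live Sysmon ProcessCreate event to the four fields the heuristic needs.
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = ([xml]$Event.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            UtcTime     = ($data | Where-Object Name -eq 'UtcTime').'#text'
            Image       = ($data | Where-Object Name -eq 'Image').'#text'
            ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    }
}

# Constructed sample records in the shape produced by ConvertFrom-SysmonProcessCreate.
# Only the first one should be flagged: cmd.exe under a "Teams" installer in Downloads.
$sampleEvents = @(
    [pscustomobject]@{ UtcTime = '2024-06-01 10:01:02'; Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Users\alice\Downloads\MSTeamsSetup.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ UtcTime = '2024-06-01 10:05:00'; Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'cmd.exe' }
    [pscustomobject]@{ UtcTime = '2024-06-01 10:06:30'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        ParentImage = 'C:\Users\alice\Downloads\ChromeSetup.exe'; CommandLine = 'chrome.exe' }
)

$hits = $sampleEvents | Where-Object { Test-SuspiciousCmdParent -Image $_.Image -ParentImage $_.ParentImage }
$hits | Format-Table UtcTime, ParentImage, CommandLine -AutoSize

# Same filter over the live Sysmon log on a host that has Sysmon installed:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonProcessCreate |
#     Where-Object { Test-SuspiciousCmdParent -Image $_.Image -ParentImage $_.ParentImage }
```

The parent/child test is deliberately narrow so it is cheap to run over a large log; widen it (PowerShell or rundll32 children, network connections from the same parent, the CommandLine content) once the first hits show what the local baseline looks like.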
Evolution and Connections
First publicly documented by IBM researchers in September 2023, Oyster has been associated with several cybercriminal operations. The Rhysida ransomware group used the Oyster backdoor in an attack on an academic institution to deliver its ransomware, which shows Oyster acting as a delivery stage for more destructive malware.
Mitigation
Download software only from the vendor's own site or store, and verify the installer's publisher signature before running it.
Use web filtering to block known malvertising and malware-hosting domains.
Keep endpoint security software and its signatures up to date so the dropped backdoor is detected.
Run security awareness training so users recognise phishing and malvertising, including sponsored search results that lead to look-alike download pages.
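The first mitigation, checking that a downloaded installer really comes from the vendor, can be made a concrete step rather than advice. The PowerShell below is an added example for this page, not code from the original entry or from any vendor: it checks that the file carries a valid Authenticode signature, that the signer's subject names the expected publisher, and optionally that the SHA-256 matches a hash the vendor publishes. The file path, publisher string and hash are placeholders the reader supplies; a look-alike site can serve an unsigned binary, or one signed by an unrelated publisher, under the real product's file name, and both cases fail this check.

```powershell
# Added verification example (not from the original page). Path, expected
# publisher and reference hash are placeholders to be replaced by the reader.

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedPublisher,  # substring of the signer's Subject, e.g. 'CN=Microsoft Corporation'
        [string]$ExpectedSha256                              # optional: hash published by the vendor
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $reasons = @()
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the embedded hash matches the file, the certificate chain
    # builds to a trusted root, and the certificate was not revoked.
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is '$($sig.Status)'"
    }
    elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        # A valid signature from the wrong publisher is still the wrong file.
        $reasons += "signed by '$($sig.SignerCertificate.Subject)', expected '$ExpectedPublisher'"
    }

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            $reasons += "SHA-256 $actual does not match the vendor-published value"
        }
    }

    [pscustomobject]@{
        Path    = $Path
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Usage with placeholder values (assumed for illustration)
$result = Test-TrustedInstaller -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" `
                                -ExpectedPublisher 'CN=Microsoft Corporation'
if ($result.Trusted) {
    Write-Host "Signature and publisher check passed for $($result.Path)"
} else {
    Write-Warning ("Do not run {0}: {1}" -f $result.Path, ($result.Reasons -join '; '))
}
```

The publisher check is what makes this useful against trojanized installers: a valid signature alone only proves that some code-signing certificate holder signed the file, and certificates are stolen and bought. Pin the subject you expect, and treat a status of NotSigned or HashMismatch on a file that should be signed as a reason to delete it rather than investigate it on the endpoint.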