EXECUTIVE SUMMARY
A recent campaign has been found using SEO poisoning and malvertising to trick users into downloading fake versions of popular IT tools like PuTTY and WinSCP. These fake installers deliver a backdoor called Oyster/Broomstick that sets up persistence by creating a scheduled task running every few minutes, executing a malicious DLL. The campaign mainly targets IT users, but other tools could also be affected. Attackers rely on poisoned search results and automatic redirects, leading users to malicious sites within seconds, which is too fast for manual clicks. They also use domain spoofing and content hosted on trusted networks to appear legitimate. Short-lived certificates are abused to make the malware look signed and trusted, helping it bypass regular security checks.
Analysis of the attack chain shows a multi-step process designed to evade normal defenses. Users are first redirected from search engines to fake sites through ad networks. The malware is digitally signed with very short-lived certificates to pass signature checks and reduce the chance of revocation. If it runs successfully, the executable uses backdoor techniques to connect to control servers, collect data, and maintain access. Rapid detection rules on endpoints prevented the malware from connecting to these servers, stopping it from installing backdoors or stealing information. Multiple fake domains and fast redirects were used, and the same short-lived certificates were reused in other attacks, showing a coordinated effort.
This highlights important lessons for security. Attackers are using trusted tools, automatic redirects, and short-lived certificates to spread malware quickly. Normal signature checks alone are not enough. Users should get software only from trusted sources and avoid relying on search results for downloads. Monitoring for unusual redirects, new domains, and short-lived certificates can help detect threats early. Fast response rules on endpoints are essential to block malware before it executes. The campaign shows that attackers continue to improve their methods, combining fake search results, malicious ads, certificate abuse, and DLL-based backdoors. Maintaining multiple layers of protection and monitoring user activity is key to staying safe from these fast-moving attacks.
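As an added defender-side example (not part of the original report), the detection logic below checks scheduled-task records for the persistence pattern described above (a short repetition interval plus rundll32 loading a DLL from a user-writable path) and flags signer certificates with a very short validity window. The task names, paths, thresholds and sample records are constructed for illustration, not indicators from the campaign.

```python
import re
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not values taken from the report.
MAX_TASK_INTERVAL_MIN = 10        # "every few minutes" persistence pattern
MAX_CERT_LIFETIME_DAYS = 7        # short-lived signing certificate
USER_WRITABLE = re.compile(
    r"^(c:\\users\\[^\\]+\\appdata|c:\\users\\public|c:\\programdata)", re.I)

def interval_minutes(iso_duration):
    """Convert a Task Scheduler repetition interval such as PT3M or PT1H to minutes."""
    if not iso_duration:
        return None
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso_duration.upper())
    if not m:
        return None
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)

def flag_task(task):
    """Return the reasons a scheduled-task record matches the Oyster persistence pattern."""
    reasons = []
    mins = interval_minutes(task.get("interval"))
    if mins is not None and mins <= MAX_TASK_INTERVAL_MIN:
        reasons.append(f"repeats every {mins} min")
    if task.get("command", "").lower().endswith("rundll32.exe"):
        dll = re.search(r"([a-z]:\\[^,\s]+\.dll)", task.get("args", "").lower())
        if dll and USER_WRITABLE.match(dll.group(1)):
            reasons.append(f"rundll32 loads DLL from user-writable path {dll.group(1)}")
    return reasons

def short_lived_cert(not_before_iso, not_after_iso):
    """True when a signer certificate's validity window (ISO dates) is suspiciously short."""
    window = datetime.fromisoformat(not_after_iso) - datetime.fromisoformat(not_before_iso)
    return window <= timedelta(days=MAX_CERT_LIFETIME_DAYS)

def scan(tasks):
    """Map task name -> reasons for every task that trips at least one rule."""
    return {t["name"]: r for t in tasks if (r := flag_task(t))}

# Constructed sample records (hypothetical names and paths, not campaign indicators).
SAMPLE_TASKS = [
    {"name": "UpdateHelper", "interval": "PT3M",
     "command": r"C:\Windows\System32\rundll32.exe",
     "args": r"C:\Users\alice\AppData\Roaming\update\helper.dll,Start"},
    {"name": "VendorUpdate", "interval": "PT1H",
     "command": r"C:\Program Files\Vendor\updater.exe", "args": "/check"},
    {"name": "ControlPanelTask", "interval": None,
     "command": r"C:\Windows\System32\rundll32.exe",
     "args": r"C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
```

Running `scan(SAMPLE_TASKS)` flags only the constructed UpdateHelper task with both reasons; in practice the records would come from exported task XML or Security event 4698 fields.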
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
---|---|---|---|
Initial Access | T1189 | Drive-by Compromise | – |
Initial Access | T1204.002 | User Execution | Malicious File |
Execution | T1218.011 | System Binary Proxy Execution | RUNDLL32 |
Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task/ Job |
Defense Evasion | T1553.002 | Subvert Trust Controls | Code Signing |
Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
Defense Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
MBC MAPPING:
Objective | Behaviour ID | Behaviour |
---|---|---|
Execution | E1204 | User Execution |
Defense Evasion | F0015.001 | Export Address Table Hooking |
Command and Control | C0002.002 | HTTP Communication (Client) |
Persistence | F0012 | Registry Run Keys / Startup Folder |
Discovery | E1082.m02 | Enumerate Environment Variables |
Lateral Movement | E1105 | Ingress Tool Transfer |
Anti-Behavioral Analysis | B0007.003 | Human User Check |
Collection | C0051 | Read File |
Process Micro-objective | C0017.003 | Create Suspended Process |
REFERENCES:
The following reports contain further
https://cybersecuritynews.com/weaponized-microsoft-teams-installer/
https://conscia.com/blog/from-seo-poisoning-to-malware-deployment-malvertising-campaign-uncovered/
https://arcticwolf.com/resources/blog/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-trojanized-tools/