
    Ransomware gang runs ads for Microsoft Teams to pwn victims

    Imagine searching for Microsoft Teams, seeing a text link at the top of the results, visiting it, and then getting hit with malware. The Rhysida ransomware gang, an especially insidious criminal organization that has stolen millions of people’s info, has been placing fake ads for Microsoft Teams in search engines and then infecting victims who make the mistake of clicking them.

    “We’re tracking Rhysida’s current campaign leveraging malicious advertisements to deliver OysterLoader malware (also known as Broomstick and CleanUpLoader),” Expel threat intel analyst Aaron Walton said in a Friday blog. According to the managed detection and response firm, the OysterLoader campaign began in June and remains ongoing.

    “We’ve seen new advertisements, new domains, and new malware as recently as this past Wednesday,” Walton told The Register. In the blog, he also noted that Rhysida’s activity isn’t limited to OysterLoader malware. “During the current campaign, they’re also using the Latrodectus malware to get initial access to networks.”

    This follows an earlier Rhysida campaign, also impersonating Teams, that ran from May 2024 to September 2024.

    Rhysida operates as a ransomware-as-a-service (RaaS) model, with core developers providing malware tools and infrastructure to affiliates, who carry out attacks and take a share of the ransom profits.

    The group has been operating since at least 2021 as Vice Society (aka Vice Spider, Vanilla Tempest) and using various ransomware variants before rebranding as Rhysida in 2023 and using Rhysida ransomware in its attacks.

    Rhysida has posted 27 organizations on its data leak site since June, and around 200 since 2023. Its total victim count is likely higher, as the ones that end up on the leak site are those who did not pay the ransom demand.

    The gang’s latest campaign uses malvertising to deliver OysterLoader, previously known as Broomstick and CleanUpLoader.

    With malvertising, the criminals buy search engine ads – Bing, in this particular case – to direct victims to a fake but realistic-looking, malware-laced website, often using typosquatting (registering a name or domain that’s one or two letters off from a legitimate one) to impersonate an official site. In this case, the user lands on a phony download page for Microsoft Teams.

    The search engine serves up the ad links, and when a user clicks on the link, they download a malicious installer, OysterLoader, onto their machine.
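    The lookalike-domain trick described above is something a defender can hunt for in proxy or DNS logs. The following is an added example, not code from The Register, Expel or the campaign write-up: it normalises common character substitutions (digit-for-letter, "rn" for "m"), then flags any host whose registrable label contains a brand word or sits within a small edit distance of it while not being on an allow-list of legitimate hosts. The log format, the allow-list, the brand words, the thresholds and every domain in the sample log are constructed for this example.

```python
"""Flag lookalike (typosquat) Teams/Microsoft domains in proxy log lines.

Added example, not code from the article or from Expel. All domains, log
lines, thresholds and the legitimate-host list below are constructed
assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts a genuine Teams download may come from (assumed allow-list).
LEGIT_HOSTS = {"teams.microsoft.com", "www.microsoft.com", "microsoft.com"}

# Brand words to watch for, with the edit distance at which a registrable
# label is still treated as a near-miss (assumed tuning values).
BRANDS = {"microsoft": 2, "teams": 1}

# Digit-for-letter substitutions commonly seen in lookalike names.
DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2025-10-24T10:01:02Z 10.0.0.5 GET https://teams.microsoft.com/downloads 200
2025-10-24T10:02:14Z 10.0.0.7 GET https://teams-micros0ft.example/download/TeamsSetup.exe 200
2025-10-24T10:03:30Z 10.0.0.9 GET https://www.example.org/index.html 200
2025-10-24T10:04:11Z 10.0.0.5 GET https://rnicrosoft-teams.example/TeamsSetup.exe 200
2025-10-24T10:05:48Z 10.0.0.8 GET https://microsft.example/TeamsSetup.exe 200
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Undo common homoglyph tricks so 'rnicros0ft' compares as 'microsoft'.

    The 'rn' -> 'm' fold is deliberately crude (it also rewrites 'internet');
    it only feeds a heuristic, not a verdict.
    """
    return label.lower().replace("rn", "m").translate(DIGIT_MAP)


def registrable_label(host: str) -> str:
    """Second-level label of the host ('teams-micros0ft' for
    'teams-micros0ft.example'). Simplification: multi-part public suffixes
    such as co.uk are not handled."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def classify_host(host: str):
    """Return a reason string if the host looks like a brand lookalike, else None."""
    host = host.lower().rstrip(".")
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return None
    label = normalize(registrable_label(host))
    for brand, max_dist in BRANDS.items():
        if brand in label:
            return f"brand word '{brand}' in non-allow-listed domain"
        if levenshtein(label, brand) <= max_dist:
            return f"within edit distance {max_dist} of '{brand}'"
    return None


def scan_log(text: str):
    """Return (client, host, reason) for every line whose host looks suspicious."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        host = urlparse(m["url"]).hostname or ""
        reason = classify_host(host)
        if reason:
            hits.append((m["client"], host, reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

    Three of the five constructed lines are flagged (the digit-substituted, the "rn"-for-"m" and the single-letter-dropped domains); the genuine teams.microsoft.com request and the unrelated example.org request pass. In practice the allow-list and brand words would come from your own environment, and a hit is a trigger for triage (what was downloaded, was it executed, does the certificate chain look odd) rather than a block on its own.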

    To ensure a lower detection rate by VirusTotal and other anti-virus engines – and ultimately successful ransomware infection – Rhysida is using a packing tool to hide the malware’s capabilities. “Due to their obfuscation, it is common for five or fewer detection engines to flag the malware and it can take several days before more AV engines flag the malware,” Walton said.

    The ransomware criminals also use code-signing certificates to help trick Windows into trusting their malicious files. 

    During the gang’s first Microsoft Teams malvertising campaign in 2024, researchers tracked seven certificates. The second wave, which began in June, saw a massive increase in files, with more than 40 code-signing certificates used, “indicating higher operational tempo and resource investment,” Walton wrote.

    Assuming that these tricks work and the malware bypasses organizations’ security tools, the loader then deploys ransomware on the compromised computers and the attackers demand an extortion payment.

    ‘Same activity’ reported by Microsoft

    It’s worth noting that earlier this month, Microsoft said it revoked more than 200 certificates that Vanilla Tempest used in fake Teams setup files to ultimately deliver Rhysida ransomware. 

    The Register asked Microsoft if these code-signing certificates were related to the activity Expel documented, and a spokesperson said Redmond couldn’t share any information beyond what the threat intel team posted on social media. 

    Walton, however, told us that the Rhysida campaign documented in the Friday blog is the same one Microsoft reported on October 15.

    “We saw Microsoft’s post but have been tracking the same activity and wanted to share more details and specifics we feel are important to understanding this behavior,” he said. “We’ve also reported files with Microsoft Trusted Signing certificates to their team.”

    As defenders catch on to this campaign, it will likely change, and Expel says it will continue to monitor and track Rhysida’s activity with this list of indicators on GitHub. ®
