Malware Masquerading as AI Tools Targets 8,500+ SMB Users in an SEO Poisoning Campaign

The campaign promotes fake websites hosting trojanized versions of legitimate tools like PuTTY and WinSCP, aiming to trick software professionals.
Cybersecurity researchers have discovered a malicious campaign that uses search-engine-optimised fake landing pages to distribute the Oyster malware loader.

Security researchers at Arctic Wolf found that the threat actors have set up numerous landing pages impersonating the download sites of two well-known Windows tools for securely connecting to remote servers: the SSH client PuTTY and the SFTP/SCP client WinSCP.

People who search for these tools on Google (primarily IT, cybersecurity, and web development professionals) can be lured to a fraudulent site because the pages look just like the genuine ones. Since nothing on the site raises suspicion, the user downloads the installer, which works exactly as expected but also installs Oyster, a well-known malware loader also tracked as Broomstick or CleanUpLoader. Because the trojanized tool is fully functional, the victim gets no failure or error that would hint at a compromise.

"Upon execution, a backdoor known as Oyster/Broomstick is installed," Arctic Wolf noted. "Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism."
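The persistence mechanism quoted above is easy to hunt for on a Windows host, because a legitimate scheduled task rarely combines rundll32.exe, a DllRegisterServer export and a repetition interval of a few minutes. The following script is an added example written for this page, not Arctic Wolf's code. It matches on the pattern rather than on the file name, since the DLL name can change between samples; twain_96.dll is only flagged separately because it is the one name the report gives. Assumptions: it is run in an elevated PowerShell session on the host being inspected, and the 10-minute threshold is an arbitrary choice wide enough to catch the reported 3-minute task.

```powershell
# Added hunting example for the Oyster persistence pattern (not Arctic Wolf's code).
# Lists scheduled tasks whose action launches rundll32.exe with a DllRegisterServer
# export and whose trigger repeats at a short interval.
# Assumptions: elevated session on the host under inspection; 10-minute threshold is arbitrary.

$MaxInterval = [TimeSpan]::FromMinutes(10)   # assumed threshold; the reported task fires every 3 minutes

$findings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; only exec actions are of interest here
        if (-not $action.Execute) { continue }
        $exe       = $action.Execute.Trim('"')
        $arguments = [string]$action.Arguments
        if ($exe -notmatch '(^|\\)rundll32(\.exe)?$') { continue }
        if ($arguments -notmatch 'DllRegisterServer') { continue }

        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval     # ISO 8601 duration string, e.g. PT3M
            if (-not $interval) { continue }
            $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
            if ($span -gt $MaxInterval) { continue }
            [pscustomobject]@{
                Task     = "$($task.TaskPath)$($task.TaskName)"
                Interval = $span
                Command  = "$exe $arguments"
                Author   = $task.Author
                KnownIoc = ($arguments -match 'twain_96\.dll')   # file name given in the Arctic Wolf report
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No rundll32/DllRegisterServer scheduled tasks with a short repetition interval were found.'
}
```

Any hit should be treated as a lead, not a verdict: collect the referenced DLL, the task's Author and creation time, and the process tree around rundll32.exe before disabling the task, so the loader's follow-on payloads can be identified rather than just the persistence entry removed.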

Oyster is a stealthy malware loader that delivers additional payloads to compromised Windows systems, usually as one stage of a multi-stage attack. To evade detection and maintain persistence, it uses techniques such as process injection, string obfuscation, and HTTP-based command-and-control. Among the fake websites used in the attacks were updaterputty[.]com, zephyrhype[.]com, putty[.]run, putty[.]bet and putty[.]org.

Arctic Wolf emphasised that only trojanized versions of PuTTY and WinSCP have been observed in this campaign, but that other tools could be abused in the same way. Out of caution, IT professionals are advised to download software only from the publisher's official site and to type the address in themselves rather than searching for the tool and clicking the first result.
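Typing the address by hand stops the search-result redirect, but it does not help once an installer has already been downloaded from a look-alike site, and a build that "works" gives no clue that it was tampered with. A practical second check is to verify the file against what the publisher actually ships. The function below is an added example for this page, not code from the original article or from the PuTTY or WinSCP projects. It assumes the expected SHA-256 is copied from the publisher's own download page (both projects publish checksums for their releases) and that the expected Authenticode signer name is taken from a known-good copy of the tool, never from the file under test. The signer name in the usage comment is an assumption to confirm against such a copy.

```powershell
# Added example (not the page's or the vendors' code): verify a downloaded PuTTY/WinSCP
# binary before running it. A functional trojanized build is caught when either its
# hash differs from the published one or its signature is missing or from another signer.
# Assumptions: the expected hash comes from the official download page; the expected
# signer subject comes from a known-good installation.

function Test-DownloadedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,        # copied from the publisher's site, not the download site
        [Parameter(Mandatory)] [string] $ExpectedSignerSubject  # CN on a known-good release's Authenticode certificate
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # A trojanized build may carry a *valid* signature from the attacker's own certificate,
    # so the signer identity is compared as well as the Status field.
    $signatureValid = ($sig.Status -eq 'Valid')
    $signerMatches  = ($signatureValid -and ($sig.SignerCertificate.Subject -like "*CN=$ExpectedSignerSubject*"))
    $hashMatches    = ($hash -ieq $ExpectedSha256)

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        HashMatches     = $hashMatches
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        SignerMatches   = $signerMatches
        SafeToRun       = ($hashMatches -and $signerMatches)
    }
}

# Usage; the hash is a placeholder to fill in from the official page, and the signer
# subject is an assumption to confirm against a known-good copy of PuTTY:
# Test-DownloadedBinary -Path "$env:USERPROFILE\Downloads\putty-64bit-installer.msi" `
#     -ExpectedSha256 '<sha256 from the official download page>' `
#     -ExpectedSignerSubject 'Simon Tatham'
```

Only `SafeToRun` should be trusted; a matching hash with a failed signature, or a valid signature from an unexpected signer, both mean the file is not the publisher's build and should be quarantined and reported rather than executed.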

Labels: Fake Sites, Malicious Campaign, malware, Oyster Backdoor, SEO Poisoning