Investigating the Oyster Backdoor Campaign and its Targeting of IT Professionals
August 26, 2025 | 2 min read
Thomas Elkins, Joshua Green, and Ian Harte


BlueVoyant’s researchers observed the Oyster Backdoor malware being disguised as the legitimate IT tools WinSCP and PuTTY, potentially to carry out ransomware attacks.
BlueVoyant investigated the latest Oyster malware attacks, delivered in a widespread campaign that targets IT professionals by impersonating legitimate IT tools. The campaign was originally discovered by outside researchers, but when BlueVoyant’s SOC observed suspicious behavior in a client environment in the healthcare sector, the team, including the Threat Fusion Cell (TFC), decided to delve deeper. BlueVoyant notes that Oyster has a close working relationship with the Rhysida ransomware family, which has claimed at least 10 victims since the beginning of June according to its ransomware leak website, and the adversaries appear to remain prevalent and active.
Inside the Attack: From Installer to Backdoor
The BlueVoyant team observed Oyster Backdoor being used to deploy additional payloads within a client environment operating in the healthcare sector. Payloads are the code in malware designed to perform unauthorized actions. After a thorough investigation, BlueVoyant determined that an IT user downloaded a malicious installer masquerading as WinSCP, a legitimate IT tool, and that running it deployed the Oyster Backdoor. The malware was also found disguised as PuTTY, another admin tool. Once deployed, Oyster enabled the threat actors to exploit elevated privileges to move laterally and maintain persistence.
Within hours, the attackers created new admin accounts and attempted to deploy Havoc Command and Control (C2) on a domain controller. Thanks to rapid detection and response by BlueVoyant’s Security Operations Center (SOC), the attack chain was disrupted before further damage could occur.
The Oyster Backdoor: A Familiar Threat, Evolved
BlueVoyant researchers noted several updates in the observed malware compared to previous samples, indicating ongoing development and refinement. The backdoor still maintains its core capabilities wherein it can collect detailed system and user information, establish C2 communication, and deploy follow-on payloads for further compromise.
Infrastructure Links to Rhysida Ransomware
BlueVoyant’s TFC identified infrastructure links between this campaign and the activity cluster known as TAG-124, previously reported by outside researchers.
The adversary behind Oyster is believed to be an initial access operator for Rhysida ransomware. This connection underscores the broader threat posed by these campaigns, which often serve as precursors to ransomware deployment.
For a more detailed technical analysis of how the BlueVoyant SOC dealt with the Oyster Backdoor, please read our full report.
How to Prevent Malware Attacks
When downloading software or updates, always use trusted sources. Avoid clicking on links and opening attachments in emails.
Organizations should have 24x7 monitoring so that suspicious activity is noticed promptly.
They should also subscribe to threat intelligence so they are aware of the latest threats.
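As an added example (not code from the BlueVoyant post or its full report), the following PowerShell check turns the "trusted sources" advice into something an admin can run before executing a downloaded WinSCP or PuTTY installer: it verifies the Authenticode signature, checks that the signer's subject matches the expected publisher, and optionally compares the file's SHA-256 against a vendor-published checksum. The publisher pattern and the checksum value in the usage line are assumptions and placeholders; take them from the vendor's own website.

```powershell
# Added example: verify a downloaded admin-tool installer before running it.
# Expected publisher patterns and the checksum are ASSUMPTIONS / placeholders;
# always copy them from the vendor's own site, never from the download page.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ExpectedSubjectPatterns,
        [string] $ExpectedSha256            # optional vendor-published SHA-256
    )

    $result = [ordered]@{
        Path = $Path; SignatureValid = $false; PublisherMatch = $false
        HashMatch = $null; Verdict = 'REJECT'
    }

    # 1. Authenticode: signature must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')

    # 2. Publisher: a valid signature from the WRONG signer is still a red flag,
    #    since an impostor installer can carry its own freshly issued certificate.
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $result.PublisherMatch = [bool]($ExpectedSubjectPatterns |
            Where-Object { $subject -like $_ })
    }

    # 3. Checksum: compare with the vendor-published SHA-256 when one is supplied.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        $result.HashMatch = ($actual -ieq $ExpectedSha256)
    }

    # Only accept when the signature, the publisher and (if checked) the hash agree.
    if ($result.SignatureValid -and $result.PublisherMatch -and
        ($result.HashMatch -ne $false)) {
        $result.Verdict = 'OK'
    }
    [pscustomobject]$result
}

# Usage. The subject pattern is an assumption about WinSCP's signing identity;
# the checksum is a placeholder for the value published on the vendor's site.
Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\WinSCP-Setup.exe" `
    -ExpectedSubjectPatterns @('CN=Martin Prikryl*') `
    -ExpectedSha256 'PLACEHOLDER_VENDOR_PUBLISHED_SHA256'
```

A `Verdict` of `REJECT` with `SignatureValid` true but `PublisherMatch` false is the pattern to treat as a likely impostor installer rather than a benign mismatch.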
How BlueVoyant Protects Against Threats Like Oyster
BlueVoyant’s global SOC, TFC, and Threat Hunt teams work 24x7 to detect, investigate, and neutralize threats like Oyster. Our threat intelligence, rapid incident response, and proactive threat hunting capabilities help ensure that clients are protected from the latest threats. This is part of our MDR service. To learn more about it, please contact us.
Thomas Elkins is a Tier 3 SOC Analyst, Joshua Green is a Principal Security Researcher, and Ian Harte is a Threat Hunt Analyst.