15th September, 2024

Shell Shocked: The Oyster Backdoor Update

In September 2024, a new version of the Oyster Backdoor, also known as CleanUpLoader, was discovered. It spread through fake software downloads via ads on search engines, posing as legitimate applications like Teams, Edge, and Chrome. The malware was linked to a specific company issuing certificates and showed similarities to earlier Oyster campaigns.
oyster image

In early September 2024, a limited set of observations emerged, suggesting a potential update to the Oyster backdoor (Broomstick), now referred to as CleanUpLoader, as dubbed by @RussianPanda9xx. These observations are primarily centred around a specific signing company responsible for issuing certificates linked to the deployed malware variants. By analysing the tactics, techniques, and procedures (TTPs) associated with CleanUpLoader and comparing them with the newly deployed executables, I was able to identify key patterns and draw meaningful conclusions.

2024 04 05_18h09_11

Figure 1: Depicts the malicious signed executables, including their icons and the associated signer name

My observations indicate that these executables were distributed through malvertising via sponsored advertisements in various search engines, consistent with previous Oyster Backdoor campaigns. The compromised websites impersonated legitimate software download platforms for popular applications like Teams, Edge, or Chrome, but instead delivered the malicious variants referenced above.

2024 04 05_18h21_21

Figure 2: An example of a malicious sponsored advertisement on Google Search
Credits - MalwareBytes

2024 04 05_18h30_18

Figure 3: An example of a malicious Teams website
Credits - Rapid7

I proceeded to collect all the malicious binaries to analyze the changes introduced since the previous version of the Oyster Backdoor. I was surprised to find minor updates even within the small subset of applications I analysed.

2024 04 05_18h21_21%20%281%29

Figure 4: Depicts malicious executables I analysed that are associated with the same signer

To begin, I verified that all the executables listed above were signed by the same signer.

2024 04 05_18h21_21%20%282%29

Figure 5: Depicts all the executables being analysed are signed by the same signer

Beginning with Chrome.exe, we observe that all strings in the .data section are in plaintext, and IP addresses are presented in a hex-encoded format. This pattern of the IP address encoding is consistent across all versions of the malware.

CleanShot%2B2024 09 15%2Bat%2B16.57.52@2x

Figure 6: Depicts the C2 IP addresses, DLL names, imported functions, as well as the PowerShell and system reconnaissance commands observed in the Chrome.exe binary

Upon closer examination, it becomes apparent that the strings appear unusual due to a special decoding scheme employed by this binary. Specifically, if a hex byte in the .data section is 0x20 or any value greater than or equal to 0x60, the decoder subtracts 0x20 from it. Conversely, if the byte is less than 0x60, it adds 0x20 to it.

Using this, we can decode the C2 IP addresses above, which yields the below result.

CleanShot%2B2024 09 15%2Bat%2B18.40.26@2x

Figure 7: Depicts the decoded C2 IP addresses observed in the Chrome.exe binary

Moving on to the Teams1.exe sample, the XOR key 0x04 is very evident from the repeating pattern in the .data section.

CleanShot%2B2024 09 15%2Bat%2B17.04.30@2x

Figure 8: Depicts the repeating 0x04 pattern observed in the Teams1.exe binary

By performing the XOR operation with the previously mentioned key and cleaning up the data structures, the following data is revealed.

CleanShot%2B2024 09 15%2Bat%2B17.12.52@2x

Figure 9: Depicts the C2 IP addresses, DLL names, imported functions, as well as the PowerShell and system reconnaissance commands observed in the Teams1.exe binary

In the Edge.exe binary, the XOR encryption pattern is similar. The repeating pattern indicates that the XOR key used is 0x95 in the .data section.

CleanShot%2B2024 09 15%2Bat%2B17.21.18@2x

Figure 10: Depicts the repeating 0x95 pattern observed in the Edge.exe binary

By applying a similar XOR operation and cleanup to the Edge.exe binary with the correct XOR key, as done with the Teams1.exe binary, we can retrieve the encrypted strings, as shown below.

CleanShot%2B2024 09 15%2Bat%2B18.47.53@2x

Figure 11: Depicts the C2 IP addresses, DLL names, imported functions, as well as the PowerShell and system reconnaissance commands observed in the Edge.exe binary

The Teams3.exe binary exhibits similarities to the Edge.exe and Teams1.exe binaries, including the use of a fixed XOR key for extracting plaintext strings. The repeated pattern observed in the Teams3.exe binary is shown below.

CleanShot%2B2024 09 15%2Bat%2B18.54.38@2x

Figure 12: Depicts the repeating 0x81 pattern observed in the Teams3.exe binary

By applying a similar XOR operation and cleanup to the Teams3.exe binary with the correct XOR key, as done with the Teams1.exe and Edge.exe binaries, we can retrieve the encrypted strings, as shown below.

CleanShot%2B2024 09 15%2Bat%2B18.59.46@2x

Figure 13: Depicts the C2 IP addresses, DLL names, imported functions, as well as the PowerShell and system reconnaissance commands observed in the Teams3.exe binary

The Teams2.exe binary operates differently by embedding a legitimate copy of Teams within its resources, along with an additional resource containing the backdoor, as illustrated below.

CleanShot%2B2024 09 15%2Bat%2B19.28.55@2x

Figure 14: Displays the .rsrc section of the Teams2.exe binary, which contains two resources—one being the legitimate Teams binary and the other a backdoor binary

We can verify the legitimacy of the Microsoft Teams copy by inspecting its digital signature, which is signed by Microsoft. In contrast, the second binary is unsigned, with the product name "technical" and a copyright attribution to the "technical Team" as shown below.

CleanShot%2B2024 09 15%2Bat%2B19.23.00@2x

Figure 15: Displays the Microsoft-signed Teams binary on the left and the unsigned backdoor binary details on the right

On inspecting the backdoor binary in further detail, we observe that this binary exhibits similarities to the Edge.exe, Teams3.exe and Teams1.exe binaries, including the use of a fixed XOR key for extracting plaintext strings. The repeated pattern observed in the backdoor binary is shown below.

CleanShot%2B2024 09 15%2Bat%2B19.41.55@2x

Figure 16: Depicts the repeating 0x7F pattern observed in the backdoor binary

By applying a similar XOR operation and cleanup to the backdoor binary with the correct XOR key, as done with the Teams1.exe, Teams3.exe and Edge.exe binaries, we can retrieve the encrypted strings, as shown below.

CleanShot%2B2024 09 15%2Bat%2B19.47.03@2x

Figure 17: Depicts the C2 IP addresses, DLL names, imported functions, as well as the system reconnaissance commands observed in the backdoor binary

A key observation is that this backdoor binary lacks the PowerShell command found in the previously analysed binaries. The reason for this omission will be discussed shortly.

Now that we have extracted the IOCs, let's examine the execution of this binary and analyse how the TTPs align with the Oyster Backdoor (CleanUploader/Broomstick). In the case of all binaries, except Teams2.exe, upon execution, they connect to a malicious domain to download the legitimate installer for the targeted application (Teams, Edge, Chrome, etc.) and install it to avoid raising suspicion, similar to CleanUpLoader. After successful installation, the binaries establish communication with their C2 server over port 443.

In previous instances of CleanUpLoader, the CleanUpXX.dll binary was embedded within the .rsrc section. However, in this case, it is downloaded from the C2 server and executed via hard-coded rundll32.exe commands found across all binaries, invoking the export function "rundll" within the downloaded DLL file.

The key difference with the Teams2.exe binary is that, since it already pre-packages the legitimate Teams installer, it does not connect to any malicious domain to download it. Instead, it extracts the installer from the .rsrc section, drops it onto the disk, and executes it to install the application. Once the installation is complete, the backdoor binary, also present in the .rsrc section, reaches out to the C2 server and follows the same procedures as the other binaries.

Additional Reading

IOCs

The indicators mentioned here are based on the analysis conducted by me and do not include any externally referenced indicators.

Name IOC Type
Chrome.exe 53ef19d7be0ba3e806e8dc558737725a MD5
Edge.exe 614cc21ab0f47b6006bebef6f6dfe19a MD5
Teams1.exe 9775a2e2d71d2a54f3d520cf716b1e9a MD5
Teams2.exe 113daf83beb775df8d0b87efa276e7f2 MD5
backdoor.exe f721eafc0eac8c03a0babc801263d244 MD5
Teams3.exe 5405c52eac7700c421bbfc818d3d2cea MD5
Malicious Domain to Download Legitimate Apps https://apple-online.shop/ URL
C2 128.140.55.152 IP
C2 159.65.0.17 IP
C2 38.132.122.155 IP
Malicious Certificate Signer

Fuzhou Xingmeng Information Technology Co., Ltd.

Signer
contact
logo
Custom HTML here.