
Malicious Chrome and Teams downloads are putting people at risk


An intricate malvertising campaign is targeting unsuspecting users attempting to download widely used software, including Google Chrome and Microsoft Teams. By exploiting typo-squatted domains and deceptive advertising, attackers are luring users into downloading malicious installers, ultimately deploying the dangerous Oyster backdoor, also known as Broomstick.

Oyster is typically introduced through a loader disguised as a legitimate software installer. Once executed, the loader drops the main component, Oyster Main, which performs system reconnaissance, establishes communication with command-and-control (C2) servers, and facilitates remote code execution.

The attack starts with malicious advertising: cybercriminals buy ad space on well-known search engines such as Google and Bing. These advertisements lead users to typo-squatted websites that are almost identical to legitimate software download pages. For instance, the site hxxps://microsoft-teams-download[.]com mimics the real Microsoft Teams site.

“Users were directed to these websites after using search engines such as Google and Bing for Microsoft Teams software downloads,” said Rapid7 researchers. “The websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software.”

Malicious Microsoft Teams website mimicking the original one. | Source: Rapid7

When users download from these sites, they get a malicious installer file, such as MSTeamsSetup_c_l_.exe, which is deceptively signed with a certificate from “Shanxi Yanghua HOME Furnishings Ltd.”

Further investigation by researchers revealed that numerous malicious files signed with the same fraudulent certificate were also used by the threat actor. On May 29, 2024, researchers found an installer named TMSSetup.exe, which was signed by “Shanghai Ruikang Decoration Co., Ltd.”

When researchers analysed the MSTeamsSetup_c_l_.exe file, they found that it contained embedded binaries that are executed during installation. One of these binaries, CleanUp30.dll, is pivotal in deploying the backdoor: it is launched via rundll32.exe with a command that starts the backdoor without raising suspicion.

Once running, CleanUp30.dll creates a mutex to prevent multiple instances from running simultaneously. It then sets up a scheduled task named ClearMngs to rerun the DLL every three hours, maintaining persistence on the infected system.

CleanUp30.dll execution. | Source: Rapid7

CleanUp30.dll collects extensive system information, including domain details, user credentials, and machine identifiers, which it encodes and sends to the C2 servers. It employs the Boost.Beast library for HTTP and WebSocket communication with domains such as whereeverhomebe[.]com, supfoundrysettlers[.]us, and retdirectyourman[.]eu.

Researchers also observed post-infection activity, including a PowerShell script that established persistence via a DiskCleanUp shortcut (.lnk). This script executed additional payloads such as k1.ps1, main.dll, and getresult.exe, which allowed attackers to perform extensive system enumeration and maintain long-term control over the compromised systems.
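The indicators the article walks through (rundll32.exe launching CleanUp30.dll, the ClearMngs scheduled task, the lure domain and the three C2 domains) can be turned into a simple hunt over endpoint telemetry. The following Python is an added example, not Rapid7's code or part of the original article; the log lines are constructed, the Sysmon/Security-style field names are assumed, and the rundll32 export name is a placeholder because the article does not give the command.

```python
import json

# Indicators quoted in the article, with the defanging brackets removed for matching.
C2_DOMAINS = {"whereeverhomebe.com", "supfoundrysettlers.us", "retdirectyourman.eu"}
LURE_DOMAIN = "microsoft-teams-download.com"
LOADER_DLL = "cleanup30.dll"
TASK_NAME = "clearmngs"

# Constructed events, one JSON object per line (not real telemetry). Field names are
# assumed: event_id 1 = process creation, 22 = DNS query, 4698 = scheduled task created.
SAMPLE_LOG = "\n".join([
    json.dumps({"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
                "command_line": r"rundll32.exe C:\Users\u\AppData\Local\Temp\CleanUp30.dll,EntryPoint"}),
    json.dumps({"event_id": 4698, "task_name": r"\ClearMngs", "user": "CORP\\u"}),
    json.dumps({"event_id": 22, "image": r"C:\Windows\System32\rundll32.exe",
                "query_name": "supfoundrysettlers.us"}),
    json.dumps({"event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
                "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"}),  # benign
    json.dumps({"event_id": 22, "image": r"C:\Program Files\Teams\Teams.exe",
                "query_name": "teams.microsoft.com"}),  # benign
])


def check_event(ev):
    """Return a (rule, detail) tuple if the event matches an article indicator, else None."""
    eid = ev.get("event_id")
    cmd = ev.get("command_line", "").lower()
    image = ev.get("image", "").lower()
    if eid == 1 and image.endswith("rundll32.exe") and LOADER_DLL in cmd:
        return ("oyster_loader_rundll32", ev["command_line"])
    if eid == 4698 and ev.get("task_name", "").lower().lstrip("\\") == TASK_NAME:
        return ("oyster_persistence_task", ev["task_name"])
    if eid == 22:
        qname = ev.get("query_name", "").lower()
        if qname in C2_DOMAINS or qname == LURE_DOMAIN:
            return ("oyster_known_domain", qname)
    return None


def hunt(log_text):
    """Parse newline-delimited JSON events and return every indicator match, in order."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hit = check_event(json.loads(line))
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```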

Cybersecurity experts advise users to exercise caution when downloading software, ensuring they visit the official vendor website. Organisations should deploy advanced endpoint detection solutions to monitor suspicious activities.



Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
