Ransomware Group Targets Victims with Fake Microsoft Teams Ads

The Rhysida ransomware group has been exploiting search engine advertisements to target unsuspecting users looking for Microsoft Teams. When individuals click on these ads, they are directed to a malicious website that downloads malware instead of the legitimate software.

According to an analysis by Aaron Walton, a threat intelligence analyst at Expel, this malicious campaign began in June and is still ongoing. “We’re currently monitoring Rhysida’s operation that utilizes malicious advertisements to distribute OysterLoader malware,” Walton explained in a recent blog post.

Walton further noted that this campaign is not restricted to just OysterLoader; it also involves the Latrodectus malware, which is used to gain initial access to compromised networks. This follows a previous campaign by Rhysida that impersonated Teams and occurred from May to September 2024.

Operating under a ransomware-as-a-service (RaaS) model, Rhysida provides tools and infrastructure for affiliates to execute attacks, sharing the ransom profits. The group, which has been active since at least 2021 under various names, rebranded itself as Rhysida in 2023 and has since utilized its own variant of ransomware.

Since June, Rhysida has claimed responsibility for the data leaks of 27 organizations, with a total of around 200 since the start of 2023. It is important to note that the total number of victims is likely higher, as those listed on the leak site typically did not pay the ransom.

The latest campaign employs malvertising techniques, where the attackers purchase search engine ads—specifically on Bing—to guide potential victims to a counterfeit website that mimics a legitimate download page for Microsoft Teams. They often use typosquatting tactics, registering domain names that are slightly altered from the authentic ones.
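As an added illustration of the detection side (example code written for this article, not Expel's or Microsoft's tooling), the scanner below flags hosts in web proxy logs that sit within a short edit distance of legitimate Teams download hosts, or that carry the brand name inside an unrelated domain. The log lines and lookalike domains are constructed, and the allowlist of legitimate hosts is an assumption.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hosts a genuine Teams download should come from (assumption: trimmed allowlist).
LEGIT_HOSTS = ("teams.microsoft.com", "www.microsoft.com", "statics.teams.cdn.office.net")
BRAND_WORDS = ("microsoft", "teams")
MAX_EDIT_DISTANCE = 2

# Constructed proxy log lines, not real traffic: "<time> <client> <url> <status>".
SAMPLE_LOG = """\
2025-06-02T09:14:01Z 10.0.0.21 https://teams.microsoft.com/downloads 200
2025-06-02T09:15:37Z 10.0.0.21 https://teams-microsoft.com/download/TeamsSetup.exe 200
2025-06-02T09:16:02Z 10.0.0.33 https://www.micros0ft.com/en-us/microsoft-teams 200
2025-06-02T09:17:45Z 10.0.0.40 https://example.org/index.html 200
2025-06-02T09:18:10Z 10.0.0.40 https://msteams-download.example-cdn.net/setup.exe 200
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels; sufficient for the hosts here (assumption: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def suspicious_reason(host: str) -> Optional[str]:
    """Return why a host looks like a Teams lookalike, or None if it looks benign."""
    if host in LEGIT_HOSTS:
        return None
    for legit in LEGIT_HOSTS:
        d = edit_distance(host, legit)
        if d <= MAX_EDIT_DISTANCE:
            return f"edit distance {d} from {legit}"
    if registrable_domain(host) not in {registrable_domain(h) for h in LEGIT_HOSTS}:
        hit = [w for w in BRAND_WORDS if w in host.replace("-", "")]
        if hit:
            return f"brand word(s) {hit} in non-Microsoft domain"
    return None

def find_lookalikes(log_text: str) -> list:
    """Scan proxy log lines; return (client, host, reason) for each lookalike hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = (urlsplit(parts[2]).hostname or "").lower()
        reason = suspicious_reason(host)
        if reason:
            hits.append((parts[1], host, reason))
    return hits
```

The allowlist and distance threshold should be tuned to the organisation's own traffic; a threshold of 2 catches single-character swaps such as a zero for an "o" or a hyphen for a dot without flagging unrelated domains.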

Upon clicking the advertisement, users unintentionally download the malicious OysterLoader installer onto their devices. To evade detection by antivirus software, Rhysida employs a packing tool to obscure the malware’s functionality. Walton mentioned that due to this obfuscation, only a small number of detection engines typically identify the malware, often taking days before more antivirus programs flag it.

Additionally, the group utilizes code-signing certificates to deceive Windows into trusting their harmful files. In the first phase of Rhysida’s malvertising campaign involving Microsoft Teams, researchers identified seven certificates. However, the second phase, which began in June, saw a significant increase in the number of files and over 40 security certificates used, indicating a greater investment in operational resources.

If successful in bypassing an organization’s security defenses, the malware then deploys ransomware on the infected machines, leading to demands for extortion payments. Earlier this month, Microsoft announced that it had revoked more than 200 certificates previously employed by Vanilla Tempest in fraudulent Teams installation files designed to distribute Rhysida’s ransomware.

In response to inquiries from The Register, a Microsoft spokesperson stated that they could not disclose further information beyond what was shared on social media by their threat intelligence team. Walton confirmed that the Rhysida activity documented in the recent blog aligns with the campaign that Microsoft reported on October 15.

As cybersecurity experts become aware of this campaign, it is anticipated that the tactics employed by Rhysida will evolve. Expel plans to continue monitoring and tracking Rhysida’s activities, providing an ongoing list of indicators for further analysis.