Rhysida is now taking advantage of users on Microsoft platforms to deliver malware, while abusing Microsoft code-signing certificates to make their files appear legitimate. The tech giant has revoked more than 200 certificates tied to the group, but researchers warn that the gang continues to find a way to slip past the cracks in security controls.
In its newest operation, Rhysida, previously known as Vice Society, is targeting users on platforms such as Microsoft Teams, Zoom, and PutTy.
The gang aims to gain access to company data via employees using these platforms.
First, the attackers buy Bing search engine advertisements. Once users click on them, they’re directed to malicious websites, where they're greeted with a very visible “Download” button. If the user proceeds to do as instructed on the malicious website, their computer gets infected with malware known as OysterLoader.
“The most recent campaigns push ads for Microsoft Teams and impersonate the download pages,” note researchers from Expel, who discovered the Rhysida scheme.
OysterLoader is an initial access tool that serves as a foot in the door – it allows attackers to install more malicious malware and stay inside. The longer the criminals are inside, the more they can steal.
The malware is encrypted to hide its functionality, keeping detection rates extremely low in the early stages. Researchers warn that this is a “common first step in a larger network intrusion.”
In addition, Rhysida has abused code-signing certificates, such as Microsoft’s Trusted Signing service. Operating systems use them as a way to valid if certain files come from legitimate sources. Rhysida managed to find a way around and therefore was able to bypass certain security controls.
These instances have increased Rhysida’s operations this year, with researchers having spotted more than 40 unique code-signing certificates between June and this month. In comparison, from May to September last year, just seven certificates were abused.
However, Rhysida’s operations are not limited to OysterLoader. Analysts have discovered that it also used Latrodectus malware, often signed with the same certificates.
To make its attacks more effective, the gang abused Microsoft’s Trusted Signing service. Normally, certificates from this service expire after 72 hours, thus making it hard for attackers to use them for criminal activity.
However, Rhysida found a way to sign their malware quickly and at scale. This allowed the gang to reach more victims before the certificates expired.
Microsoft has revoked over 200 certificates linked to the gang, but researchers warn that the malvertising campaign is still ongoing.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked