Overview
- The company reports it disrupted the Vanilla Tempest campaign in early October after detecting it in late September and updated protections to flag related signatures for the fake installers, Oyster backdoor, and Rhysida ransomware.
- Vanilla Tempest, also known as Vice Society and VICE SPIDER, distributed trojanized MSTeamsSetup.exe from domains mimicking Microsoft Teams such as teams-download.buzz, teams-install.run, and teams-download.top.
- Users were funneled to the spoofed download sites through SEO poisoning and malicious advertisements that made the pages appear in search results for Microsoft Teams.
- Executing the fake installers launched a loader that deployed the signed Oyster backdoor, enabling remote access, file theft, command execution, and delivery of additional payloads.
- Investigators say the actor abused Trusted Signing and certificates from SSL.com, DigiCert, and GlobalSign to legitimize the malicious binaries, with Blackpoint Cyber first detailing the campaign last month.
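The spoofed domains and the trojanized MSTeamsSetup.exe named above give defenders two cheap signals in web-proxy logs: a Teams-lookalike hostname, and the installer file name fetched from anything other than a Microsoft-controlled domain. The following is an added example (not code from the report or from any vendor named above); the log lines are constructed, and the Microsoft domain allowlist is an assumption to be adapted to your environment.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log lines (client, method, URL, status); not from the report.
SAMPLE_LOG = """\
10.0.0.5 GET https://teams-download.buzz/MSTeamsSetup.exe 200
10.0.0.5 GET https://www.microsoft.com/en-us/microsoft-teams/download-app 200
10.0.0.9 GET https://teams-install.run/download/MSTeamsSetup.exe 200
10.0.0.9 GET https://statics.teams.cdn.office.net/production-windows-x64/MSTeamsSetup.exe 200
10.0.0.12 GET https://teams-download.top/ 200
10.0.0.12 GET https://example.org/news/teams-update 200
"""

# Assumed allowlist of Microsoft-controlled registrable domains; adjust for your tenant.
MS_DOMAINS = {"microsoft.com", "office.com", "office.net", "microsoftonline.com"}
LOOKALIKE = re.compile(r"teams[-_.]?(download|install|setup)", re.I)
INSTALLER = re.compile(r"/MSTeamsSetup\.exe$", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of the host; adequate for these TLDs, use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(url: str) -> Optional[str]:
    """Return a reason if the URL looks like a spoofed Teams download, else None."""
    parsed = urlsplit(url)
    host = parsed.hostname or ""
    if registrable_domain(host) in MS_DOMAINS:
        return None  # genuine Microsoft source, whatever the path
    if INSTALLER.search(parsed.path):
        return "MSTeamsSetup.exe served from non-Microsoft host"
    if LOOKALIKE.search(host):
        return "Teams-lookalike hostname"
    return None


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan proxy log lines and return (client, host, reason) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the scan
        client, _method, url, _status = fields[:4]
        reason = classify(url)
        if reason:
            hits.append((client, urlsplit(url).hostname or "", reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in find_suspicious(SAMPLE_LOG):
        print(f"{client}\t{host}\t{reason}")
```

Hostname matching alone will miss lookalikes that drop the word "teams", so the installer-name rule is the one worth keeping even if you tune the regex.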