SOC Incident Toolkit

Operation CallSpoof

Oyster, Broomstick, SEO-poisoning, supply-chain-lite

Operation CallSpoof is a malicious-ad and SEO-poisoning campaign that lures users into downloading fake Microsoft Teams installers. The installers drop the Oyster (Broomstick) backdoor under AppData, create a scheduled task for persistence, and connect to attacker-controlled command-and-control (C2) servers. The campaign uses fake code signatures and spoofed download sites to look legitimate and pass basic checks.

Indicators of Compromise

Hashes (1)

d28b4136a7e6148de5c26a055c711f4f

Notes

<div class="content-body"> <span class="content-title">CONCLUSION</span> <p class="content-description">Operation CallSpoof shows how attackers combine simple but effective lures with operational tradecraft: poisoned search ads, fake download sites, trojanized installers, and scheduled tasks that invoke rundll32 to keep the backdoor running. Because the lures target people searching for common admin tools and collaboration apps, the campaign can spread quickly across many businesses. Detection depends on monitoring how users execute downloaded files, scheduled task creation, rundll32 usage, and connections to known C2 hosts.</p> <p class="content-description">There are a number of ways that SOCRadar can help your team with this <a href="https://socradar.io/labs/campaigns/">campaign</a>:</p> <ul> <li class="content-description"><span class="content-title">IOC enrichment module:</span> ingest the domain and hash IOCs (such as nickbush24[.]com, techwisenetwork[.]com, and the SHA256s that Blackpoint published) and get context and history immediately.</li> <li class="content-description"><span class="content-title">Malware Analysis or CTI modules:</span> map the observed TTPs to MITRE and build detection playbooks you can deploy in your SIEM. SOCRadar also provides YARA and Sigma rule libraries that speed up writing and testing rules.</li> <li class="content-description"><span class="content-title">Integrated </span><a href="https://socradar.io/products/brand-protection/integrated-takedown/">takedown</a><span class="content-title"> and </span><a href="https://socradar.io/products/brand-protection/">brand protection</a><span class="content-title">:</span> SOCRadar can help you find fake domains and malicious ad placements and either take them down or monitor them, limiting the reach of the campaign.</li> </ul> </div>
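The monitoring the conclusion calls for, as an added example that is not SOCRadar's or Blackpoint's code: a small Python detector that flags Security event 4698 scheduled-task creations whose action runs rundll32 against a DLL under AppData, and Sysmon process-creation events (Event ID 1) showing rundll32 loading a DLL from AppData, which is the persistence pattern this page describes. All event records, user names, task names and paths are constructed samples, and the field names are assumed approximations of the Windows and Sysmon event fields.

```python
import json
import re

# Constructed sample telemetry (not real events): Windows Security 4698
# (scheduled task created) and Sysmon Event ID 1 (process create), as JSON lines.
# User names, task names and paths are made up for the example.
SAMPLE_EVENTS = r"""
{"EventID": 4698, "User": "CORP\\jdoe", "TaskName": "\\TeamsUpdater", "TaskContent": "<Exec><Command>rundll32.exe</Command><Arguments>C:\\Users\\jdoe\\AppData\\Roaming\\Teams\\CaptureService.dll,DllRegisterServer</Arguments></Exec>"}
{"EventID": 4698, "User": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>"}
{"EventID": 1, "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\jdoe\\AppData\\Roaming\\Teams\\CaptureService.dll,DllRegisterServer"}
{"EventID": 1, "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
"""

# rundll32 as the executable (bare name or full path), and a DLL argument under
# a per-user AppData directory, which is where the page says the backdoor lands.
RUNDLL32_RE = re.compile(r"(^|\\)rundll32(\.exe)?\b", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\", re.IGNORECASE)


def load_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_rundll32_appdata(command: str, arguments: str) -> bool:
    """True when rundll32 is the executable and its DLL argument lives under AppData."""
    return bool(RUNDLL32_RE.search(command)) and bool(APPDATA_RE.search(arguments))


def detect(events: list) -> list:
    """Return one alert dict per event matching the CallSpoof persistence pattern."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4698:
            xml = ev.get("TaskContent", "")
            cmd = re.search(r"<Command>(.*?)</Command>", xml, re.S)
            args = re.search(r"<Arguments>(.*?)</Arguments>", xml, re.S)
            if cmd and args and is_rundll32_appdata(cmd.group(1), args.group(1)):
                alerts.append({"rule": "sched_task_rundll32_appdata",
                               "user": ev.get("User"), "detail": ev.get("TaskName")})
        elif ev.get("EventID") == 1:
            if is_rundll32_appdata(ev.get("Image", ""), ev.get("CommandLine", "")):
                alerts.append({"rule": "rundll32_appdata_dll",
                               "user": ev.get("User"), "detail": ev.get("CommandLine")})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed input only the two TeamsUpdater records fire; the built-in defrag task and the shell32 control-panel invocation are left alone, which is the false-positive boundary a production rule needs.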

Mitigation

<div class="content-container"> <span class="content-title">T1608.006 Stage Capabilities: SEO Poisoning</span> <div align="left"> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td><a href="https://attack.mitre.org/mitigations/M1056">M1056</a></td> <td><a href="https://attack.mitre.org/mitigations/M1056">Pre-compromise</a></td> <td>This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.</td> </tr> </tbody> </table> </div> <span class="content-title">T1204.002 User Execution: Malicious File</span> <div align="left"> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td><a href="https://attack.mitre.org/mitigations/M1040">M1040</a></td> <td><a href="https://attack.mitre.org/mitigations/M1040">Behavior Prevention on Endpoint</a></td> <td>On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). 
Note: cloud-delivered protection must be enabled for certain rules.</td> </tr> <tr> <td><a href="https://attack.mitre.org/mitigations/M1038">M1038</a></td> <td><a href="https://attack.mitre.org/mitigations/M1038">Execution Prevention</a></td> <td>Application control may be able to prevent the running of executables masquerading as other files.</td> </tr> <tr> <td><a href="https://attack.mitre.org/mitigations/M1017">M1017</a></td> <td><a href="https://attack.mitre.org/mitigations/M1017">User Training</a></td> <td>Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.</td> </tr> </tbody> </table> </div> <span class="content-title">T1053.005 Scheduled Task/Job: Scheduled Task</span> <div align="left"> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td><a href="https://attack.mitre.org/mitigations/M1047">M1047</a></td> <td><a href="https://attack.mitre.org/mitigations/M1047">Audit</a></td> <td>Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.</td> </tr> <tr> <td><a href="https://attack.mitre.org/mitigations/M1028">M1028</a></td> <td><a href="https://attack.mitre.org/mitigations/M1028">Operating System Configuration</a></td> <td>Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. 
The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled.</td> </tr> <tr> <td><a href="https://attack.mitre.org/mitigations/M1026">M1026</a></td> <td><a href="https://attack.mitre.org/mitigations/M1026">Privileged Account Management</a></td> <td>Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority.</td> </tr> </tbody> </table> </div> <span class="content-title">T1218.011 System Binary Proxy Execution: Rundll32</span> <div align="left"> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td><a href="https://attack.mitre.org/mitigations/M1050">M1050</a></td> <td><a href="https://attack.mitre.org/mitigations/M1050">Exploit Protection</a></td> <td>Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.</td> </tr> </tbody> </table> </div> <span class="content-title">T1553 Subvert Trust Controls</span> <div align="left"> <table> <colgroup> <col> <col> <col> </colgroup> <tbody> <tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr> <tr> <td><a href="https://attack.mitre.org/mitigations/M1038">M1038</a></td> <td><a href="https://attack.mitre.org/mitigations/M1038">Execution Prevention</a></td> <td>System settings can prevent applications from running that haven't been downloaded through the Apple Store (or other legitimate repositories) which can help mitigate some of these issues. 
Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content.</td> </tr> </tbody> </table> </div> </div>