Between July 24-31, 2024, Blackpoint’s Security Operations Center (SOC) responded to 84 total incidents. These incidents included 15 on-premises MDR incidents, 1 Cloud Response for Google Workspace, and 68 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:
- Unnamed infostealer malware for collection and exfiltration;
- Vanilla Tempest using Oyster Backdoor for persistence; and
- NetSupport RAT for persistence.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
Unnamed Infostealer Malware Incident with Healthcare Partner on July 24, 2024
Topline Takeaways
- Industry target: Healthcare
- Attacker information:
  - Previously unnamed infostealer malware
  - .dll binary file
  - Virtual Private Server in the Netherlands
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use various new and / or previously unreported infostealer malware strains for collection and exfiltration to exploit other Healthcare organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Employee security training
  - Dedicated software center
  - Password managers
  - Least-privilege access controls
Unnamed Infostealer Incident Timeline for 2024-07-24
- Blackpoint MDR+R technology alerted to suspicious PowerShell activity on a Healthcare partner’s host.
- Initial investigation by Blackpoint’s Active SOC team found an unnamed infostealer malware associated with the anomalous PowerShell activity:
  - The unnamed infostealer was likely delivered by a .dll file executed on the infected host.
  - The threat also attempted communication with a Virtual Private Server based in the Netherlands.
- Active SOC analysts isolated the impacted Healthcare host to prevent additional malicious activity, before reaching out to our partner with more information and remediation advice.
More About Infostealer Malware
Information stealing (“infostealing”) malware is just that: Malicious software designed to gather information from a compromised environment, sending it back to the threat actor for either direct use or extortion.
This type of malware tends to target specific information types, including:
- Payment data,
- Browser-stored data,
- User credentials, and
- Cryptocurrency wallets.
Threat groups have deployed various forms of information stealing malware since at least 2006, when security teams and researchers first detected “ZeuS” (AKA Zbot) (1).
Today, both advanced persistent threats (APTs) and cybercriminal groups use infostealers, as data stolen from victims can be used for multiple reasons, such as:
- Facilitating future compromises and malicious activities via stolen credentials;
- Selling personal information or payment card details on cybercriminal forums; and
- Spying on victims for acts of corporate and government-sponsored espionage, for political, economic, and / or financial gain.
APG Threat Analysis of General Infostealer Malware for 2024
The APG predicts that threat actors will very likely continue to use general infostealer malware for collection and exfiltration of sensitive data from targeted victim organizations and users over the next 12 months.
We base this assessment on internal Blackpoint observed attack patterns, as well as external incident reports detailing threat actors’ use of information stealers.
- In 2024, S2W security researchers reported that the North Korea-linked Kimsuky advanced persistent threat (APT) group (AKA APT43, Black Banshee, Velvet Chollima, Emerald Sleet) leveraged a Golang-based information stealing malware, Troll Stealer, to target organizations in South Korea (2).
  - Troll Stealer reportedly collects and exfiltrates:
    - Files and directories,
    - Browser data,
    - System information, and
    - Screen captures.
- Also in 2024, Fortinet FortiGuard Labs security researchers reported a malware campaign exploiting the Microsoft Windows SmartScreen vulnerability CVE-2024-21412 (CVSS: 8.1) to deploy infostealers – including ACR Stealer, Lumma Stealer, and Meduza Stealer (3).
  - The unnamed threat actors reportedly used phishing emails with malicious attachments to spread files, exploiting the vulnerability to download malicious executable files, including infostealers.
  - The infostealers targeted:
    - Browser data,
    - Messenger applications,
    - Email clients,
    - User credentials, and
    - Other relevant victim information for exploitation and exfiltration.
Recommended Infostealer Mitigations and Remediations
Blackpoint’s APG recommends the following actions to help mitigate the deployment and use of information stealing malware, such as the unnamed infostealer deployed during this incident.
- Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of employees being tricked into downloading malicious software, or legitimate tools that are then used for malicious actions.
- Provide a dedicated software center, which allows employees to download approved software from a safe and monitored location.
- Require the use of secure password managers, and disable the storage of plaintext passwords and local password caching to make accessing passwords more difficult.
- Implement the practice of least privilege, which ensures regular user accounts are unable to install certain tools and access sensitive data that can be stolen by infostealers.
Vanilla Tempest and Oyster Backdoor Incident Timeline with Legal Services Partner on July 25, 2024
Topline Takeaways
- Industry target: Legal Services
- Attacker information:
  - Vanilla Tempest
  - Oyster Backdoor
  - Gootloader
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Vanilla Tempest and Oyster Backdoor to exploit other Legal Services organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Multifactor authentication (MFA)
  - Application allowlisting and blocklisting
  - Scripting language controls
  - Heuristics-based activity monitoring and remediation
Vanilla Tempest and Oyster Backdoor Incident Timeline for 2024-07-25
- Blackpoint MDR+R technology alerted to Vanilla Tempest activity on a Legal Services partner’s host machine.
- Initial investigation by Blackpoint’s Active SOC team identified a .dll file executed by the scheduled task “OppCleanTp”, which used rundll32.exe to execute the Test entry point of the .dll file.
- The .dll reached out to an Australian OVH IP address, which previous security research and incident reports link to Oyster Backdoor malware (4).
- Further investigation on the impacted host and its scheduled tasks identified:
  - An .exe binary file, initially dropped as an implant, running and calling out to a remote Linux machine in England.
  - An active Gootloader infection, initially downloaded from a .js file “Account Directors.js” zipped in a file named “What_does_job_on_a_client_contract_mean_[…].zip”.
  - When executed, the .js file created a scheduled task on the host, “Corporate turn-around”, and provided the initial access vector for the threat actor to drop an additional loader and implant for attempted environment persistence.
- Active SOC analysts isolated the affected Legal Services hosts and deleted the malicious scheduled tasks to prevent additional malicious activity, before reaching out to the partner with more information and remediation advice.
More About Vanilla Tempest, Oyster Backdoor, and Gootloader
What is Vanilla Tempest?
Vanilla Tempest (AKA DEV-0832, TAC5278) is a financially motivated threat group to which the Vice Society ransomware has been attributed (5).
In 2023, Sophos security researchers observed the Vanilla Tempest group deploying the Rhysida ransomware variant, likely switching from the Vice Society ransomware operation (6).
What is Oyster Backdoor malware?
First observed in September 2023, Oyster Backdoor malware (AKA Broomstick, CleanUpLoader) is a loader and backdoor malicious software package associated with the threat group ITG23 (AKA Periwinkle Tempest, Wizard Spider, Gold Blackburn) (8).
Threat actors deploy Oyster Backdoor in victim environments to:
- Gain persistence,
- Collect basic information, and
- Communicate with the attacker’s command and control (C2) server.
What is Gootloader?
Offered as an Initial-Access-as-a-Service (IAaaS) tool on criminal forums (7), Gootloader malware is a first-stage downloader designed to target Windows-based operating systems (OS) and has been actively used by multiple threat groups since at least 2020.
Researchers and security teams frequently observe Gootloader using scheduled tasks and PowerShell commands for persistence – both tactics seen in this specific incident.
APG Threat Analysis of Oyster Backdoor for 2024
The APG predicts that threat actors will likely continue to deploy Oyster Backdoor malware over the next 12 months to gain persistence and deploy second-stage payloads.
We base this assessment on internal Blackpoint-observed attacks, as well as external reporting, such as:
- In 2024, security researchers with Rapid7 reported a malvertising campaign that lured users into downloading malicious software installers – including Google Chrome and Microsoft Teams – that were then used to install Oyster Backdoor malware (9). The threat actors gained persistence and then attempted to deploy multiple second-stage payloads.
- Also in 2024, Malwarebytes security researchers reported that the Rhysida ransomware operation targeted an academic entity and used the Oyster backdoor to deliver the ransomware (10).
- In this campaign, the threat operators also used SEO-poisoned search results to lure victims into downloading malicious installers – similar to the campaign reported by Rapid7 above.
Recommended Oyster Backdoor Mitigations and Remediations
Blackpoint’s APG recommends the following actions to help mitigate the deployment of loader and backdoor malware, including Oyster Backdoor.
- Enable multi-factor authentication (MFA), which can help identify malicious or anomalous logins and require an additional step for securing user accounts.
- Implement application controls to help manage and control the installation of software that is frequently observed in malware attacks.
- Minimize – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities.
- Monitor system activity through heuristics-based triggers and alerts to detect unusual access patterns that could indicate malicious behavior by threat actors, rather than depending solely on indicators of compromise (IoCs).
NetSupport RAT Incident with Consumer Cyclicals Partner on July 25, 2024
Topline Takeaways
- Industry target: Consumer Cyclicals
- Attacker information:
  - NetSupport RAT
  - cscript.exe
  - .vbs binary file
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use NetSupport RAT to exploit other Consumer Cyclicals organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Employee security training
  - Scripting language controls
  - Multifactor authentication (MFA)
  - Zero trust network architecture
NetSupport RAT Incident Timeline for 2024-07-25
- Blackpoint MDR+R technology alerted to a NetSupport RAT process “client32.exe” on the host of a Consumer Cyclicals partner.
- Initial investigation by Blackpoint’s Active SOC team found the problematic client32.exe file:
  - Using cscript.exe to execute a .vbs file.
  - Executing a suspected callout command to another host within the environment.
- Active SOC analysts isolated the impacted hosts to prevent additional malicious activity, before reaching out to the Consumer Cyclicals partner with more information and remediation advice.
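As an added example (not from the original post and not Blackpoint tooling), the Python below triages launch commands of the two shapes seen in the Vanilla Tempest and NetSupport RAT timelines above: rundll32.exe invoking a DLL export from a scheduled task, and a script host (wscript.exe / cscript.exe) running a .js or .vbs file, with an extra check for payloads living in user-writable paths. Every task name, path and command in the sample is constructed for the example; the same checks apply to the Execute/Arguments fields of real Get-ScheduledTask output or to process-creation log command lines.

```python
import re
from dataclasses import dataclass


@dataclass
class Launch:
    name: str       # scheduled-task name or process description
    execute: str    # program being run (task "Program/script" or process image)
    arguments: str  # its argument string


SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
# rundll32 <path>.dll,<Export>  (quotes optional, whitespace around the comma optional)
RUNDLL32_EXPORT = re.compile(r'"?([^",]+\.dll)"?\s*,\s*([A-Za-z_#][\w#]*)', re.I)
# Locations from which a persistent task or service should not normally run payloads
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Temp)\\", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_launch(launch: Launch) -> list[str]:
    """Return the reasons a launch looks like loader persistence (empty list = nothing flagged)."""
    reasons = []
    exe = _base(launch.execute)
    if exe == "rundll32.exe":
        m = RUNDLL32_EXPORT.search(launch.arguments)
        if m:  # e.g. the "OppCleanTp"-style pattern: a DLL entry point run by rundll32
            reasons.append(f"rundll32 loads {_base(m.group(1))} via export '{m.group(2)}'")
    if exe in SCRIPT_HOSTS and SCRIPT_FILE.search(launch.arguments):
        reasons.append(f"{exe} runs a script file")  # Gootloader .js / NetSupport .vbs shape
    if USER_WRITABLE.search(f"{launch.execute} {launch.arguments}"):
        reasons.append("payload path is in a user-writable location")
    return reasons


SAMPLE_LAUNCHES = [  # constructed samples, not real incident data
    Launch("task OppCleanTp-like", r"C:\Windows\System32\rundll32.exe",
           r'"C:\Users\jdoe\AppData\Roaming\Sysdir\clean.dll",Test'),
    Launch("task Corporate turn-around-like", r"C:\Windows\System32\wscript.exe",
           r'"C:\Users\jdoe\AppData\Local\Temp\Account Directors.js"'),
    Launch("process cscript under client32.exe", r"C:\Windows\System32\cscript.exe",
           r"//nologo C:\Users\Public\update.vbs"),
    Launch("task vendor updater", r"C:\Program Files (x86)\Vendor\Update\updater.exe", "/c"),
]


def triage_all(launches=SAMPLE_LAUNCHES) -> dict[str, list[str]]:
    return {l.name: triage_launch(l) for l in launches}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name}: {'; '.join(reasons) or 'no findings'}")
```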
More About NetSupport RAT
As the APG explained in previous incidents involving NetSupport RAT (12), the NetSupport Manager is a legitimate remote support tool that has been frequently abused by multiple threat actors for malicious activities (11).
NetSupport RAT is a malicious spinoff of the legitimate NetSupport Manager that supports multiple features for illicit purposes, including:
- File transfers,
- Remote access to compromised environments,
- Keylogging, and
- Controlling system resources.
Due to the tool’s widespread availability for both malicious and legitimate use cases, the use of NetSupport RAT alone cannot be attributed to a single threat actor. Threat actors of all skill levels abuse the NetSupport tool, even if they lack the technical knowledge or resources needed to use custom malware or tools.
This widespread use of NetSupport RAT leads to a variety of initial access methods; however, social engineering appears to remain a top choice for threat actors to deploy the NetSupport RAT.
APG Threat Analysis of NetSupport RAT in 2024
The APG predicts that threat actors will very likely continue to use NetSupport RAT for persistence over the next 12 months.
We base this assessment on multiple internal Blackpoint-observed attacks – including several publicly reported ones, such as:
- A July 10, 2024, incident with a Technology partner;
- Multiple incidents on June 24 and 26, 2024, with Real Estate, Industrials, and Institutions & Organizations partners; and
- A May 6, 2024, incident with an Industrials partner.
External reporting related to observed use of NetSupport RAT further corroborates the APG’s and Active SOC’s observations.
Of particular note is a May 2024 threat brief from ConnectWise, which included a list of the top five malware observed in the previous month – with NetSupport RAT topping their list (13).
This report and others like it suggest that there is little incentive for threat actors to abandon NetSupport RAT, which is clearly easily accessible and widely effective across a broad range of victim organizations and environments.
Recommended NetSupport RAT Mitigations and Remediations
Blackpoint’s APG recommends the following actions to help mitigate threat actor use of NetSupport RAT on compromised systems.
- Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority.
- Minimize – or implement strict controls on – the use of scripting languages, including restricting script use by end users who do not need such abilities for their regular duties. Script controls limit a threat actor’s ability to leverage malicious scripts on compromised user profiles and endpoints.
- Use multifactor authentication (MFA) and virtual private networks (VPNs) wherever feasible, to ensure only identified and authorized employees can access sensitive data and resources with an additional level of credential authentication.
- Operate from a zero-trust mentality, which assumes that every request to each resource is malicious and embodies aggressive and continuous monitoring and management.
References and Resources
A quick note on incident details:
As these analyses concern recent incidents in actively monitored environments, certain details may occasionally be omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.
However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.
Please feel free to reach out to the APG directly if you have any questions about a specific incident!
1. Flashpoint’s Blog: “The Evolution and Rise of Stealer Malware” by Flashpoint Intel Team on 2024-01-10
2. S2W’s Blog: “Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.)” by Jiho Kim; Sebin Lee on 2024-02-07
3. Fortinet’s Blog: “Exploiting CVE-2024-21412: A Stealer Campaign Unleashed” by Cara Lin on 2024-07-23
4. VirusTotal’s Repository: “139.999.221.140” by VirusTotal on 2024-07-28
5. Microsoft’s Blog: “DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector” by Microsoft Threat Intelligence on 2022-10-25
6. Sophos’s Blog: “Same threats, different ransomware” by Colin Cowie; Morgan Demboski on 2023-11-10
7. Blackpoint Cyber’s Blog: “How Internet Access Brokers Fuel Cybercrime and What You Can Do About It” by Blackpoint Cyber on 2024-03-06
8. IBM’s Report: “Broomstick Analysis Report (IRIS-17079)” by IBM X-Force on 2024-03-21
9. Rapid7’s Blog: “Malvertising Campaign Leads to Execution of Oyster Backdoor” by Rapid7 on 2024-06-17
10. Malwarebytes’s Blog: “Rhysida using Oyster Backdoor to deliver ransomware” by Bill Cozens on 2024-07-24
11. VMware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo; Abe Schneider; Fae Carlisle on 2023-11-20
12. Blackpoint Cyber’s Blog: “CrowdStrike BSOD Help, Advanced IP Scanner, TeamViewer, NetSupport RAT, & AsyncRAT” by Blackpoint Cyber on 2024-07-19
13. ConnectWise’s Blog: “Monthly Threat Brief: May 2024” by Bryson Medlock on 2024-06-24