Vanilla Tempest, Oyster Backdoor, NetSupport RAT, & Infostealers

Information stealing (“infostealing”) malware is just that: Malicious software designed to gather information from a compromised environment, sending it back to the threat actor for either direct use or extortion.

This type of malware tends to target specific information types, including:

• Payment data,
• Browser-stored data,
• User credentials, and
• Cryptocurrency wallets.

Threat groups have deployed various forms of information stealing malware since at least 2006, when security teams and researchers first detected “ZeuS” (AKA Zbot) (1).

Today, both advanced persistent threats (APTs) and cybercriminal groups use infostealers, as data stolen from victims can be used for multiple reasons, such as:

• Facilitating future compromises and malicious activities via stolen credentials;
• Selling personal information or payment card details on cybercriminal forums; and
• Spying on victims for acts of corporate and government-sponsored espionage, for political, economic, and / or financial gain.

The APG predicts that threat actors will very likely continue to use general infostealer malware for collection and exfiltration of sensitive data from targeted victim organizations and users over the next 12 months.

We base this assessment on internal Blackpoint observed attack patterns, as well as external incident reports detailing threat actors’ use of information stealers.

• In 2024, S2W security researchers with S2W reported that the North Korea-linked Kimsuky advanced persistent threat (APT) group (AKA APT43, Black Banshee, Velvet Chollima, Emerald Sleet) leveraged a Golang-based information stealing malware, Troll Stealer, to target organizations in South Korea (2).
  • Troll Stealer reportedly collects and exfiltrates:
    • Files and directories,
    • Browser data,
    • System information, and
    • Screen captures.
• Also in 2024, Fortinet FortiGuard Labs security researchers reported a malware campaign exploiting the Microsoft Windows SmartScreen vulnerability CVE-2024-21412 (CVSS: 8.1) to deploy infostealers – including ACR Stealer, Lumma Stealer, and Meduza Stealer (3).
  • The unnamed threat actors reportedly used phishing emails with malicious attachments to spread files, exploiting the vulnerability to download malicious executable files, including infostealers.
  • The infostealers targeted:
    • Browser data,
    • Messenger applications,
    • Email clients,
    • User credentials, and
    • Other relevant victim information for exploitation and exfiltration.

Blackpoint’s APG recommends the following actions to help mitigate the deployment and use of information stealing malware, such as the unnamed infostealer deployed during this incident.

• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
• Provide a dedicated software center, which allows employees to download approved software from a safe and monitored location.
• Require the use of secure password managers, and disable the storage of plaintext passwords and local password caching to make accessing passwords more difficult.
• Implement the practice of least privilege, which ensures regular user accounts are unable to install certain tools and access sensitive data that can be stolen by infostealers.

Vanilla Tempest (AKA DEV-0832, TAC5278) is a financially-motivated threat group that was attributed to the Vice Society ransomware (5).

In 2023, Sophos security researchers observed the Vanilla Tempest group deploying the Rhysida ransomware variant, likely switching from the Vice Society ransomware operation (6).

First observed in September 2023, Oyster Backdoor malware (AKA Broomstick, CleanUpLoader) is a loader and backdoor malicious software package associated with the threat group ITG23 (AKA Periwinkle Tempest, Wizard Spider, Gold Blackburn)(8).

Threat actors deploy Oyster Backdoor in victim environments to:

• Gain persistence,
• Collect basic information, and
• Communicate with the attacker’s command and control (C2) server.

Offered as an Initial-Access-as-a-Service (IAaaS) tool on criminal forums (7), Gootloader malware is a first stage downloader designed to target Windows-based operating systems (OS) and has been actively used by multiple threat groups since at least 2020.

Researchers and security teams frequently observe Gootloader using scheduled tasks and PowerShell commands for persistence – both tactics seen in this specific incident.

The APG predicts that threat actors will likely continue to deploy Oyster Backdoor malware over the next 12 months to gain persistence and deploy second-stage payloads.

We base this assessment on internal Blackpoint-observed attacks, as well as external reporting, such as:

• In 2024, security researchers with Rapid7 reported a malvertising campaign that lured users into downloading malicious software installers – including Google Chrome and Microsoft Teams – that were then used to install Oyster Backdoor malware (9). The threat actors gained persistence and then attempted to deploy multiple second-stage payloads.
• Also in 2024,Malwarebytes security researchers reported that the Rhysida ransomware operation targeted an academic entity and used the Oyster backdoor to deliver the ransomware (10).
  • In this campaign, the threat operators also used SEO-poisoned search results to lure victims into downloading malicious installers – similar to the campaign reported by Rapid7 above.

Blackpoint’s APG recommends the following actions to help mitigate the deployment of loader and backdoor malware, including Oyster Backdoor.

• Enable multi-factor authentication (MFA), which can help identify malicious or anomalous logins and require an additional step for securing user accounts.
• Implement application controls to help manage and control the installation of software that is frequently observed in malware attacks.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities.
• Monitor system activity through heuristics-based triggers and alerts, rather than depending solely on indicators of compromise (IoCs) to detect unusual access patterns that could be indicative of malicious behavior by threat actors.

As the APG explained in previous incidents involving NetSupport RAT (12), the NetSupport Manager is a legitimate remote support tool that has been frequently abused by multiple threat actors for malicious activities (11).

NetSupport RAT is a malicious spinoff of the legitimate NetSupport Manager supports multiple features for illicit purposes, including:

• File transfers,
• Remote access to compromised environments,
• Keylogging, and
• Controlling system resources.

Due to the malware’s widespread availability for both malicious and legitimate use cases, the use of NetSupport RAT alone cannot be attributed to a single threat actor. Threat actors of all skill levels abuse the NetSupport tool, even if they lack the necessary technical knowledge or resources needed to use custom malware or tools.

This widespread use of NetSupport RAT leads to a variety of initial access methods; however, social engineering appears to remain a top choice for threat actors to deploy the NetSupport RAT.

The APG predicts that threat actors will very likely continue to use NetSupport RAT for peristence over the next 12 months.

We base this assessment on multiple internal Blackpoint observed attacks – including several publicly reported ones, such as:

• A July 10, 2024, incident with a Technology partner;
• Multiple incidents on June 24 and 26, 2024, with Real Estate, Industrials, and Institutions & Organizations partners; and
• A May 6, 2024, incident with an Industrials partner.

External reporting related to observed use of NetSupport RAT further corroborates the APG’s and Active SOC’s observations.

Of particular note is a May 2024 threat brief from ConnectWise, which included a list of the top five malware observed in the previous month – with NetSupport RAT topping their list (13).

This report and others like it suggest that there is little incentive for threat actors to abandon NetSupport RAT, which is clearly easily accessible and widely effective across a broad range of victim organizations and environments.

Blackpoint’s APG recommends the following actions to help mitigate threat actor use of NetSupport RAT on compromised systems.

• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority.
• Minimize the use of – or implement strict controls on – the use of scripting languages, including restricting script use by end users who do not need such abilities for their regular duties. Script controls limit a threat actors’ ability to leverage malicious scripts on compromised user profiles and endpoints.
• Use multifactor authentication (MFA) and virtual private networks (VPNs) wherever feasible, to ensure only identified and authorized employees can access sensitive data and resources with an additional level of credential authentication.
• Operate from a zero-trust mentality, which assumes that all requests to each resource is malicious and embodies aggressive and continuous monitoring and management.

1. Flashpoint’s Blog: “The Evolution and Rise of Stealer Malware” by Flashpoint Intel Team on 2024-01-10
2. S2W’s Blog: “Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.)” by Jiho Kim; Sebin Lee on 2024-02-07
3. Fortinet’s Blog: “Exploiting CVE-2024-21412: A Stealer Campaign Unleashed” by Cara Lin on 2024-07-23
4. 
   VirusTotal’s Repository: “139.999.221.140” by VirusTotal on 2024-07-28
5. Microsoft’s Blog: “DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector” by Microsoft Threat Intelligence on 2022-10-25
6. 
   Sophos’s Blog: “Same threats, different ransomware” by Colin Cowie; Morgan Demboski on 2023-11-10
7. Blackpoint Cyber’s Blog: “How Internet Access Brokers Fuel Cybercrime and What You Can Do About It” by Blackpoint Cyber on 2024-03-06
8. IBM’s Report: “Broomstick Analysis Report (IRIS-17079)” by IBM X-Force on 2024-03-21
9. Rapid7’s Blog: “Malvertising Campaign Leads to Execution of Oyster Backdoor” by Rapid7 on 2024-06-17
10. 
    Malwarebytes’s Blog: “Rhysida using Oyster Backdoor to deliver ransomware” by Bill Cozens on 2024-07-24
11. 
    VMware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo; Abe Schneider; Fae Carlisle on 2023-11-20
12. Blackpoint Cyber’s Blog: “CrowdStrike BSOD Help, Advanced IP Scanner, TeamViewer, NetSupport RAT, & AsyncRAT” by Blackpoint Cyber on 2024-07-19
13. 
    Connectwise’s Blog: “Monthly Threat Brief: May 2024” by Bryson Medlock on 2024-06-24