TamperedChef Malware Campaign Exploits Trust with Fake Software Installers
- John Jordan

- 5 hours ago
A sophisticated global malvertising campaign, dubbed TamperedChef, is actively distributing malware by tricking users into downloading fake software installers. These malicious applications are designed to look legitimate, often masquerading as popular utilities like PDF editors or product manual readers, and are signed with abused digital certificates to bypass security measures and gain user trust. The campaign's ultimate goal is to establish persistence on infected systems and deliver JavaScript-based backdoors for remote access and control.
Key Takeaways
- Deceptive Installers: Threat actors use fake software installers that mimic legitimate applications.
- Abused Digital Certificates: Installers signed with fraudulently obtained certificates are used to increase trust and evade detection.
- Global Reach: The campaign operates globally, with a significant concentration of infections in the U.S.
- Targeted Sectors: Healthcare, construction, and manufacturing are particularly affected.
- Stealthy Payload Delivery: JavaScript malware is deployed to establish remote access and control.
The TamperedChef Attack Chain
The TamperedChef campaign leverages social engineering tactics, including malvertising and search engine optimization (SEO), to lure victims. Users searching for common software or product manuals are directed to malicious websites where they download seemingly functional applications. Once installed, these applications drop an XML configuration file that creates a scheduled task. This task is responsible for executing a heavily obfuscated JavaScript payload, which then establishes communication with command-and-control (C2) servers.
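As an added defender-side example (not code from this article or from the researchers it cites), the check below parses a Windows Task Scheduler XML definition and flags Exec actions that launch a script host on a JavaScript or other script file, the persistence pattern the attack chain above describes. The task XML samples, file paths and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Task Scheduler definition that runs a
# JScript file silently at logon; the paths and file name are made up.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\\Users\\Public\\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a normal executable, no script host.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>%SystemRoot%\\System32\\defrag.exe</Command>
  <Arguments>C: /O</Arguments></Exec></Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".hta")


def suspicious_exec_actions(task_xml) -> list:
    """Return the Exec actions in a scheduled-task definition that launch a
    script host, point at a script file, or request silent (//B) execution.
    Each hit records the command, its arguments and the reasons it matched."""
    root = ET.fromstring(task_xml)
    hits = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip().lower()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        reasons = []
        if cmd.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            reasons.append("script host command")
        if any(tok.strip('"').lower().endswith(SCRIPT_EXTS) for tok in args.split()):
            reasons.append("script file argument")
        if "//b" in args.lower():
            reasons.append("batch (silent) mode flag")
        if reasons:
            hits.append({"command": cmd, "arguments": args, "reasons": reasons})
    return hits


def scan_task_files(paths) -> dict:
    """Apply the check to task XML files on disk (Windows stores them under
    %SystemRoot%\\System32\\Tasks). Files are read as bytes so a UTF-16
    declaration in the real files is honoured by the parser."""
    findings = {}
    for path in paths:
        with open(path, "rb") as fh:
            hits = suspicious_exec_actions(fh.read())
        if hits:
            findings[path] = hits
    return findings
```

A hit is a triage lead, not a verdict: legitimate tasks do run scripts, so pair this with a check of the script's origin and of the signer of the installer that dropped it.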
Industrialized Infrastructure and Evasion Tactics
Researchers have noted that the infrastructure behind TamperedChef is "industrialized and business-like." Threat actors utilize a network of U.S.-registered shell companies to acquire and rotate code-signing certificates. This allows them to continuously sign new fake applications with seemingly valid certificates, even as older ones are revoked. The campaign also employs techniques like obfuscating the JavaScript payload and using recognizable domain names for C2 servers to blend in with normal network traffic, making detection more challenging.
Affected Industries and Potential Motives
While the campaign has a global reach, telemetry data indicates a higher concentration of infections in the United States, with other affected countries including Israel, Spain, Germany, India, and Ireland. The healthcare, construction, and manufacturing sectors are identified as the most vulnerable. This is likely due to the frequent online searches for specialized equipment manuals within these industries, a behavior exploited by the campaign. The motives behind TamperedChef are believed to be financial, potentially involving advertising fraud, selling remote access to other cybercriminals, or harvesting and selling sensitive data.
Recommendations for Defense
Security experts advise organizations and individuals to exercise caution when downloading software, especially from search engine results or advertisements. Verifying software sources, maintaining up-to-date security software, and educating users about social engineering tactics are crucial steps in mitigating the risk posed by campaigns like TamperedChef. Digital signatures alone should not be considered a guarantee of legitimacy.
Sources
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign, The Hacker News.
- How TamperedChef uses signed apps to deliver stealthy payloads, Acronis.
- TamperedChef Hacking Campaign Leverages Common Apps to Deliver Payloads and Gain Remote Access, CyberSecurityNews.
- TamperedChef infostealer delivered through fraudulent PDF Editor, BleepingComputer.