Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef.
The end goal of the attacks is to establish persistence and deliver JavaScript malware that facilitates remote access and control, per a new report from Acronis Threat Research Unit (TRU). The campaign, per the Singapore-headquartered company, is still ongoing, with new artifacts being detected and associated infrastructure remaining active.
“The operator(s) rely on social engineering by using everyday application names, malvertising, Search Engine Optimization (SEO), and abused digital certificates that aim to increase user trust and evade security detection,” researchers Darrel Virtusio and Jozsef Gegeny said.
TamperedChef is the name assigned to a long-running campaign that has leveraged seemingly legitimate installers for various utilities to distribute an information stealer malware of the same name. It’s assessed to be part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation.
To lend these counterfeit apps a veneer of legitimacy, the attackers use code-signing certificates issued for shell companies registered in the U.S., Panama, and Malaysia to sign them, and acquire new ones under a different company name as older certificates are revoked.
Acronis described the infrastructure as “industrialized and business-like,” effectively allowing the operators to steadily churn out new certificates and exploit the inherent trust associated with signed applications to disguise the malicious software as legitimate.
It’s worth noting at this stage that the malware tracked as TamperedChef by Truesec and G DATA is also referred to as BaoLoader by Expel, and is different from the original TamperedChef malware that was embedded within a malicious recipe application distributed as part of the EvilAI campaign.
Acronis told The Hacker News that it’s using TamperedChef to refer to the malware family, since it has already been widely adopted by the cybersecurity community. “This helps avoid confusion and stay consistent with existing publications and detection names used by other vendors, which also refer to the malware family as TamperedChef,” it said.
A typical attack plays out as follows: Users who search for PDF editors or product manuals on search engines like Bing are served malicious ads or poisoned URLs, when clicked, take users to booby-trapped domains registered on NameCheap that deceive them into downloading the installers.
Once executing the installer, users are prompted to agree to the program’s licensing terms. It then launches a new browser tab to display a thank you message as soon as the installation is complete in order to keep up the ruse. However, in the background, an XML file is dropped to create a scheduled task that’s designed to launch an obfuscated JavaScript backdoor.
The backdoor, in turn, connects to an external server and sends basic information, such as session ID, machine ID, and other metadata in the form of a JSON string that’s encrypted and Base64-encoded over HTTPS.
That being said, the end goals of the campaign remain nebulous. Some iterations have been found to facilitate advertising fraud, indicating their financial motives. It’s also possible that the threat actors are looking to monetize their access to other cybercriminals, or harvest sensitive data and sell it in underground forums to enable fraud.
Telemetry data shows that a significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland. Healthcare, construction, and manufacturing are the most affected sectors.
“These industries appear especially vulnerable to this type of campaign, likely due to their reliance on highly specialized and technical equipment, which often prompts users to search online for product manuals – one of the behaviors exploited by the TamperedChef campaign,” the researchers noted.
