A global malvertising campaign, dubbed TamperedChef, is actively leveraging bogus installers that impersonate popular software to trick users into installing malware. The goal of these attacks is to establish persistence and deploy JavaScript malware that facilitates remote access and control.
Industrialized Social Engineering
The operators behind TamperedChef rely heavily on social engineering, malvertising, and Search Engine Optimization (SEO) to lure victims. They use the names of everyday applications and product manuals to catch users searching on engines like Bing. Malicious ads or poisoned URLs direct users to booby-trapped domains registered on platforms like NameCheap, deceiving them into downloading counterfeit installers.
To give these fake applications a veneer of legitimacy, the threat actors use abused digital certificates issued to shell companies registered across the globe. As older certificates are revoked, the operators quickly acquire new ones under different company names. Acronis Threat Research Unit (TRU) described the infrastructure as "industrialized," designed to continuously churn out new certificates and exploit the inherent trust associated with signed applications.
Infection Chain and Payloads
A typical attack begins when a user searches for software, such as a PDF editor. Clicking a malicious ad leads them to a deceptive site. Upon executing the installer, the user is prompted to agree to licensing terms, and a "thank you" message is displayed in a new browser tab to maintain the ruse.
In the background, an XML file is dropped to create a scheduled task. This task is designed to launch an obfuscated JavaScript backdoor. The backdoor connects to an external server and sends basic machine metadata, encrypted and Base64 encoded over HTTPS.
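The persistence step described above (a dropped XML task definition whose action launches a script host with a JavaScript file) is something a defender can check for directly. The following script is an added example, not code from the article or from Acronis TRU: it parses Windows Task Scheduler task XML (the `schtasks /XML` schema, whose namespace is assumed here) and flags tasks that are hidden or that run `wscript.exe`/`cscript.exe`/`mshta.exe` with a script-file argument. Both task definitions in the block are constructed samples with made-up paths and names.

```python
"""Flag scheduled-task definitions that launch a script host with a script
file: the persistence pattern described in the article. Added example with
constructed sample data; binary names and paths are hypothetical."""
import ntpath
import re
import xml.etree.ElementTree as ET

# XML namespace used by Windows Task Scheduler task definitions (assumed here)
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Script hosts that can execute JS/VBS/HTA payloads from a scheduled task
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def _tokens(arguments: str) -> list[str]:
    """Split an Arguments string into tokens, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', arguments)]


def analyze_task_xml(xml_text: str) -> list[str]:
    """Return human-readable findings for one task definition (empty if clean)."""
    root = ET.fromstring(xml_text)
    findings = []
    # Hidden tasks do not show up in the Task Scheduler UI by default
    hidden = root.findtext(f"{NS}Settings/{NS}Hidden") or ""
    if hidden.strip().lower() == "true":
        findings.append("task is marked Hidden")
    for exec_node in root.iter(f"{NS}Exec"):
        command = (exec_node.findtext(f"{NS}Command") or "").strip().strip('"')
        arguments = exec_node.findtext(f"{NS}Arguments") or ""
        binary = ntpath.basename(command).lower()  # ntpath handles Windows paths on any OS
        if binary in SCRIPT_HOSTS:
            findings.append(f"action launches script host {binary}")
        for tok in _tokens(arguments):
            if tok.lower().endswith(SCRIPT_EXTS):
                findings.append(f"action passes script file {tok}")
    return findings


def is_suspicious(xml_text: str) -> bool:
    """A script host started with a script file is the pattern worth alerting on."""
    f = analyze_task_xml(xml_text)
    return any("script host" in x for x in f) and any("script file" in x for x in f)


# Constructed sample: hidden logon task running an obfuscated JS file (hypothetical path)
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\Users\Public\Libraries\example-updater.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary updater task with no script host involved
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Example Updater\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, is_suspicious(xml_text), analyze_task_xml(xml_text))
```

On a live host the same logic can be run over the exported definitions under `C:\Windows\System32\Tasks` (each file is a task XML) or over the output of `schtasks /query /XML`; pairing a hit with the task's creation time and the installer that ran shortly before it gives an incident responder the link back to the malvertising lure.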
While the campaign's ultimate goal remains unclear, researchers suggest it may involve facilitating advertising fraud, harvesting sensitive data for underground sale, or monetizing access to other cybercriminals.
Telemetry data shows a significant concentration of infections in the U.S., Israel, Spain, Germany, India, and Ireland. Healthcare, construction, and manufacturing are the most affected sectors, likely due to their reliance on highly specialized equipment, which prompts employees to search online for product manuals, a behavior exploited by the TamperedChef campaign.