TamperedChef malware is spreading globally through fake software installers in an ongoing attack campaign.


TamperedChef Malware Spreads through Fraudulent Software Installers in an Ongoing Worldwide Campaign

As part of a global malvertising campaign known as TamperedChef, threat actors are using phony installers that pose as well-known software to fool users into installing malware.

According to a recent analysis from the Acronis Threat Research Unit (TRU), the attacks’ ultimate objective is to create persistence and distribute JavaScript malware that enables remote access and control. According to the Singapore-based corporation, the campaign is still in progress, with fresh artifacts being found and related infrastructure continuing to function.

“The operator(s) rely on social engineering by using everyday application names, malvertising, Search Engine Optimization (SEO), and abused digital certificates that aim to increase user trust and evade security detection,” claimed researchers Darrel Virtusio and Jozsef


A long-running effort known as “TamperedChef” has used installers for several utilities that appear to be genuine to spread the same-named information-stealing malware. It is thought to be a component of a larger group of attacks known as EvilAI, which employs lures associated with software and artificial intelligence (AI) capabilities to spread malware.

The attackers employ code-signing certificates produced for shell firms registered in the U.S., Panama, and Malaysia to sign these fake apps, giving them a false sense of legitimacy. As older certificates are revoked, they obtain new ones under a different company name.

According to Acronis, the infrastructure is “industrialized and business-like,” which enables the operators to continuously produce new certificates and take advantage of the trust that comes with certified programs to pass off harmful software as authentic.

At this point, it’s important to note that the malware tracked as TamperedChef by Truesec and G DATA is also known as BaoLoader by Expel. This is distinct from the original TamperedChef malware, which was distributed as part of the EvilAI campaign and contained within a malicious recipe application.

Acronis told The Hacker News that it uses the name TamperedChef for the malware family because it has already gained widespread acceptance in the cybersecurity community. “This helps avoid confusion and stay consistent with existing publications and detection names used by other vendors, which also refer to the malware family as TamperedChef,” said the company.

A typical attack looks like this: When users search engines like Bing for PDF editors or product manuals, they are presented with malicious advertisements or poisoned URLs that, when clicked, lead to NameCheap-registered booby-trapped domains that trick them into downloading the installers.

After running the installer, users are asked to accept the program’s licensing conditions. To maintain the illusion, it then opens a new browser tab to show a thank-you message as soon as the installation is finished. Meanwhile, in the background, it drops an XML file that creates a scheduled task intended to launch an obfuscated JavaScript backdoor.
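As an added example for defenders (not code from the Acronis report), the following Python triages an exported Windows scheduled-task XML definition for the persistence pattern described above: an action that runs a script host on a JavaScript file from a user-writable path. Both task definitions and all file paths below are constructed for illustration.

```python
"""Triage scheduled-task XML for script-host persistence (added example)."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script hosts commonly used to launch a JavaScript/VBScript payload
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample: a logon task that runs a .js file via wscript (hypothetical path)
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\\Users\\Public\\updater.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a vendor updater binary in Program Files (hypothetical)
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""


def triage_task(task_xml: str) -> list:
    """Return one finding per Exec action that looks like script persistence.

    Each finding lists the command, its arguments and the reasons it was flagged;
    an empty list means nothing in the task matched.
    """
    root = ET.fromstring(task_xml)
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        line = f"{cmd} {args}".lower()
        reasons = []
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host {exe}")
        if re.search(r"\.(js|jse|vbs|hta)\b", line):
            reasons.append("script file as payload")
        if re.search(r"\\(users\\public|programdata|appdata|temp)\\", line):
            reasons.append("payload in user-writable location")
        if reasons:
            findings.append({"command": cmd, "arguments": args, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, triage_task(xml))
```

On a live host the same function can be run over every file under the Tasks directory that Task Scheduler stores definitions in, or over the output of an export; a match is a hunting lead, not proof of infection on its own.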


Once launched, the backdoor establishes a connection with an external server and transmits, over HTTPS, an encrypted and Base64-encoded JSON string containing basic data such as a session ID, a machine ID, and other metadata.

Nevertheless, the campaign’s ultimate objectives are still unclear. It has been discovered that some variations enable advertising fraud, demonstrating their financial motivations. The threat actors may also be trying to make money off of their connection to other cybercriminals, or they may be gathering private information and selling it in underground marketplaces to facilitate fraud.

According to telemetry data, the United States has the highest concentration of infections, with smaller concentrations seen in Israel, Spain, Germany, India, and Ireland. The industries most impacted include manufacturing, construction, and healthcare.

“These industries appear especially vulnerable to this type of campaign, likely due to their reliance on highly specialized and technical equipment, which often prompts users to search online for product manuals – one of the behaviors exploited by the TamperedChef campaign,” the investigators wrote.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
