
Threat actors are using fake installers disguised as popular software to trick users into installing malware as part of a global malvertising campaign called TamperedChef.
The ultimate goal of the attack is to establish persistence and deliver JavaScript malware that facilitates remote access and control, according to a new report from Acronis Threat Research Unit (TRU). The Singapore-based company said the campaign is ongoing, new artifacts have been detected, and associated infrastructure remains active.
“Operators rely on social engineering using everyday application names, malvertising, search engine optimization (SEO), and the abuse of digital certificates aimed at increasing user trust and evading security detection,” researchers Darrell Virtusio and Joseph Gegeny said.

TamperedChef is the name assigned to a long-running campaign that leverages seemingly legitimate installers of various utilities to distribute information-stealing malware of the same name. This is assessed to be part of a broader attack set codenamed ‘EvilAI’ that uses decoys related to artificial intelligence (AI) tools and software to propagate malware.
To give these counterfeit apps the appearance of legitimacy, attackers sign them using code-signing certificates issued to shell companies registered in the United States, Panama, and Malaysia, and obtain new certificates with different company names when the old certificates expire.
Acronis described this infrastructure as “industrialized and business-like,” effectively allowing operators to steadily churn out new certificates and exploit the inherent trust associated with signed applications to disguise malicious software as legitimate.
It is worth noting at this point that the malware tracked by Truesec and G DATA as TamperedChef, also called BaoLoader by Expel, is different from the original TamperedChef malware that was embedded within a malicious recipe application distributed as part of the EvilAI campaign.

Acronis told Hacker News that it uses TamperedChef to refer to the malware family because it has already been widely adopted by the cybersecurity community. “This avoids confusion and maintains consistency with existing publications and detection names used by other vendors, who also refer to the malware family as TamperedChef,” the company said.
A typical attack unfolds as follows. Users searching for PDF editors or product manuals on search engines like Bing are shown malicious ads or harmful URLs that, when clicked, redirect users to booby-trapped domains registered with NameCheap and trick them into downloading the installer.
After running the installer, the user is asked to accept the program’s license terms. Then, as soon as the installation is complete, it launches a new browser tab and displays a thank-you message to continue its ruse. However, in the background, it drops an XML file and creates a scheduled task designed to launch an obfuscated JavaScript backdoor.
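As an added detection example (not code from the Acronis report or from the campaign's artifacts), the Python below parses Windows Task Scheduler task definitions of the kind the installer drops and flags any Exec action that launches a Windows script host or references a .js/.jse file, which is the persistence pattern described above. The two task XML documents are constructed for illustration and are not real TamperedChef samples.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# Script hosts that execute .js/.jse files; flagged regardless of their arguments.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_FILE_RE = re.compile(r'[^\s"]+\.jse?\b', re.IGNORECASE)

# Constructed sample task definitions (not real campaign artifacts).
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B "C:\\Users\\Public\\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h</Arguments></Exec>
  </Actions>
</Task>"""


def find_js_launching_actions(task_xml: str) -> list:
    """Return one finding per Exec action that runs a script host or references a .js/.jse file."""
    root = ET.fromstring(task_xml)
    triggers_node = root.find(f"{{{TASK_NS}}}Triggers")
    # Record how the task is triggered (e.g. LogonTrigger) to describe the persistence mechanism.
    triggers = [] if triggers_node is None else [t.tag.split("}")[-1] for t in triggers_node]
    findings = []
    for exec_node in root.iter(f"{{{TASK_NS}}}Exec"):
        command = (exec_node.findtext(f"{{{TASK_NS}}}Command") or "").strip()
        arguments = (exec_node.findtext(f"{{{TASK_NS}}}Arguments") or "").strip()
        host = PureWindowsPath(command.strip('"')).name.lower()
        scripts = JS_FILE_RE.findall(f"{command} {arguments}")
        if host in SCRIPT_HOSTS or scripts:
            findings.append({"host": host, "scripts": scripts, "triggers": triggers, "arguments": arguments})
    return findings


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, find_js_launching_actions(xml_text))
```

On a live host the same function can be run over the files exported from the Task Scheduler library (C:\Windows\System32\Tasks) to triage tasks that were created right after a suspicious installer ran.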

The backdoor then connects to an external server and sends basic information such as session ID, machine ID, and other metadata in the form of an encrypted and Base64-encoded JSON string over HTTPS.
That said, the campaign’s ultimate objective remains unclear. Some of the observed activity has been found to facilitate advertising fraud, indicating a financial motive. The attackers may also be looking to monetize access by selling it to other cybercriminals, or to collect sensitive data to sell on underground forums to enable fraud.
Telemetry data shows a significant concentration of infections in the United States, and to a lesser extent in Israel, Spain, Germany, India, and Ireland. The health care, construction, and manufacturing industries are the most affected.
“These industries appear to be particularly vulnerable to this type of campaign, perhaps because they rely on highly specialized and technical equipment. As such, users often search online for product manuals, which is one of the behaviors that the TamperedChef campaign exploits,” the researchers noted.
