Full Report
Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef. The end goal of the attacks is to establish persistence and deliver JavaScript malware that facilitates remote access and control, per a new report from Acronis Threat Research Unit (TRU). The campaign, per the
Analysis Summary
# Tool/Technique: TamperedChef (Malware Family/Campaign)
## Overview
TamperedChef is the name assigned to a global, ongoing malvertising campaign that distributes malware by tricking users into downloading bogus installers masquerading as popular software (like PDF editors or product manuals). The primary goal is to establish persistence and deliver a JavaScript backdoor facilitating remote access and control. This campaign is assessed to be part of the broader EvilAI set of attacks.
## Technical Details
- Type: Malware Family / Campaign (Distributes JavaScript Malware)
- Platform: Not explicitly stated, but the Windows installer and Scheduled Task persistence point to Windows targets primarily.
- Capabilities: Initial infection via droppers/installers, establishment of persistence via scheduled tasks, delivery of obfuscated JavaScript backdoor, remote communication (C2).
- First Seen: Not stated in the excerpt; the article describes an ongoing campaign based on recent activity and reports.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link (via malvertising/poisoned URLs)
- **TA0003 - Persistence**
  - T1053 - Scheduled Task/Job
    - T1053.005 - Scheduled Task
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (HTTPS communication)
## Functionality
### Core Capabilities
- **Malvertising/SEO Lures:** Exploiting search engine results (Bing) and malvertising to direct users to malicious domains (registered on NameCheap).
- **Installer Deception:** Distributing malicious files disguised as legitimate software installers.
- **Persistence Setup:** Dropping an XML file to create a Windows Scheduled Task to launch the payload.
- **Payload Delivery:** Launching an obfuscated JavaScript backdoor upon persistence activation.
### Advanced Features
- **Code Signing Abuse:** Utilizing code-signing certificates issued to shell companies in the U.S., Panama, and Malaysia for digitally signing counterfeit applications to increase user trust and evade detection.
- **Encrypted C2 Communication:** The JavaScript backdoor encrypts and Base64-encodes session ID, machine ID, and metadata within a JSON string before sending it over HTTPS to an external server.
- **Association with EvilAI:** Integrated into a broader set of attacks leveraging lures related to Artificial Intelligence (AI) tools.
## Indicators of Compromise
*Note: Specific IoCs were not detailed in the provided excerpt, but the methodology suggests the following areas of interest:*
- File Hashes: [Not provided in excerpt]
- File Names: Bogus installers masquerading as PDF editors or product manuals.
- Registry Keys: Expected to involve keys related to Scheduled Tasks creation (e.g., `HKCU\Software\Microsoft\Windows\CurrentVersion\Windows Tasks` or WMI event subscriptions).
- Network Indicators: HTTPS communication delivering encrypted JSON strings containing session/machine metadata. C2 domains hosted on NameCheap infrastructure identified previously.
- Behavioral Indicators: Creation of scheduled tasks that execute obfuscated JavaScript; post-execution launch of a new, spurious browser tab ("thank you message").
## Associated Threat Actors
- Threat actors operating the "TamperedChef" global malvertising campaign.
- Assessed to be part of the broader **EvilAI** operation.
- Note: The malware family name TamperedChef is also tracked by Truesec and G DATA, while Expel refers to a similar variant as **BaoLoader**.
## Detection Methods
- **Signature-based detection:** Matching known malicious installer filenames or the code-signing certificate subjects (the shell companies) used to sign the counterfeit applications.
- **Behavioral detection:** Monitoring for the creation of new scheduled tasks that execute obfuscated JavaScript payloads, especially following the installation of seemingly benign software. Monitoring for outbound HTTPS traffic carrying encrypted/Base64-encoded JSON data originating from a newly established persistence mechanism.
- **YARA rules:** Could be developed targeting the structure or obfuscation techniques within the dropped JavaScript payload.
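As an added example (not code from the Acronis report), the scheduled-task check described above, applied to Task Scheduler XML: it flags any task whose Exec action hands a .js/.jse/.hta file to a script host. The two task definitions are constructed, and the same function can be run over the `TaskContent` of Windows Security event 4698 or over files under `C:\Windows\System32\Tasks`.

```python
# Added example, not code from the Acronis report: flag Windows Scheduled Task
# definitions whose Exec action hands a JavaScript file to a script host, the
# persistence pattern described above. Both task XML samples are constructed.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript", "cscript", "mshta")   # common Windows script hosts
SCRIPT_FILE = re.compile(r"\.(js|jse|hta)\b", re.IGNORECASE)

SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:jscript "C:\Users\Public\PDFEditor\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h</Arguments></Exec>
  </Actions>
</Task>"""

def exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield cmd, args

def is_suspicious_task(task_xml: str) -> bool:
    """True if any action runs a script host on a .js/.jse/.hta file, or names
    such a file directly (Windows opens .js with wscript.exe by default)."""
    for cmd, args in exec_actions(task_xml):
        host = cmd.lower().rsplit("\\", 1)[-1]   # executable name only
        if host.startswith(SCRIPT_HOSTS) and SCRIPT_FILE.search(args):
            return True
        if SCRIPT_FILE.search(cmd):
            return True
    return False

def flag_tasks(tasks: dict) -> list:
    """Return the names of task definitions (name -> XML) that look suspicious."""
    return [name for name, xml in tasks.items() if is_suspicious_task(xml)]
```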
## Mitigation Strategies
- **Prevention:** Blocking malvertising domains and known malicious infrastructure (if provided by threat intelligence). Deploying robust network filtering.
- **Hardening Recommendations:** Educating users regarding software installation sources, verifying digital signatures, and practicing extreme skepticism towards search engine advertisements that promise immediate utility software downloads. Disabling or limiting PowerShell/script execution capabilities where possible.
## Related Tools/Techniques
- **BaoLoader:** Malware tracked by Expel, believed to be a related variant or iteration of the same underlying threat family, tracked under a different name by different researchers.
- **EvilAI:** The broader campaign umbrella under which TamperedChef operates, utilizing AI-related lures.