Full Report
Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets. The post Tracking TamperedChef Clusters via Certificate and Code Reuse appeared first on Unit 42.
Analysis Summary
# Threat Actor: TamperedChef
## Attribution & Identity
* **Name/Alias:** TamperedChef.
* **Attribution:** Unit 42 (Palo Alto Networks) identifies these clusters as likely originating from North Korean (DPRK) state-sponsored actors.
* **Associations:** The activity demonstrates significant overlaps in code, certificates, and infrastructure with known DPRK groups such as **Lazarus Group** (and its sub-clusters like **BlueNoroff**).
## Activity Summary
The actor utilizes "trojanized" versions of legitimate productivity and communication software to deliver malware. Recent operations involve:
* **Malvertising Campaigns:** Using search engine advertisements to lure users into downloading compromised versions of popular software.
* **Social Engineering:** Targeting professional individuals (often via LinkedIn or similar platforms) with "job opportunities" that require downloading specific apps.
* **Certificate Abuse:** Utilizing legitimate but stolen or fraudulently obtained code-signing certificates to bypass security warnings.
## Tactics, Techniques & Procedures
* **Trojanized Backdoors:** Injecting malicious code into the installer or executable of legitimate applications (e.g., SlimPDF, Notepad++, various crypto-wallets).
* **Malvertising (T1589):** Using paid search results to redirect targets to malicious landing pages.
* **Code Signing (T1553.002):** Signing malicious binaries with valid certificates to appear trustworthy.
* **Staged Execution:** Dropping a small "loader" that subsequently fetches more complex payloads from a Command and Control (C2) server.
* **Defense Evasion:** Using obfuscation and anti-analysis checks to detect virtual environments or sandbox analysis.
## Targeting
* **Sectors:** Software development, Cryptocurrency/FinTech, Media, and defense-related industries.
* **Geography:** Global reach, with specific focus on North America, Europe, and South Korea.
* **Victims:** Technical leads, developers, and IT administrators are high-priority targets due to their access levels.
## Tools & Infrastructure
* **Malware Families:**
  * **TamperedChef Loaders:** Specialized loaders designed to mimic legitimate app installers.
  * **Manuscrypt:** A signature malware family often associated with Lazarus Group.
* **Infrastructure:**
  * **C2 Domains (Defanged):**
    * `hxxp[://]visualstudioide[.]com`
    * `hxxps[://]app-logic[.]net`
    * `hxxps[://]plugin-service[.]com`
  * **IPs (Defanged):**
    * `185[.]236[.]202[.]214`
    * `104[.]168[.]145[.]132`
## Implications
TamperedChef represents a highly persistent threat that bridges the gap between cybercrime (financial gain) and traditional espionage. Its use of supply-chain-style tactics (packaging malware inside trusted tools) erodes the trust model of standard software distribution. The group is particularly dangerous to organizations that tolerate "Shadow IT" or permit employees to download software without centralized vetting.
## Mitigations
* **Software Vetting:** Mandate that all productivity software be downloaded only from official vendor websites or a curated internal repository.
* **Certificate Monitoring:** Implement security controls (EDR/XDR) that flag or block binaries signed by suspicious or newly revoked certificates.
* **Ad-Blocking:** Use enterprise-level DNS filtering or browser-based ad-blockers to mitigate the risk of malvertising.
* **Endpoint Detection:** Deploy EDR solutions capable of detecting process hollowing or unusual child-process behavior originating from common productivity apps like PDF readers or text editors.
* **Education:** Train high-value targets (developers/IT) to recognize social engineering attempts involving "pre-interview" software downloads.
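The certificate-and-code pivoting that the report's title refers to, and the certificate-monitoring mitigation above, can be turned into a triage step over EDR telemetry. The following is an added Python example, not code from Unit 42 or from the report: it links signed binaries that share either a signer certificate or a code-similarity key (here an import hash, standing in for whatever similarity key the telemetry provides) into clusters, then flags clusters whose signer is on a revoked/suspicious list or whose one certificate lineage spans several unrelated product names. All records, hashes, thumbprints and product names are constructed placeholders, not indicators from the report.

```python
from collections import defaultdict

# Constructed sample EDR-style records (placeholders, not indicators from the report).
# "signer" is the code-signing certificate thumbprint, "imphash" any code-similarity key.
SAMPLE_EVENTS = [
    {"sha256": "h1", "product": "SlimPDF Reader",  "signer": "CERT-A", "imphash": "IMP-1"},
    {"sha256": "h2", "product": "Notepad++ Setup", "signer": "CERT-A", "imphash": "IMP-2"},
    {"sha256": "h3", "product": "WalletPro",       "signer": "CERT-B", "imphash": "IMP-2"},
    {"sha256": "h4", "product": "Vendor Updater",  "signer": "CERT-C", "imphash": "IMP-9"},
    {"sha256": "h5", "product": "Calc Tool",       "signer": "CERT-D", "imphash": "IMP-7"},
    {"sha256": "h6", "product": "Calc Tool",       "signer": "CERT-D", "imphash": "IMP-7"},
]

# Constructed revocation/blocklist (assumption: fed from CRL/OCSP checks or vendor intel).
REVOKED_SIGNERS = {"CERT-C"}


def _find(parent, x):
    # Union-find lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def build_clusters(events):
    """Group samples transitively: two samples are linked if they share a signer
    certificate or a code-similarity key. Returns sorted lists of sha256 values."""
    parent = {ev["sha256"]: ev["sha256"] for ev in events}
    by_key = defaultdict(list)
    for ev in events:
        by_key[("signer", ev["signer"])].append(ev["sha256"])
        by_key[("code", ev["imphash"])].append(ev["sha256"])
    # Every sample that shares a key gets unioned into the same set.
    for members in by_key.values():
        root = _find(parent, members[0])
        for h in members[1:]:
            parent[_find(parent, h)] = root
    groups = defaultdict(set)
    for h in parent:
        groups[_find(parent, h)].add(h)
    return sorted(sorted(g) for g in groups.values())


def flag_clusters(events, revoked_signers, min_products=2):
    """Return clusters worth analyst attention, each with the reasons it was flagged."""
    by_hash = {ev["sha256"]: ev for ev in events}
    findings = []
    for members in build_clusters(events):
        signers = {by_hash[h]["signer"] for h in members}
        products = {by_hash[h]["product"] for h in members}
        reasons = []
        revoked = sorted(signers & revoked_signers)
        if revoked:
            reasons.append("revoked or suspicious signer: " + ", ".join(revoked))
        if len(products) >= min_products:
            # One certificate/code lineage behind several unrelated "apps" is the
            # reuse pattern used to track trojanized-installer clusters.
            reasons.append(f"lineage spans {len(products)} distinct product names")
        if reasons:
            findings.append({
                "hashes": members,
                "signers": sorted(signers),
                "products": sorted(products),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_clusters(SAMPLE_EVENTS, REVOKED_SIGNERS):
        print(f["hashes"], f["signers"], f["products"])
        for r in f["reasons"]:
            print("  -", r)
```

On the constructed data, h1, h2 and h3 collapse into one cluster (h1 and h2 share CERT-A, h2 and h3 share IMP-2) covering three product names, h4 is flagged on its revoked signer alone, and the two Calc Tool samples form a cluster that is not flagged. The product-count heuristic is a pivot for triage, not a verdict: a legitimate vendor signs many products with one certificate, so combine it with certificate age, issuer and the revocation feed before blocking.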