👤 NETAEGIS
🗓️ 20 Nov 2025   🌍 North America

Digital Wolves in Software’s Clothing: How TamperedChef Lures the World with Fake Installers

Cybercriminals are exploiting fake software installers in a global campaign, using clever disguises and digital certificates to slip malware past unsuspecting users.

Fast Facts

  • The TamperedChef malware spreads through counterfeit installers for popular apps.
  • Attackers use fake code-signing certificates from shell companies to make malware look legitimate.
  • The campaign is ongoing, with infections reported globally, especially in the US.
  • Industries like healthcare, construction, and manufacturing are particularly targeted.
  • Victims are often lured via poisoned ads and search results for technical manuals and software.

The Setup: Trust as a Weapon

Imagine downloading what looks like a reputable PDF editor or a must-have manual for a specialized machine. The installer even bears a digital signature - an electronic stamp of approval. But beneath this glossy surface, you’re unwittingly opening a backdoor for cybercriminals. This is the essence of the TamperedChef campaign, a slick global operation that blends technical cunning with psychological manipulation.

According to Acronis Threat Research Unit, TamperedChef is not just a single strain of malware, but the centerpiece of a sprawling campaign. Its operators use malvertising - ads that hide malicious intent - and search engine tricks to steer victims to poisoned websites. The twist: the malware is disguised as everyday software, often signed with certificates from companies that exist only on paper, registered in far-flung places like Panama or Malaysia.

The Playbook: Old Tricks, New Tech

TamperedChef’s approach isn’t new, but it’s worryingly effective. By exploiting the trust users place in signed software, attackers bypass many security gates. Once an installer is launched, it runs a seemingly harmless setup, even displaying a thank-you message. Meanwhile, in the background, a hidden script sets up a scheduled task - like a burglar making a spare key - so the attackers can return whenever they want.

The malware then quietly sends encrypted details about its new host - session and machine IDs - back to the attackers. Sometimes, the compromised machines are used for ad fraud, generating fake clicks for revenue. Other times, the access is sold on cybercrime forums, or sensitive data is harvested for further exploitation.
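The two-step behaviour described above (a setup routine that looks harmless while a background script registers a scheduled task) leaves a trace a defender can look for in task-creation telemetry, and that check works whether or not the installer carried a valid signature. The following is an added example, not code from the article or from Acronis. It models Windows Security event 4698 ("A scheduled task was created"), whose TaskName and TaskContent fields are real; the events, task names, file paths, the interpreter list and the user-writable-path heuristic are all constructed for this illustration.

```python
"""Added example: flag scheduled-task creations that look like installer-dropped
persistence, i.e. a task whose action runs a script interpreter from a
user-writable directory. Modelled on Windows Security event 4698 ("A scheduled
task was created"), which carries TaskName and TaskContent (the task XML).
All events below are constructed for this example; nothing is from a real host."""
import re
import xml.etree.ElementTree as ET

# Script hosts that a dropped persistence script is typically launched with.
# (Heuristic list chosen for this example, not a vendor signature.)
INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "cmd.exe", "node.exe"}

# Path fragments an unprivileged user can write to; a legitimate installer
# normally registers tasks that run from Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def parse_exec_action(task_content):
    """Return (command, arguments) from a Task Scheduler XML body, or None."""
    root = ET.fromstring(task_content)
    exec_node = root.find(".//t:Actions/t:Exec", TASK_NS)
    if exec_node is None:
        return None
    command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
    arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
    return command, arguments


def is_suspicious_action(command, arguments):
    """True when a script interpreter is launched with anything under a user-writable path."""
    exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in INTERPRETERS:
        return False
    return USER_WRITABLE.search(f"{command} {arguments}") is not None


def flag_suspicious_tasks(events):
    """Return the names of tasks from 4698 events whose action matches the pattern."""
    flagged = []
    for event in events:
        if event.get("EventID") != 4698:   # only task *creation*, not updates/deletes
            continue
        action = parse_exec_action(event["TaskContent"])
        if action and is_suspicious_action(*action):
            flagged.append(event["TaskName"])
    return flagged


def _task_xml(command, arguments=""):
    """Build a minimal task definition (helper for the constructed sample data)."""
    return (
        f'<Task xmlns="{TASK_NS["t"]}"><Actions><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample events: two benign, two resembling an installer-dropped task,
# and one task-updated event (4702) that the creation-only filter must ignore.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "TaskContent": _task_xml(r"%systemroot%\system32\usoclient.exe", "StartScan")},
    {"EventID": 4698, "TaskName": r"\PDFEditorUpdater",
     "TaskContent": _task_xml("wscript.exe",
                              r'//B "C:\Users\alice\AppData\Roaming\PDFEditor\update.js"')},
    {"EventID": 4698, "TaskName": r"\BackupJob",
     "TaskContent": _task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              r'-File "C:\Program Files\Backup\job.ps1"')},
    {"EventID": 4698, "TaskName": r"\ManualViewerSync",
     "TaskContent": _task_xml(r"C:\Users\bob\AppData\Local\Temp\viewer\node.exe",
                              r"C:\Users\bob\AppData\Local\Temp\viewer\sync.js")},
    {"EventID": 4702, "TaskName": r"\PDFEditorUpdater",
     "TaskContent": _task_xml("wscript.exe", r"C:\Users\alice\AppData\Roaming\x.js")},
]

if __name__ == "__main__":
    for name in flag_suspicious_tasks(SAMPLE_EVENTS):
        print("suspicious scheduled task:", name)
```

The rule deliberately ignores whether the launching installer was signed, because the point of the campaign is that the signature is present and looks valid; what the installer leaves behind (an interpreter pointed at a script under AppData or Temp) is the more durable signal. In a real deployment the interpreter set and the path pattern are the tunable parts, and a hit should be cross-referenced with the process that created the task, which the 4698 event also records.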

This strategy echoes past campaigns like the infamous SolarWinds breach, where attackers also abused trusted software channels. It’s a reminder that, in cybersecurity, trust is both a necessity and a vulnerability.

Global Reach, Local Impact

While infections have been spotted worldwide, the United States leads in reported cases, with significant activity in Israel, Spain, Germany, India, and Ireland. Industries that rely on specialized equipment - healthcare, construction, manufacturing - are especially vulnerable, as their staff frequently search online for manuals or updates, making them prime targets for these digital wolves.

The campaign’s infrastructure is described as “industrialized and business-like,” able to churn out new fake certificates as needed. This adaptability, combined with clever lures referencing artificial intelligence tools (hence the codename EvilAI), suggests a well-funded and persistent adversary.

As cybercriminals continue to weaponize trust and blend in with legitimate software, the line between safe and unsafe downloads grows dangerously thin. The TamperedChef campaign is a stark warning: in a world where digital signatures and familiar names can be faked, vigilance - and skepticism - are our best defenses.

WIKICROOK

  • Malvertising: Malvertising is the use of online ads to spread malware, often by tricking users into clicking harmful links - even on trusted websites.
  • Code: Code is a set of instructions written for computers. In cybersecurity, analyzing code helps detect unauthorized or suspicious software, including hidden threats.
  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • Obfuscated JavaScript: Obfuscated JavaScript is code deliberately scrambled to hide its true purpose, making it hard for humans and security tools to analyze or detect threats.
  • Information stealer: An Information Stealer is malware that secretly collects personal data, like passwords or financial info, and sends it to cybercriminals.
Tags: TamperedChef, malware, cybersecurity

NETAEGIS
Distributed Network Security Architect