TamperedChef Malvertising Campaign Drops Malware via Fake PDF Manuals

By Team-CWD, January 16, 2026


A long-running malvertising campaign is dropping backdoor malware onto the networks of organizations around the world through trojanized PDF documents.

Dubbed TamperedChef, the malvertising campaign had previously been identified, but researchers at Sophos have detailed how its targeting has become widespread across Europe, with organizations in Germany, the UK and France being the most common victims.

The campaign has infected organizations across a range of industries, but researchers noted that it has often hit organizations which rely heavily on specialized technical equipment, where users are likely to refer to, and search for, instruction manuals.

It is this behaviour which TamperedChef is exploiting to infect organizations with infostealers, with a focus on credential theft and backdoor access to networks.

The campaign has been designed to avoid detection, with delays to the malware being deployed to ensure persistence on networks.

“This large, multi-layered distribution network featured multiple advanced tactics, including a delayed activation/dormancy period, decoy software, staged payload delivery, abuse of code-signing certificates, and efforts to evade endpoint protection mechanisms,” said Sophos.

TamperedChef Attack Chain in Detail

The attack chain starts when someone uses a search engine to look for something, particularly a query relating to appliance manuals or PDF editing software.

As part of the campaign, the attackers have created malicious adverts which appear at the top of related search results, either via SEO, paid promotion or both. The aim is simple: if the advert is at the top of the page and looks like it contains what the user is looking for, they’ll click on it.

These adverts direct the user to malicious sites which prompt them to download files, under the pretence that what they are downloading is the document they were searching for. It is this download which leads to infection with the infostealer.

“Upon execution, the infostealer harvests browser-stored data, establishes a connection to a command-and-control (C2) server for data exfiltration, and retrieves an additional payload named ManualFinderApp.exe. This file is a trojanized application that functions as an infostealer and a backdoor,” said Sophos.

However, to avoid detection – and user suspicion – the malicious behaviour doesn’t begin until 56 days after the download.
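One defender-side check that the dormancy detail above suggests, as an added example that is not part of the Sophos research or this article: it correlates constructed download and network telemetry and flags browser-downloaded executables whose first outbound connection comes weeks after the download. The event field names, timestamps and destination addresses are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample telemetry, not taken from the article: one browser
# download event and one first-outbound-connection event per executable.
# Timestamps are ISO 8601 strings as a SIEM export might provide them;
# destination addresses are from documentation ranges.
DOWNLOADS = [
    {"exe": "ManualFinderApp.exe", "time": "2025-11-01T09:12:00", "source": "browser"},
    {"exe": "ApplianceManual.exe", "time": "2025-11-01T10:00:00", "source": "browser"},
    {"exe": "Updater.exe", "time": "2025-12-20T08:00:00", "source": "package_manager"},
]
CONNECTIONS = [
    {"exe": "ManualFinderApp.exe", "time": "2025-12-27T09:30:00", "dest": "203.0.113.10"},
    {"exe": "ApplianceManual.exe", "time": "2025-11-01T10:00:30", "dest": "198.51.100.7"},
    {"exe": "Updater.exe", "time": "2026-02-01T08:05:00", "dest": "192.0.2.50"},
]


def first_seen(events):
    """Map each executable name to the earliest timestamp among its events."""
    seen = {}
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["exe"] not in seen or t < seen[ev["exe"]]:
            seen[ev["exe"]] = t
    return seen


def find_dormant_activations(downloads, connections, min_days=30):
    """Return (exe, dormancy_days) for browser-downloaded executables whose
    first outbound connection comes at least min_days after the download.
    A long gap between download and first beaconing is the dormancy pattern
    the article describes; a benign installer usually phones home within
    minutes, so a multi-week gap is worth a closer look."""
    downloaded = first_seen([d for d in downloads if d["source"] == "browser"])
    connected = first_seen(connections)
    hits = []
    for exe, dl_time in downloaded.items():
        if exe in connected:
            gap_days = (connected[exe] - dl_time).days
            if gap_days >= min_days:
                hits.append((exe, gap_days))
    return sorted(hits)


if __name__ == "__main__":
    for exe, days in find_dormant_activations(DOWNLOADS, CONNECTIONS):
        print(f"{exe}: first outbound connection {days} days after download")
```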

“The threat actors behind the TamperedChef campaign crafted convincing malicious applications, leveraged targeted advertising to achieve large-scale distribution,” said Sophos.

To help avoid falling victim to malvertising campaigns like TamperedChef, Sophos recommended that users avoid clicking installation links or pop-ups in online adverts but instead rely on official sites to download the required documents.

For organizations, it is recommended that information security teams apply appropriate controls to ensure that files and software can only be downloaded from approved and trusted sources.

Multi-factor authentication should also be applied to accounts to help protect them from being actively compromised, even in the event of passwords being stolen.
