In recent weeks, cybersecurity experts have identified a significant increase in malvertising campaigns distributing a deceptive application known as TamperedChef. This malware poses as a legitimate PDF editing tool, AppSuite PDF Editor, and employs persuasive advertisements to entice individuals and organizations across Europe into downloading its installer.
Deceptive Installation Process
Upon execution, the TamperedChef installer presents itself as a fully functional PDF editor, maintaining this facade for nearly two months. During installation, users encounter a professional end-user license agreement (EULA) dialogue, consistent with those found in mainstream software. This multilingual EULA enhances the illusion of legitimacy and effectively bypasses automated sandbox detections.
By clicking “Accept and Install,” the MSI package proceeds without requiring administrative privileges, making it particularly effective in corporate environments where user rights are often restricted.
Discovery and Analysis
Analysts at WithSecure Labs identified TamperedChef following a sudden spike in credential theft incidents within enterprise environments. Telemetry data revealed that, upon activation, the malware’s concealed payload systematically harvests usernames and passwords stored in browsers. This exfiltration occurs silently, with the stolen credentials transmitted to attacker-controlled infrastructure, facilitating backdoor access and potential lateral movement within affected networks.
Once the malicious payload embedded within `pdfeditor.js` activates, the application transitions from a benign editor to a stealthy credential harvester.
Technical Mechanisms
The attack is orchestrated using a custom NodeJS module—Utilityaddon.node—which interacts with native Windows APIs to manipulate registry entries and scheduled tasks for persistence. By inserting autorun registry keys under the current user hive, the malware ensures execution at each logon without elevating privileges.
Infection Mechanism
The infection begins when a user clicks a malicious advertisement and downloads the AppSuite PDF Editor installer from vault.appsuites.ai. This installer, created with the Nullsoft Scriptable Install System (NSIS), unpacks the Electron-based application under the user’s profile directory.
The primary executable, PDF Editor.exe, launches a Chromium-based interface that loads additional JavaScript modules from remote servers. Before any PDF editing functionality is available, the installer sets persistence via an autorun registry entry named `PDFEditorAutoUp` that points to the installed application.
At runtime, the obfuscated `pdfeditor.js` script checks for command-line switches, notably `--cm`, which triggers malicious routines:
```javascript
if (app.commandLine.hasSwitch('cm')) {
    utilityAddon.setupTasks(globals.scheduledTaskName);
    startCredentialHarvest();
}
```
By using command-line flags, the threat actors can toggle between benign and malicious behaviors, complicating detection.
Once the script executes `startCredentialHarvest()`, it scans local browser storage for credentials and dispatches them over HTTPS to attacker-controlled endpoints, while the visible PDF editor interface remains functional to avoid arousing suspicion.
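The two behaviours described above, the `PDFEditorAutoUp` autorun value in the current-user hive and `PDF Editor.exe` being launched with the `--cm` switch, are both visible in ordinary endpoint telemetry. The following Python detector is an added illustration written for this article; it is not WithSecure's tooling or code from the campaign. It assumes the autorun value sits under the standard per-user `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` key (the article only says "current user hive"), assumes a simple dictionary schema for registry-set and process-creation events, and runs over a handful of constructed sample records rather than real logs.

```python
"""Flag TamperedChef-style indicators in endpoint telemetry.

Added example for this article, not the researchers' or the malware's code.
It scans constructed (fake) telemetry records for two behaviours the article
describes: an HKCU autorun value named PDFEditorAutoUp, and the PDF Editor
process started with the Electron-style --cm switch.
"""
import re
from dataclasses import dataclass

# Assumption: the autorun entry uses the standard per-user Run key; the article
# only states that keys are written "under the current user hive".
HKCU_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUN_VALUE_NAME = "PDFEditorAutoUp"   # value name given in the article
SUSPECT_IMAGE = "pdf editor.exe"         # compared case-insensitively
MALICIOUS_SWITCH = "cm"                  # Electron hasSwitch('cm') matches --cm / --cm=...


@dataclass(frozen=True)
class Finding:
    rule: str
    record_id: int
    detail: str


def electron_switch_present(cmdline: str, switch: str) -> bool:
    """Return True if --<switch> (optionally with =value) is a token on the line.

    Windows command lines are split on whitespace outside double quotes so a
    quoted document path such as "C:\\docs\\cm.pdf" is never mistaken for a switch.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for tok in tokens:
        tok = tok.strip('"')
        if tok == f"--{switch}" or tok.startswith(f"--{switch}="):
            return True
    return False


def scan(records: list) -> list:
    """Apply both rules to a list of telemetry dicts and return the findings."""
    findings = []
    for idx, rec in enumerate(records):
        kind = rec.get("event")
        if kind == "registry_set":
            # Rule 1: the named autorun value written to the per-user Run key.
            if (rec.get("key", "").lower() == HKCU_RUN_KEY.lower()
                    and rec.get("value_name", "") == AUTORUN_VALUE_NAME):
                findings.append(Finding("hkcu_autorun_pdfeditorautoup", idx, rec.get("data", "")))
        elif kind == "process_create":
            # Rule 2: the editor binary launched with the switch that enables the payload.
            image = rec.get("image", "").rsplit("\\", 1)[-1].lower()
            cmd = rec.get("command_line", "")
            if image == SUSPECT_IMAGE and electron_switch_present(cmd, MALICIOUS_SWITCH):
                findings.append(Finding("pdf_editor_cm_switch", idx, cmd))
    return findings


# Constructed sample telemetry (not real logs). The install path is a plausible
# per-user location chosen for the example; the article gives no exact path.
_APP = r"C:\Users\alice\AppData\Local\Programs\PDF Editor\PDF Editor.exe"
SAMPLE_TELEMETRY = [
    {"event": "registry_set", "key": HKCU_RUN_KEY,
     "value_name": "PDFEditorAutoUp", "data": _APP},                       # hit: rule 1
    {"event": "process_create", "image": _APP,
     "command_line": f'"{_APP}" --cm'},                                     # hit: rule 2
    {"event": "process_create", "image": _APP,
     "command_line": f'"{_APP}" "C:\\Users\\alice\\Documents\\invoice.pdf"'},  # benign open
    {"event": "registry_set", "key": HKCU_RUN_KEY,
     "value_name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe --cm"},                                   # switch on another image
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TELEMETRY):
        print(f"[{f.rule}] record {f.record_id}: {f.detail}")
```

The tokenizer matters more than it looks: a naive `"--cm" in command_line` would also match a document path containing that text, while splitting on whitespace outside quotes keeps the rule anchored to an actual switch token. In production the two rules would be fed from Sysmon or EDR registry-set and process-creation events rather than the inline list.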
Broader Implications
The TamperedChef campaign underscores the evolving sophistication of cyber threats, particularly those leveraging trusted software categories to deploy malware. By disguising malicious software as legitimate productivity tools, attackers can achieve widespread distribution and prolonged persistence before revealing their true intent.
This campaign also highlights the effectiveness of malvertising—using online advertisements to distribute malware. By promoting the fake PDF editor through convincing ads, the attackers increase the likelihood of users downloading and installing the malicious software.
Recommendations for Mitigation
To protect against threats like TamperedChef, individuals and organizations should consider the following measures:
1. Verify Software Sources: Always download software from official and reputable sources. Be cautious of applications promoted through unsolicited advertisements.
2. Implement Application Whitelisting: Restrict the execution of unauthorized applications by maintaining a whitelist of approved software.
3. Regularly Update Security Software: Ensure that antivirus and anti-malware solutions are up to date to detect and prevent the latest threats.
4. Educate Users: Provide training on recognizing phishing attempts and the risks associated with downloading software from untrusted sources.
5. Monitor Network Traffic: Implement network monitoring to detect unusual data exfiltration activities that may indicate a compromise.
By adopting these practices, organizations can enhance their defenses against sophisticated malware campaigns like TamperedChef.