TamperedChef recipe: info-stealing fake PDF editors and undigested meals
- Javier Conejo del Cerro
- 54 minutes ago
- 4 min read

The campaign distributing TamperedChef demonstrates how cybercriminals are industrializing malware delivery. Using Google Ads malvertising, fraudulent websites, and trojanized productivity tools, they lure victims into installing what appears to be a harmless PDF editor. For weeks, the software behaves normally, but once activated, it transforms into a powerful information stealer and backdoor. Unlike traditional malware that immediately deploys, TamperedChef takes advantage of delayed activation, maximizing reach before “poisoning the meal.” The result: widespread theft of credentials, cookies, and browser data from unsuspecting users.
Phase 1: Delivery via Malvertising
The first stage is all about scale and deception.
Google Ads bait: Threat actors launch multiple sponsored ad campaigns on Google, targeting common searches like “free PDF editor” or “download PDF tools.” Because ads often appear above legitimate results, users are more likely to click.
Fraudulent websites: These ads redirect to counterfeit domains promoting AppSuite PDF Editor and similar names (e.g., PDF OneStart). The sites mimic real software portals, complete with polished branding.
Trojanized installer: The download is an installer wrapped with a seemingly benign program. It even prompts the victim to agree to terms of service and a privacy policy, reinforcing legitimacy.
Silent requests: Behind the scenes, the installer makes covert connections to attacker-controlled servers, preparing the ground for persistence and delayed malicious activation.
Why it works: By leveraging trusted ad ecosystems, attackers exploit user confidence in both Google Ads and familiar productivity software categories. This widens their pool of victims far beyond targeted phishing.
Phase 2: Execution & Persistence
Once downloaded, the installer sets the trap.
Registry persistence: TamperedChef modifies the Windows Registry, creating autorun entries that ensure the malware survives reboots.
Scheduled tasks: Two tasks, PDFEditorScheduledTask and PDFEditorUScheduledTask, are created to run with hidden arguments like --partialupdate or --fullupdate. These are designed to maintain silent callbacks with the command-and-control server.
Staged deployment: For nearly two months, the PDF editor behaves normally, offering real editing functionality. This deliberate delay is strategic: it evades early suspicion and maximizes installations before going live.
Delayed activation: Only after the ad campaign nears its end do infected machines receive new .js configuration files with malicious instructions, “switching on” the stealer.
This staged approach shows patience and planning—waiting until the campaign had a broad installed base before activating malicious features.
Phase 3: Theft & Backdoor Activation
When activated, TamperedChef reveals its full arsenal.
Browser termination: The malware shuts down browsers to unlock stored session data.
Data theft: It collects:
Credentials (usernames and passwords saved in browsers).
Cookies (session tokens enabling account hijacking without passwords).
Browsing history (valuable for profiling victims).
Security product information (to adapt and evade defenses).
Targets: It focuses on Chromium-based browsers, OneLaunch, and Wave, all common among casual users.
Backdoor functions: TamperedChef acts as more than a stealer—it is also a remote-controlled implant. With arguments like:
--check: Queries the system, reads browser keys, and manipulates data.
--ping: Connects with the C2 server for updated commands.
--reboot: Combines system control with process-killing.
Flexible control: These functions allow attackers not only to exfiltrate data but also to download additional malware, manipulate browser settings (e.g., force malicious search engines), and execute arbitrary commands.
Unlike a simple info-stealer, TamperedChef is modular and adaptive, capable of shifting from credential theft to broader compromise depending on attacker needs.
Phase 4: Victims on the Menu
TamperedChef’s victims are not corporate IT admins or diplomats—they are ordinary Windows users, which makes the campaign especially dangerous.
User profile: Students downloading free tools for assignments, small business employees looking for PDF editors, freelancers, and even professionals seeking productivity shortcuts.
Why vulnerable:
They often lack enterprise-grade security protections (EDR, monitoring).
They rely heavily on web browsers to store credentials and cookies, making their data highly valuable.
Their trust in online ads and the appeal of “free software” exposes them to malvertising traps.
Impact:
Stolen cookies and credentials allow attackers to bypass MFA and hijack accounts.
Compromised sessions can give access to email, banking, and corporate portals.
With persistence and C2 control, victim machines may be repurposed into residential proxies or used to spread further malware.
In short, TamperedChef targets the everyday digital habits of normal users, weaponizing their search for convenience into a gateway for exploitation.
Phase 5: The Bigger Picture
TamperedChef isn’t just another stealer—it reflects broader cybercrime trends:
Malvertising scale: Using legitimate ad networks to distribute malware massively.
Staged campaigns: Malware that lies dormant before activating malicious features.
Modularity: Blurring lines between stealers, backdoors, and trojans.
Commodity tools: Turning simple utilities like PDF editors into Trojan horses for data theft.
Measures to fend it off
Avoid ad-driven downloads: Only get software from official vendor websites or trusted repositories.
Monitor autoruns: Check for suspicious Registry keys and tasks like PDFEditorScheduledTask.
Detect staged behavior: Hunt for benign-looking programs that make unusual C2 callbacks after installation.
Block malicious domains: Use DNS filtering to prevent connections to attacker infrastructure.
EDR deployment: Detect browser process kills, infostealer signatures, and persistence mechanisms.
Credential hygiene: Don’t store passwords in browsers; use password managers and enforce MFA.
Awareness training: Educate users on malvertising risks and the dangers of “free” productivity tools.
Incident readiness: If infected, isolate the machine, remove Registry persistence, rotate credentials, and audit for secondary malware.
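One way to hunt for the persistence and backdoor indicators described in Phases 2 and 3 (the scheduled-task names and the --partialupdate/--fullupdate and --check/--ping/--reboot switches) is to run simple matching logic over endpoint telemetry. This is an added example and not code from the original article; the Sysmon-style record layout, its field names and the "image name contains pdf" filter are assumptions constructed for the demonstration.

```python
"""Hunting logic for the TamperedChef persistence and backdoor indicators.
Constructed, Sysmon-style telemetry records stand in for real endpoint logs."""
import re

# Indicators from the article: scheduled-task names and command-line switches.
TASK_NAMES = {"PDFEditorScheduledTask", "PDFEditorUScheduledTask"}
UPDATE_SWITCHES = {"--partialupdate", "--fullupdate"}
BACKDOOR_SWITCHES = {"--check", "--ping", "--reboot"}
# Hypothetical filter: only binaries posing as PDF editors are of interest.
PDF_IMAGE = re.compile(r"pdf", re.IGNORECASE)


def switches(tokens: list[str]) -> set[str]:
    """Return the lower-cased --switches among a list of command-line tokens."""
    return {t.lower() for t in tokens if t.startswith("--")}


def classify_event(event: dict) -> list[str]:
    """Return findings for one telemetry record; an empty list means benign."""
    findings = []
    if event["type"] == "task_registered":
        if event["task_name"] in TASK_NAMES:
            findings.append(f"known TamperedChef task name {event['task_name']}")
        if switches(event.get("arguments", "").split()) & UPDATE_SWITCHES:
            findings.append("task action uses a TamperedChef update switch")
    elif event["type"] == "process_create":
        # argv[0] is the image itself, so only look at the arguments.
        hit = switches(event["command_line"].split()[1:]) & BACKDOOR_SWITCHES
        # A PDF-editor binary taking backdoor switches is the activation tell.
        if hit and PDF_IMAGE.search(event["image"]):
            findings.append(f"PDF editor launched with backdoor switch {sorted(hit)[0]}")
    return findings


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify_event over a batch; returns (record index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify_event(ev)]


# Constructed sample records (not real logs): two task registrations and two
# process creations, only some of which should be flagged.
SAMPLE_EVENTS = [
    {"type": "task_registered", "task_name": "PDFEditorScheduledTask",
     "arguments": "--partialupdate"},
    {"type": "task_registered", "task_name": "OneDrive Reporting Task",
     "arguments": "/reporting"},
    {"type": "process_create",
     "image": r"C:\Users\user\AppData\Local\AppSuite\pdfeditor.exe",
     "command_line": "pdfeditor.exe --ping"},
    {"type": "process_create", "image": r"C:\Program Files\Git\cmd\git.exe",
     "command_line": "git.exe diff --check"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"record {idx}: {finding}")
```

The last sample record shows why the switch alone is not enough: a legitimate tool can use --check, so the image filter keeps the rule from firing on it.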