Hackers are distributing a fake PDF Editor loaded with TamperedChef credential stealing malware


  • At least five Google ads campaigns were running, promoting spoofed software
  • Someone trojanized different PDF editors to deliver infostealers
  • Defenders are warning about the TamperedChef infostealing malware

Be careful when downloading a program called “AppSuite PDF Editor” - there are poisoned variants circulating around the web.

In late June, security researchers at Truesec observed multiple newly published websites, all spoofing the program. At the same time, at least five different Google Ads campaigns were set up to promote those websites.

As a result, anyone searching for ‘AppSuite PDF Editor’ could have ended up on one of the many sites serving a trojanized version of the app. Those who downloaded it saw the usual installation process and user license agreement prompts in the foreground, while in the background an infostealer and backdoor called TamperedChef was being deployed.

PDF Editors loaded with malware

What makes this malware particularly sinister is the deceptive delay with which it operates. It will wait for approximately 56 days before activating, most likely to give threat actors enough time to distribute the infostealer to as many victims as possible, before being spotted by the defenders.

"The length from the start of the [ad] campaign until the malicious update was also 56 days, which is close to the 60-day length of a typical Google advertising campaign, suggesting the threat actor let the ad campaign run its course, maximizing downloads, before activating the malicious features," Truesec said.

In the meantime, it achieves persistence via Windows Registry modifications and creates several scheduled tasks. Once activated, TamperedChef can collect browser credentials, session cookies, and other sensitive data, mostly by terminating browser processes and abusing the Windows Data Protection API (DPAPI) to decrypt the stored secrets.

It also performs system reconnaissance to detect which antivirus or malware protection tools the victim is running, and can function as a backdoor to deploy additional malware.

AppSuite is not the only PDF editor being spoofed in this campaign, either. PDF OneStart and PDF Editor have both been observed being abused in the same (or an adjacent) campaign.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
