Current Cyber Threats

Cooking up Trouble: How TamperedChef Uses Signed Apps to Deliver Stealthy Payloads

Summary:
The TamperedChef campaign, tracked by Acronis in a recent blog post, is a global malvertising and SEO operation that distributes malicious installers disguised as common applications. These installers are designed to establish persistence and deliver an obfuscated JavaScript payload that provides remote access. The operators rely on social engineering, malvertising, and SEO to lure victims, and they abuse digital certificates to increase user trust and evade defenses. A key tactical shift observed is the use of a dropped XML file to configure a scheduled task that fetches and executes the JavaScript payload.

TamperedChef is characterized by an industrialized, business-like infrastructure. The threat actors rely on a network of U.S.-registered shell companies (often LLCs) to quickly acquire and rotate short-lived code-signing certificates, so that the abuse of trust continues even after earlier certificates are revoked. Domains are consistently registered through NameCheap for one-year periods, often with domain privacy to hide ownership, allowing the infrastructure to be rebuilt rapidly.

Acronis telemetry indicates high activity in the Americas, with victims concentrated in the health care, construction, and manufacturing sectors. This is likely because users in these industries frequently search online for specialized product manuals, a behavior the campaign exploits. The campaign's motivations are likely financial or strategic. C2 is established by planting a heavily obfuscated variant of a JavaScript backdoor. The threat actors have evolved their tactics, moving by mid-2025 from longer-term certificates and random C2 domain names to short-lived, easily replaced certificates and legible C2 names, showing ongoing adaptation of their fake-application samples.
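The scheduled-task persistence described above leaves an auditable artifact: the task definition itself. The following added example (not code from the Acronis post) parses Windows Task Scheduler XML and flags tasks whose Exec action launches a script host, references a .js file, or carries a remote URL; the task XML samples are constructed for illustration and are not real TamperedChef artifacts.

```python
"""Flag Windows Task Scheduler XML that launches a script host or pulls a
remote script: the persistence pattern TamperedChef is described as using.
Added example, not from the Acronis post; sample XML below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def audit_task_xml(xml_text: str) -> list[str]:
    """Return reasons a task looks like script-based persistence (empty list if none)."""
    root = ET.fromstring(xml_text)
    reasons = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        command = (exec_node.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = exec_node.findtext("t:Arguments", "", NS) or ""
        binary = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if binary in SCRIPT_HOSTS:
            reasons.append(f"script host launched: {binary}")
        if URL_RE.search(args):
            reasons.append("action arguments contain a remote URL")
        if re.search(r"\.js\b", args, re.IGNORECASE):
            reasons.append("action arguments reference a .js file")
    # A logon trigger is what lets a dropped task outlive reboots.
    if reasons and root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        reasons.append("persists via logon trigger")
    return reasons

# Constructed samples for illustration (not real TamperedChef artifacts).
SUSPICIOUS_TASK = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\wscript.exe</Command>
    <Arguments>//B //E:jscript "%APPDATA%\\updater\\run.js" https://example.invalid/update</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Vendor\\backup.exe</Command>
    <Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", audit_task_xml(xml) or "no findings")
```

On a live host the same function can be fed the output of `Export-ScheduledTask` or the files under `C:\Windows\System32\Tasks`, which store each task in this XML format.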

Security Officer Comments:
TamperedChef presents a sophisticated, adaptable, and operationally mature threat. The campaign's reliance on rotating U.S.-based shell companies for certificate issuance and on short-term domain registration shows a focus on resilience, keeping the malware looking legitimate even as prior identities are dismantled. The shift to short-lived certificates and human-readable C2 domains illustrates a commitment to keeping the operation active and adaptable. The focus on health care and industrial sectors suggests a financial motive driven by the value of credentials and patient data and by the potential for lucrative ransomware events. This operation is a prime example of initial access brokerage infrastructure evolving into a highly industrialized operation.

Suggested Corrections:
Acronis’ Recommendations:
  • Integrate MDR or 24/7 threat monitoring: MDR services provide continuous monitoring, threat hunting and incident response support across all managed tenants. Shared telemetry (EDR + MDR) improves early detection of anomalous script execution, persistence mechanisms and certificate abuse.
  • Restrict installation rights and only distribute software that has been internally vetted or sourced directly from known vendors.
  • Maintain up-to-date systems and protections: Ensure endpoints have the latest OS patches and that antivirus definitions are up to date.
  • Educate end users: Provide training to identify malvertising and fake download pages, emphasizing that installers should only be obtained from verified vendor sources.
Link(s):
https://www.acronis.com/en/tru/posts/cooking-up-trouble-how-tamperedchef-uses-signed-apps-to-deliver-stealthy-payloads/