Acronis warns of ongoing ‘TamperedChef’ malvertising campaign using signed fake installers

Researchers at Acronis Threat Research Unit (TRU) said threat actors are distributing bogus installers that masquerade as popular utilities in a global malvertising campaign whose goal is to establish persistence and deliver a JavaScript backdoor for remote access and control.

According to Acronis researchers Darrel Virtusio and Jozsef Gegeny, the operators combine social engineering with poisoned search results, malicious advertisements and Search Engine Optimization (SEO) to get the installers in front of victims, and misuse code-signing certificates to increase user trust and evade detection.

The report describes certificates issued to shell companies registered in the U.S., Panama and Malaysia. When one certificate is revoked, the operators obtain a replacement under a new company name, so signed malicious installers keep flowing; Acronis characterised the process as “industrialized and business-like”. The practical caveat is that a valid Authenticode signature only proves the signer held the private key at signing time, not that the signer is trustworthy, and revocation lags both the abuse and the clients that check for it.

A typical infection chain documented by Acronis begins when users searching for PDF editors or product manuals are served malicious ads or poisoned URLs that redirect to booby-trapped domains. After a user runs a counterfeit installer and accepts licensing prompts, the installer opens a thank-you page while dropping a Task Scheduler XML definition and registering a scheduled task from it; the task launches an obfuscated JavaScript backdoor.
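One check a defender can run against that persistence step, as an added example that is not code from Acronis or from the campaign: parse Task Scheduler XML definitions (the format `schtasks /Query /TN <name> /XML` exports and the format an installer can hand to `schtasks /Create /XML`) and flag tasks whose action runs a Windows Script Host binary on a script file, especially from a user-writable directory and on a logon or boot trigger. The two task definitions, the script-host list and the directory list are constructed assumptions; the report names only the JavaScript case, and the extension list here is broadened to the other WSH script types.

```python
"""Triage Windows Task Scheduler XML definitions for script-host persistence.

Added example, not Acronis's code. Flags the pattern the report describes:
a scheduled task that launches wscript/cscript on a script file dropped in a
user-writable directory, typically triggered at logon or boot.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                      # assumption
SCRIPT_PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"\s]+\.(?:js|jse|wsf|vbs|vbe))', re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger"}


def triage_task_xml(xml_text):
    """Return {'findings': [...], 'suspicious': bool} for one task definition.

    'suspicious' means a script host is launched on a script file; the other
    findings (trigger type, hidden flag, user-writable path) are context.
    """
    root = ET.fromstring(xml_text)
    findings = []

    for trig in root.findall("./t:Triggers/*", NS):
        tag = trig.tag.split("}")[-1]                     # strip namespace
        if tag in PERSISTENCE_TRIGGERS:
            findings.append(f"persistence_trigger:{tag}")

    hidden = root.findtext("./t:Settings/t:Hidden", default="", namespaces=NS)
    if (hidden or "").strip().lower() == "true":
        findings.append("hidden")

    script_host = script_file = False
    for ex in root.findall("./t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            script_host = True
            findings.append(f"script_host:{exe}")
        for path in SCRIPT_PATH_RE.findall(cmd + " " + args):
            script_file = True
            findings.append(f"script_file:{path}")
            if any(seg in path.lower() for seg in USER_WRITABLE):
                findings.append("user_writable_path")

    return {"findings": findings, "suspicious": script_host and script_file}


# Constructed sample: what a dropped definition of the described kind could look like.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\Users\victim\AppData\Roaming\PDFEditor\svc.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary vendor updater task, which must not be flagged.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task_xml(xml))
```

On a live host, feed it the output of `schtasks /Query /TN "<task>" /XML` for each task, or the files under `C:\Windows\System32\Tasks`; a logon-triggered, hidden task running `wscript.exe` on a `.js` under `AppData` is the shape to pull for analysis, while a signed updater on the same trigger is noise.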

The backdoor reportedly connects to external servers and transmits basic system metadata, such as session and machine identifiers, as an encrypted, Base64-encoded JSON string over HTTPS. Acronis also flagged a naming overlap: the family some vendors track as TamperedChef is called BaoLoader by others, and it is distinct from an earlier malware sample that was also labelled TamperedChef.

Telemetry cited by Acronis shows a concentration of infections in the United States, with smaller volumes in Israel, Spain, Germany, India and Ireland, and the most affected sectors identified as healthcare, construction and manufacturing. The report said some campaign iterations facilitate advertising fraud, but that the operators’ wider motives remain unclear and may include monetizing access or selling harvested data.