Tracking TamperedChef Clusters via Certificate and Code Reuse

What Happened

Cybercriminals are distributing fake productivity apps, like PDF editors and zip extractors, through malicious online advertisements. Once installed, these apps wait quietly for weeks before secretly downloading harmful software that can steal passwords or take control of the computer. Anyone downloading free utility software from search engine ads is at risk. Organizations should ensure their security tools are up to date and educate employees about the dangers of downloading unverified software from the internet.

Key Takeaways

• TamperedChef (aka EvilAI) distributes trojanized productivity software via malvertising to deliver infostealers, RATs, and adware.
• Threat actors heavily abuse legitimate code-signing certificates, often creating shell companies to procure them and bypass security warnings.
• The malware employs delayed execution, remaining dormant for weeks or months before fetching second-stage payloads.
• Three distinct clusters (CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110) have been identified, with over 4,000 samples tracked across 100 variants.

Affected Systems

• Windows endpoints
• Web browsers (targeted for credential theft and hijacking)

Attack Chain

Victims are lured via malvertising to download seemingly legitimate productivity applications. The downloaded binaries are signed with valid certificates to bypass initial security warnings and establish persistence using scheduled tasks or registry Run keys. The malware remains dormant for weeks to evade sandbox detection before reaching out to a C2 server. Finally, it downloads and executes a second-stage payload, which typically consists of an information stealer, RAT, or browser hijacker.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, relying instead on behavioral indicators and file hashes.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can detect the creation of scheduled tasks, registry run keys, and the delayed execution of secondary payloads from productivity applications. Network Visibility: Medium — Network visibility can identify connections to known malicious domains or unexpected C2 traffic from productivity apps, though the traffic may blend in with legitimate API calls. Detection Difficulty: Moderate — The use of valid code-signing certificates and extended dormancy periods makes initial detection challenging, but the eventual persistence mechanisms and second-stage downloads are highly detectable.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• Registry Events (Sysmon 12, 13, 14)
• Scheduled Task Creation (Event ID 4698)
• DNS Queries (Sysmon 22)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Consider hunting for productivity applications (e.g., PDF editors, calendar apps) creating scheduled tasks or registry Run keys for persistence.	Process Creation, Scheduled Task Creation, Registry Events	Persistence	Medium
Look for unexpected child processes or network connections originating from newly installed utility applications after a long period of inactivity.	Process Creation, Network Connections	Execution / Command and Control	Low

Control Gaps

• Over-reliance on code-signing certificates for trust validation
• Lack of application control/whitelisting for unapproved utility software

Key Behavioral Indicators

• Productivity apps creating scheduled tasks
• Productivity apps modifying registry Run keys
• Delayed network connections from utility software weeks after installation
• Obfuscated resource files (e.g., resources.neu) within application directories

False Positive Assessment

• Medium

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Search for and quarantine the identified SHA256 hashes and associated domains within your environment.
• Review endpoints for unexpected scheduled tasks or registry Run keys created by utility applications.
• Consider revoking active tokens and resetting credentials for users identified as compromised by these applications.

Infrastructure Hardening

• Consider implementing application control or whitelisting to prevent the execution of unapproved productivity software.
• Evaluate restricting the ability of standard users to install unapproved software or browser extensions.

User Protection

• If your EDR supports it, ensure behavioral threat protection is enabled to catch post-exploitation activities like credential theft.
• Consider enforcing enterprise browsers to protect saved credentials from browser hijackers and stealers.

Security Awareness

• Educate users on the risks of downloading free utility software from search engine advertisements.
• Train employees to verify the source of productivity applications and use only IT-approved tools.

MITRE ATT&CK Mapping

• T1189 - Drive-by Compromise
• T1588.003 - Obtain Capabilities: Code Signing Certificates
• T1553.002 - Subvert Trust Controls: Code Signing
• T1053.005 - Scheduled Task/Job: Scheduled Task
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion
• T1027 - Obfuscated Files or Information
• T1105 - Ingress Tool Transfer

Additional IOCs

• Domains:
  • crystalpdf[.]com - Domain associated with the malicious CrystalPDF application