Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

Acronis TRU tracked a global malvertising and SEO-driven campaign named “TamperedChef” that distributes digitally signed fake installers which persist via scheduled tasks and execute heavily obfuscated JavaScript backdoors with remote code execution and HTTPS-based C2. The operators use U.S.-registered shell companies to acquire and rotate code-signing certificates, short-lived domain registrations, and malvertising/SEO to hide infrastructure and quickly recover after takedowns. #TamperedChef #Obfuscator_io

Key points

  • TamperedChef distributes legitimate-looking fake installers via malvertising and SEO to lure users into installing applications that later fetch malicious payloads.
  • Operators use U.S.-registered shell companies to obtain EV/code-signing certificates, reissuing signatures rapidly after revocation to maintain trust.
  • Persistence is achieved solely through scheduled tasks created from a dropped task.xml file that runs an obfuscated JavaScript payload every 24 hours with randomized delay.
  • The delivered JavaScript backdoors are heavily obfuscated (using obfuscator.io), suppress debug output, fingerprint machines via registry queries, and support remote code execution and encrypted JSON C2 communication over HTTPS.
  • Pivots revealed many samples contacting domains like api[.]mxpanel[.]com and api[.]mixpnl[.]com and additional shell-company signers following the same pattern.
  • Possible impacts include initial access resale, credential and data theft (notably in healthcare), ransomware staging, or opportunistic espionage.
  • Defender recommendations include MDR with 24/7 monitoring, restricting installation rights, patching endpoints, and user training to avoid malvertising and fake download pages.
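The persistence pattern above (a scheduled task built from a dropped task.xml that launches a JavaScript payload every 24 hours with a random delay) is something defenders can hunt for directly in the Task Scheduler XML that Windows keeps on disk. The following script is an added example, not code from Acronis TRU or from the campaign; the two Task XML documents it parses are constructed for illustration, and the assumption that the payload is launched through a Windows script host (wscript.exe/cscript.exe) is the author's, not something the write-up states.

```python
"""Hunt Windows Task Scheduler XML for the TamperedChef-style persistence
pattern: a daily trigger with a random delay whose action runs a .js file.

Added example, not Acronis TRU's code. The task XML below is constructed;
the task names, paths and command lines are placeholders."""
import re
import xml.etree.ElementTree as ET

# Namespace of the Windows Task Scheduler XML schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: the JavaScript payload is launched through a Windows script host.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Matches a .js file reference but not .json, .jsx etc. (word boundary after "js").
JS_FILE = re.compile(r"\.js\b")


def analyse_task_xml(task_xml, task_name="<unnamed>"):
    """Return {'task': name, 'reasons': [...], 'suspicious': bool}.

    task_xml may be str or bytes. Pass bytes for files read straight from
    %SystemRoot%\\System32\\Tasks (they are UTF-16 with a BOM and an XML
    declaration, which ElementTree handles correctly from bytes)."""
    root = ET.fromstring(task_xml)
    trigger_hits, action_hits = [], []

    # Trigger side: "every 24 hours" is a CalendarTrigger with DaysInterval 1;
    # the randomized start is a RandomDelay element (ISO-8601 duration).
    for trig in root.findall(".//t:Triggers/t:CalendarTrigger", NS):
        interval = trig.findtext("t:ScheduleByDay/t:DaysInterval", default="", namespaces=NS)
        if interval.strip() == "1":
            trigger_hits.append("daily trigger (every 24 hours)")
        delay = trig.findtext("t:RandomDelay", default=None, namespaces=NS)
        if delay:
            trigger_hits.append(f"randomized delay {delay.strip()}")

    # Action side: an Exec action whose command is a script host or whose
    # command line references a .js file.
    for act in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (act.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (act.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        low = f"{cmd} {args}".lower()
        if any(host in low for host in SCRIPT_HOSTS) or JS_FILE.search(low):
            action_hits.append(f"action runs JavaScript: {cmd} {args}".strip())

    reasons = trigger_hits + action_hits
    # A daily trigger with random delay is common for benign updaters, so the
    # JavaScript action is required before the task is called suspicious.
    return {"task": task_name, "reasons": reasons,
            "suspicious": bool(action_hits) and bool(trigger_hits)}


# Constructed sample resembling the described pattern (not a real campaign artifact).
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T09:00:00</StartBoundary>
      <RandomDelay>PT1H</RandomDelay>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>"C:\\Users\\Public\\PlaceholderApp\\updater.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign daily updater task for comparison.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T09:00:00</StartBoundary>
      <RandomDelay>PT30M</RandomDelay>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
      <Arguments>--config settings.json</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    samples = (("PlaceholderApp Updater", SUSPECT_TASK_XML),
               ("Vendor Updater", BENIGN_TASK_XML))
    for name, xml in samples:
        result = analyse_task_xml(xml, name)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] {name}: " + "; ".join(result["reasons"]))
```

To run this over a live host, read each file under %SystemRoot%\System32\Tasks as bytes and pass it to analyse_task_xml; the daily-plus-random-delay trigger alone is deliberately not enough for a hit, because legitimate updaters use the same schedule, so the verdict hinges on the action launching JavaScript. Any hit should be followed up by checking the signer of the installer that created the task, since a valid signature from an unfamiliar company is part of the pattern described above rather than evidence of legitimacy.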

MITRE Techniques

  • [T1189] Drive-by Compromise – Operators used malicious advertisements to lure users into downloading the fake applications. Quote: ‘Operators used malicious advertisements to lure users into downloading the fake applications.’
  • [T1204.002] User Execution: Malicious File – The campaign relies on the user installing the fake application. Quote: ‘The campaign relies on the user installing the fake application.’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The fake application deploys a JavaScript payload as backdoor. Quote: ‘The fake application deploys a JavaScript payload as backdoor.’
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence is done by creating a scheduled task and a task.xml file for configuration. Quote: ‘Persistence is done by creating a scheduled task and a task.xml file for configuration.’
  • [T1036.001] Masquerading: Invalid Code Signature – The downloaded fake application utilizes a digital signature to increase the “legitimacy” of the application. Quote: ‘The downloaded fake application utilizes a digital signature to increase the “legitimacy” of the application.’
  • [T1027] Obfuscated Files or Information – The JavaScript payload is heavily obfuscated. Quote: ‘The JavaScript payload is heavily obfuscated.’
  • [T1012] Query Registry – The payload performs registry query to look for the victim’s machine ID. Quote: ‘The payload performs registry query to look for the victim’s machine ID.’
  • [T1071.001] Application Layer Protocol: Web Protocols – It uses HTTP/S to communicate with the C2 server. Quote: ‘It uses HTTP/S to communicate with the C2 server.’
  • [T1132.001] Data Encoding: Standard Encoding – The JSON payload is encoded with base63 encoding. Quote: ‘The JSON payload is encoded with base63 encoding.’

Indicators of Compromise

  • [File Hash] Signed fake installers – a16ecfcf5e6d7742f0e642309c3a0bf84eaf21962e663ce728f44c93ee70a28e (AllManualsReader_oc.exe), 05d9f4426ad77fcf73a357a4f5ca1d0cf9ceccf44117c1bc829afb79a2f8671b (MasterChess_oc.exe)
  • [File Hash] JavaScript payloads – 467876a203eb2c2b01b2d58f1e00271cb6bb75834af08a67e2c69fa0e4788ea5, 167359b715610003752cbc89b122a6df97e501304cb4a1ee94a6e75ebf51d6d6 (obfuscated backdoors)
  • [File Name] Task configuration files – Task.xml – examples: 80f90b9e563e1cfe981a9faf24c9430198bb15916a2dc5e75d14227a8fab9cb6, bdafb81fa5a41728d578b0682a6e7f9095250161558431184093acc3641573fa (and many other Task.xml hashes)
  • [Domain/URL] Download URLs (malicious landing/download) – hxxps://download[.]allmanualsreader[.]com/AllManualsReader_oc[.]exe, hxxps://download[.]manualreaderpro[.]com/d/manualreaderpro[.]exe (numerous similar download domains)
  • [Domain] Command-and-control servers – api[.]78kwijczjz0mcig0f0[.]com, api[.]zxg4jy1ssoynji24po[.]com (and many other api[.]*.com C2 domains)


Read more: https://www.acronis.com/en/tru/posts/cooking-up-trouble-how-tamperedchef-uses-signed-apps-to-deliver-stealthy-payloads/