Unit 42 Tracks TamperedChef Malware Clusters Using Certificate and Code Reuse Analysis

TamperedChef Malware: Trojanized Apps Masquerade as Productivity Tools to Deploy Stealthy Payloads

HIGH
May 20, 2026
21m read
Malware, Threat Actor, Threat Intelligence

Related Entities

Other

TamperedChef, EvilAI, AppSuite PDF, Calendaromatic, JustAskJacky, CrystalPDF

Executive Summary

Researchers at Unit 42 have detailed ongoing campaigns involving TamperedChef-style malware, a sophisticated threat that disguises itself as legitimate productivity software. Distributed primarily through malvertising, these trojanized applications evade detection by remaining dormant for weeks or months. Once active, they function as a downloader for more dangerous payloads, such as information stealers and remote access trojans (RATs). The malware employs tactics traditionally seen in Potentially Unwanted Programs (PUPs), including deceptive EULAs, but its capabilities for stealth, persistence, and remote command execution place it firmly in the malware category. Unit 42 has tracked over 4,000 samples across three distinct activity clusters, highlighting a significant and evolving threat that leverages social engineering and technical evasion to compromise victims.


Threat Overview

TamperedChef (also known as EvilAI) represents a style of attack rather than a single threat group. The core of the campaign involves creating trojanized versions of common productivity tools like PDF editors, calendar apps, and file converters. These malicious applications are promoted through aggressive malvertising campaigns that redirect users to professionally designed websites hosting the downloads.

The malware is engineered for stealth and longevity. Unlike typical adware that is immediately noisy, TamperedChef applications often provide the advertised functionality and remain dormant for an extended period. This long incubation period allows the software to bypass initial security checks and lulls the victim into a false sense of security. After this dormant phase, the malware initiates contact with a command and control (C2) server to receive instructions and download additional malicious payloads. This capability transforms the seemingly harmless application into a dangerous backdoor for attackers, enabling them to steal credentials, deploy ransomware, or use the victim's machine as a proxy.

Unit 42 has identified three major clusters of this activity, tracked as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110. The operators use deceptive EULAs and legitimate-looking websites, such as crystalpdf.com, to add a veneer of legitimacy and legally protect their questionable activities. However, the ability to remotely execute commands and deploy malware without user consent firmly categorizes TamperedChef as a malicious threat, not just an aggressive PUP.

Technical Analysis

The operators behind TamperedChef employ a combination of social engineering and technical evasion to succeed.

Initial Access and Distribution:

  1. Malvertising (T1566.001 - Phishing: Spearphishing Link): The primary infection vector is malicious advertising that pushes users toward attacker-controlled websites.
  2. User Execution (T1204.002 - User Execution: Malicious File): The user is tricked into downloading and running the trojanized productivity application, believing it to be legitimate software.

Defense Evasion and Persistence:

  • Long Dormancy Period: The malware delays execution of its malicious components for weeks or months to evade sandbox analysis and behavioral detection systems.
  • Sandbox Evasion (T1497 - Virtualization/Sandbox Evasion): The application checks for signs of a virtualized or analysis environment before activating.
  • Code Signing: Attackers use unique code signing certificates to make the software appear legitimate and bypass basic security warnings. Over 81 unique code signing organizations were identified.
  • Deceptive EULAs: The use of lengthy and confusing End-User License Agreements attempts to provide legal cover for the software's invasive actions.
  • Persistence (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder): The malware establishes persistence through common autostart mechanisms to ensure it runs after a reboot.

Command and Control & Payload Delivery:

  • C2 Communication (T1071.001 - Application Layer Protocol: Web Protocols): Once active, the malware communicates with a C2 server over standard web protocols (HTTP/HTTPS) to blend in with normal network traffic.
  • Ingress Tool Transfer (T1105 - Ingress Tool Transfer): The primary function after activation is to download and execute secondary payloads. These can include:
    • Information Stealers
    • Remote Access Trojans (RATs)
    • Proxy Tools (turning the victim into a residential proxy)
    • Adware

This behavior indicates that the operators may be diversifying their revenue streams, acting as initial access brokers for other threat actors.

Impact Assessment

The impact of a TamperedChef infection can be severe. Initially, the impact may seem low, resembling that of adware. However, the true danger lies in the payload delivery capability. A successful infection can lead to:

  • Data Theft: Deployment of information stealers can result in the exfiltration of sensitive personal and financial data, browser credentials, and other confidential information.
  • Complete System Compromise: The installation of a RAT gives an attacker full remote control over the victim's machine, enabling further lateral movement, surveillance, or deployment of ransomware.
  • Financial Loss: Stolen credentials can be used for financial fraud. The victim's machine may also be used for malicious activities like click fraud or as part of a botnet, potentially incurring costs for the user.
  • Initial Access Brokerage: The infected machine can be sold as a foothold into a personal or corporate network, leading to much larger and more damaging security incidents.

Because the malware remains dormant for so long, it is extremely difficult for victims and security teams to trace the initial source of the compromise, complicating incident response and remediation efforts.

IOCs — Directly from Articles

No specific file hashes or IP addresses were provided in the source article. The following domain was mentioned as an example of a distribution site:

  • Domain: crystalpdf.com. A website distributing TamperedChef-style software with a deceptive EULA.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns that could indicate TamperedChef-style activity:

  • Process Name: pdf-editor-*.exe, zip-converter-*.exe. Look for generic or unusual productivity tool names, especially if installed outside of standard software management processes.
  • Network Traffic: Outbound connections from recently installed productivity apps to non-vendor domains. Monitor for applications that are quiet for weeks and then suddenly initiate network traffic.
  • File Path: %APPDATA%\<random_name>\. Check for executables running from user profile directories created by seemingly legitimate installers.
  • Code Signing: Unrecognized or newly trusted signing certificates. Scrutinize certificates associated with free productivity tools, especially those from unknown publishers.

Detection & Response

Detecting TamperedChef requires a multi-layered approach that goes beyond traditional antivirus signatures.

  • Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor for suspicious process chains, such as a PDF reader spawning a PowerShell process or making outbound network connections. Look for signs of persistence in registry run keys or startup folders.
  • Network Traffic Analysis (D3-NTA): Monitor egress network traffic for connections from unusual applications. Baseline normal traffic and alert on deviations, especially connections to newly observed domains or those with a poor reputation. Use SSL/TLS inspection to gain visibility into encrypted C2 channels.
  • File Analysis (D3-FA): Submit suspicious software installers to sandboxing environments for dynamic analysis. Be aware that the malware may employ sandbox evasion, so results should be carefully reviewed.
  • User Training: Educate users on the dangers of downloading software from unvetted sources and the risks associated with malvertising. Encourage them to use official app stores or vendor websites.
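The hunting hints above and the process-chain check in the EDR bullet can be expressed as a small hunt over normalised endpoint telemetry. The script below is an added example, not code from the Unit 42 report or this summary: the event schema, the 30-day dormancy threshold, the productivity-tool name tokens and the sample rows are all constructed assumptions.

```python
import re
from datetime import datetime

DORMANCY_DAYS = 30   # assumed threshold; the report only says "weeks or months"
TOOL_NAME = re.compile(r"pdf|editor|converter|calendar|zip", re.I)   # assumed tokens
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)     # matches %APPDATA%\<random_name>\
SHELLS = ("powershell.exe", "cmd.exe")

# Constructed sample telemetry (not from the report), normalised EDR/Sysmon style.
EVENTS = [
    {"ts": "2025-06-03T09:12:00", "type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\xk2q9\pdf-editor-3.1.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-06-03T09:12:05", "type": "process_create",
     "image": r"C:\Program Files\Vendor\calendar.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-06-04T10:00:00", "type": "network_connect",
     "image": r"C:\Program Files\Vendor\calendar.exe", "dest": "api.vendor.example"},
    {"ts": "2025-08-29T14:31:00", "type": "network_connect",
     "image": r"C:\Users\alice\AppData\Roaming\xk2q9\pdf-editor-3.1.exe", "dest": "cdn.example"},
    {"ts": "2025-08-29T14:31:07", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\xk2q9\pdf-editor-3.1.exe"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events, dormancy_days=DORMANCY_DAYS):
    """Apply the hunting hints to a list of events; returns findings in time order."""
    first_seen, first_egress, findings = {}, {}, []
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        img, name = e["image"], _basename(e["image"])
        if e["type"] == "process_create":
            # Hint 1: generic productivity-tool name running from a user profile directory
            if img not in first_seen:
                first_seen[img] = datetime.fromisoformat(e["ts"])
                if TOOL_NAME.search(name) and USER_PROFILE.search(img):
                    findings.append({"rule": "tool_in_user_profile", "image": img, "ts": e["ts"]})
            # EDR hint: a "PDF editor" style parent spawning a shell
            if name in SHELLS and TOOL_NAME.search(_basename(e.get("parent", ""))):
                findings.append({"rule": "tool_spawns_shell", "image": e["parent"], "ts": e["ts"]})
        elif e["type"] == "network_connect" and img not in first_egress:
            # Hint 2: first outbound connection long after the binary first ran
            first_egress[img] = datetime.fromisoformat(e["ts"])
            born = first_seen.get(img)
            if born and (first_egress[img] - born).days >= dormancy_days:
                findings.append({"rule": "long_dormant_egress", "image": img, "ts": e["ts"],
                                 "dest": e["dest"], "dormant_days": (first_egress[img] - born).days})
    return findings
```

The vendor calendar app in the sample data is deliberately not flagged: it lives under Program Files and talks to the network the day after install, so only the binary that sat quiet for 87 days before beaconing and spawning PowerShell produces findings.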

Mitigation

Mitigating the risk of TamperedChef requires a combination of technical controls and user awareness.

  • Application Whitelisting (D3-EAL): Implement application control policies to restrict the execution of unauthorized software. This is one of the most effective controls against this type of threat.
  • Restrict User Permissions: Ensure users operate with standard (non-administrative) privileges to limit the malware's ability to establish persistence and modify the system.
  • Network Segmentation (D3-NI): Segment networks to prevent lateral movement if a machine becomes compromised. Restrict outbound traffic from workstations to only what is necessary for business operations.
  • Ad Blockers and Web Filtering: Deploy ad-blocking technology and web filters to reduce the risk of users encountering malvertising in the first place.
  • Software Updates (D3-SU): While not a direct defense against this social engineering tactic, keeping all software and operating systems patched reduces the overall attack surface available to secondary payloads.

Timeline of Events

  1. January 1, 2023: First TamperedChef-style malware campaigns were identified.
  2. January 1, 2024: Unit 42 observed a sharp increase in information stealer incidents originating from similar software.
  3. February 1, 2025: Earliest evidence suggests some TamperedChef applications have been in the wild since this time.
  4. June 1, 2025: Widespread installation of TamperedChef-style applications begins.
  5. May 20, 2026: This article was published.

MITRE ATT&CK Mitigations

Use application control technologies, such as application whitelisting, to prevent the execution of unauthorized and trojanized software.

Train users to identify and report phishing and malvertising attempts, and to only download software from trusted, official sources.

Implement egress filtering to block outbound connections to known malicious or untrusted domains, preventing C2 communication and payload download.

Use endpoint protection solutions to scan downloads and detect known malicious files and behaviors associated with TamperedChef.

Run untrusted applications, such as those downloaded from the internet, in a sandboxed environment to limit their access to the host system.

Audit (M1047, Enterprise): Enable and monitor process creation logs and network connection logs to hunt for suspicious activity patterns, such as long-dormant apps making network connections.

D3FEND Defensive Countermeasures

To counter threats like TamperedChef, which rely on users executing a trojanized application, implementing executable allowlisting is a highly effective control. This technique, also known as application control, ensures that only approved and vetted applications can run on an endpoint. For TamperedChef, this would prevent the initial execution of the malicious PDF editor or file converter downloaded from a malvertising link. Security teams should start by creating an inventory of all legitimate software required for business operations. This baseline can then be used to create a 'deny-by-default' policy on user workstations. While initial deployment can be resource-intensive, the security benefits are substantial. Modern EDR solutions and operating systems like Windows offer built-in application control features (e.g., AppLocker, Windows Defender Application Control) that can be deployed in an audit-only mode first to identify necessary applications without disrupting workflow, before moving to full enforcement.

Given TamperedChef's reliance on C2 communication to download secondary payloads, Network Traffic Analysis (NTA) is critical for detection. The malware's long dormancy period provides a unique opportunity for detection: a process that has been inactive for months suddenly making outbound connections is a strong anomaly. Security teams should use tools that can baseline normal network behavior for endpoints and alert on deviations. Specifically, monitor for processes associated with productivity tools making connections to newly observed domains, non-standard ports, or IP addresses with poor reputations. Implementing SSL/TLS inspection (where appropriate) is crucial, as C2 traffic is almost always encrypted. An NTA solution can help identify the heartbeat C2 traffic or the larger data transfers associated with payload downloads, providing an opportunity to isolate the infected host before a more damaging payload like a RAT or infostealer is successfully deployed.

Dynamic analysis in an automated sandbox is essential for vetting suspicious files like the installers used by TamperedChef. Since the malware is known to employ time-based evasion (long dormancy), the sandbox environment must be configured to accommodate this. This may involve 'time-warping' capabilities that accelerate the system clock within the sandbox to trigger time-based logic. The analysis should focus on monitoring for key behaviors: creation of persistence mechanisms (e.g., registry run keys), attempts to enumerate sandbox artifacts, and any outbound network connections. Even if the full payload isn't delivered due to sandbox detection, the initial C2 beaconing attempt can provide valuable IOCs (domains, IPs) that can be fed into other security tools like firewalls and web filters. This allows security teams to proactively block the threat even if the malware successfully evades full detonation within the sandbox.

Sources & References

Tracking TamperedChef Clusters via Certificate and Code Reuse
Unit 42 (unit42.paloaltonetworks.com) May 19, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

TamperedChef, Malvertising, Adware, Trojan, RAT, Infostealer, Code Signing, Persistence, Threat Research
