- At least five Google advertising campaigns were running, promoting fake software
- Several PDF editors abused to deliver infostealers
- Defenders warn about the TamperedChef infostealing malware
Be careful when downloading a program called “Appsuite PDF Editor”: poisoned variants are circulating on the web.
At the end of June, Truesec security researchers saw multiple websites published, all impersonating the program. At the same time, at least five different Google Ads campaigns were set up to promote those websites.
As a result, anyone searching for ‘Appsuite PDF Editor’ could have ended up on one of the many sites serving a trojanized version of the application. Those who downloaded it saw the usual installation process and user license agreement in the foreground, while in the background an infostealer and backdoor called TamperedChef was deployed.
PDF editors loaded with malware
What makes this malware particularly insidious is the deceptive delay with which it operates. It waits approximately 56 days before activating, most likely to give the threat actors enough time to distribute the infostealer to as many victims as possible before defenders notice it.
“The length from the beginning of the [ad] campaign until the malicious update was also 56 days, which is close to the 60-day duration of a typical Google advertising campaign, which suggests that the threat actor let the advertising campaign run its course, maximizing the downloads, before activating the malicious features,” said Truesec.
Meanwhile, it achieves persistence through Windows Registry modifications and by creating several scheduled tasks. Once activated, TamperedChef can collect browser credentials, session cookies and other sensitive data, mainly by terminating browser processes and abusing the Windows Data Protection API (DPAPI).
It also reconnoiters the system to identify which antivirus or anti-malware tools the victim is running, and can act as a backdoor to deploy additional malware.
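The behaviour described above (persistence via a scheduled task or Run key, a long dormancy, then browser processes being terminated and DPAPI being called from the same image) is what a defender can hunt for in endpoint telemetry. The following is an added detection sketch, not code from Truesec or the article; the event shape is a simplified, constructed Sysmon-like format and the sample events are invented, including the image name `pdfeditor.exe`.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real logs from the campaign). The 56-day gap
# between persistence setup and browser termination mirrors the delay reported above.
SAMPLE_EVENTS = [
    {"ts": "2025-06-26T10:02:11", "event": "ScheduledTaskCreated", "image": "pdfeditor.exe", "target": "PDFEditorUpdate"},
    {"ts": "2025-06-26T10:02:13", "event": "RegistryValueSet", "image": "pdfeditor.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PDFEditor"},
    {"ts": "2025-07-01T09:15:00", "event": "ProcessTerminate", "image": "explorer.exe", "target": "notepad.exe"},
    {"ts": "2025-08-21T14:40:07", "event": "ProcessTerminate", "image": "pdfeditor.exe", "target": "chrome.exe"},
    {"ts": "2025-08-21T14:40:08", "event": "ProcessTerminate", "image": "pdfeditor.exe", "target": "msedge.exe"},
    {"ts": "2025-08-21T14:40:09", "event": "DpapiUnprotect", "image": "pdfeditor.exe", "target": "Local State"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def find_suspects(events, min_dormancy_days=0):
    """Flag images that set up persistence and later kill browsers (DPAPI use noted).

    Returns one alert per image with the dormancy in days between the first
    persistence event and the first browser termination.
    """
    by_image = defaultdict(lambda: {"persist": [], "kills": [], "dpapi": False})
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        rec = by_image[e["image"]]
        is_run_key = e["event"] == "RegistryValueSet" and "\\CurrentVersion\\Run\\" in e["target"]
        if e["event"] == "ScheduledTaskCreated" or is_run_key:
            rec["persist"].append(ts)
        elif e["event"] == "ProcessTerminate" and e["target"].lower() in BROWSERS:
            rec["kills"].append(ts)
        elif e["event"] == "DpapiUnprotect":
            rec["dpapi"] = True

    alerts = []
    for image, rec in by_image.items():
        if rec["persist"] and rec["kills"]:
            dormancy = (min(rec["kills"]) - min(rec["persist"])).days
            if dormancy >= min_dormancy_days:
                alerts.append({"image": image, "dormant_days": dormancy,
                               "browsers_killed": len(rec["kills"]), "dpapi": rec["dpapi"]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspects(SAMPLE_EVENTS):
        print(alert)
```

In practice the same correlation would be expressed as a SIEM rule over Sysmon event IDs 1/5/13 and Security event 4698, keyed on the creating image rather than on a process name, since the installer's name changes per campaign.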
Appsuite is not the only PDF editor being impersonated in this campaign. PDF Uronart and another PDF editor have been observed being abused in the same (or an adjacent) campaign.
Via The Hacker News