
"The campaign is part of a larger operation with multiple apps that can download each other, some of them tricking users into enrolling their system into residential proxies. More than 50 domains have been identified to host deceiving apps signed with fraudulent certificates issued by at least four different companies. The campaign appears to be widespread and well-orchestrated as the operators waited for the ads to run their course before activating the malicious components in the applications, researchers say."
"Full update delivers infostealer

A technical analysis from cybersecurity services company Truesec describes the process of TamperedChef infostealer being delivered to a user's system. The researchers discovered that the malware was delivered through multiple websites that promoted a free tool called AppSuite PDF Editor. Based on internet records, the investigators determined that the campaign started on June 26, when many of the websites involved were either registered or started to advertise AppSuite PDF Editor."
The operation used Google Ads to promote a fake AppSuite PDF Editor hosted across more than 50 domains. The deceptive apps were signed with fraudulent code-signing certificates issued to at least four companies and could download additional malicious apps, some designed to enlist victim systems as residential proxies. The malicious payload, TamperedChef, was present in the installer from the start but remained inactive until an update on August 21, roughly eight weeks after the ads began on June 26, that enabled its data-stealing features. Once activated, the infostealer launches with a -fullupdate argument, checks for installed security products, and extracts browser-stored credentials and cookies, decrypting them with the Windows Data Protection API (DPAPI).
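The summary above describes three observable behaviours: a launch with the -fullupdate argument, a check for security products, and a non-browser process reading browser credential stores. The script below is an added detection example written for this page; it is not code from BleepingComputer, Truesec or the campaign itself. The log lines are constructed Sysmon-style JSON events, the image name pdfeditor.exe, the user name and the paths are assumptions, and a WMI SecurityCenter2 query is used only as a stand-in for the unspecified "checks for security products" step.

```python
"""Detection rules for the TamperedChef activation pattern (added example).

Assumptions (not from the source page): the editor's image name is
pdfeditor.exe, the victim user is "alice", and security-product
reconnaissance shows up as a WMI SecurityCenter2 query.
"""
import json
import re
from pathlib import PureWindowsPath

# Constructed sample log: one JSON event per line, Sysmon-style fields only
# (EventID 1 = process create, EventID 11 = file create/open).
SAMPLE_LOG = r"""
{"EventID":1,"Image":"C:\\Program Files\\AppSuite\\pdfeditor.exe","CommandLine":"\"C:\\Program Files\\AppSuite\\pdfeditor.exe\"","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"Image":"C:\\Program Files\\AppSuite\\pdfeditor.exe","CommandLine":"\"C:\\Program Files\\AppSuite\\pdfeditor.exe\" -fullupdate","ParentImage":"C:\\Windows\\System32\\svchost.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\wbem\\wmic.exe","CommandLine":"wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName","ParentImage":"C:\\Program Files\\AppSuite\\pdfeditor.exe"}
{"EventID":11,"Image":"C:\\Program Files\\AppSuite\\pdfeditor.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"EventID":11,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"EventID":11,"Image":"C:\\Program Files\\AppSuite\\pdfeditor.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
"""

# Activation switch reported for TamperedChef; single or double dash, and an
# "=" prefix is tolerated so "--cm=--fullupdate"-style nesting is also caught.
ACTIVATION_ARG = re.compile(r"(^|[\s=])-{1,2}fullupdate\b", re.IGNORECASE)

PDF_EDITOR_IMAGES = {"pdfeditor.exe"}  # assumed image name of the trojanised editor
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Chromium credential/cookie stores. "Login Data" and "Cookies" are SQLite
# databases; "Local State" holds the DPAPI-protected master key that an
# infostealer must unwrap before it can decrypt the other two.
CRED_STORE_FILES = {"login data", "cookies", "web data", "local state"}

# Assumed form of the security-product check (WMI SecurityCenter2 query).
SEC_PRODUCT_QUERY = re.compile(r"SecurityCenter2|AntiVirusProduct", re.IGNORECASE)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, image, detail) tuples for every suspicious event."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        image = _basename(ev.get("Image", ""))

        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            parent = _basename(ev.get("ParentImage", ""))
            # Rule 1: the editor itself relaunched with the activation switch.
            if image in PDF_EDITOR_IMAGES and ACTIVATION_ARG.search(cmd):
                alerts.append(("activation_argument", image, cmd))
            # Rule 2: a child of the editor enumerating security products.
            if parent in PDF_EDITOR_IMAGES and SEC_PRODUCT_QUERY.search(cmd):
                alerts.append(("security_product_recon", image, cmd))

        elif ev["EventID"] == 11:
            target = PureWindowsPath(ev.get("TargetFilename", ""))
            in_profile = "user data" in str(target).lower()
            # Rule 3: a non-browser process touching a Chromium credential store.
            if (target.name.lower() in CRED_STORE_FILES and in_profile
                    and image not in BROWSER_IMAGES):
                alerts.append(("credential_store_access", image, str(target)))
    return alerts


if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {image}: {detail}")
```

Rule 3 is the one worth keeping after the campaign-specific indicators age out: any process other than a browser opening Login Data, Cookies or Local State under a Chromium profile is a strong DPAPI-credential-theft signal regardless of which trojanised app is doing it.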
Read at BleepingComputer