A long-running malvertising campaign is infecting organizations worldwide by delivering a backdoor through trojanized PDF documents, Sophos researchers have warned.
The campaign, dubbed TamperedChef, has been active for some time, but now it has expanded across Europe, mainly targeting organizations in Germany, the UK, and France.
According to researchers, TamperedChef has affected a wide range of industries, with a particular focus on organizations that rely on specialized technical equipment, where employees are more likely to search online for instruction manuals or PDF editing tools.
The attack begins when users search for appliance manuals or related software via search engines. Attackers place malicious adverts at the top of search results using paid promotion, search engine optimization, or both. The adverts direct users to convincing fake websites that prompt them to download what appears to be a legitimate document, but in reality is malware.
The malware is designed to steal credentials and establish persistent backdoor access to corporate networks. Sophos noted that the campaign employs a “large, multi-layered distribution network” and advanced evasion techniques, including delayed malware activation, decoy software, staged payload delivery, abuse of code-signing certificates, and attempts to bypass endpoint protection.
Once executed, the initial infostealer harvests browser-stored data and communicates with a command-and-control (C&C) server. It then downloads an additional trojanized application called ‘ManualFinderApp.exe’, which functions as both an infostealer and a backdoor. To reduce the chance of detection, the start of malicious activity can be delayed for up to 56 days after the initial download.