- At least five Google Ads campaigns were run to promote the trojanized software
- Several different PDF editors were trojanized to deliver infostealers
- Researchers warn that the infostealer lies dormant for weeks before activating
Be careful when downloading a program called “AppSuite PDF Editor”: poisoned variants are circulating on the web.
At the end of June, security researchers at Truesec observed several websites appear, all impersonating the program. At the same time, at least five different Google Ads campaigns were set up to promote those websites.
Consequently, anyone searching for “AppSuite PDF Editor” could have landed on one of the many sites serving a trojanized version of the application. Those who downloaded it saw the usual installation process and licence agreement in the foreground, while in the background an infostealer and backdoor called TamperedChef was being deployed.
PDF editors dropping malware
What makes this malware particularly sinister is the deliberate delay with which it operates. It waits approximately 56 days before activating, most likely to give the threat actors enough time to distribute the infostealer to as many victims as possible before defenders spot it.
“The length of time from the start of the [ad] campaign until the 56-day malicious update, which is close to the 60-day duration of a typical Google ad campaign, suggests that the threat actor let the advertising campaign run its course, maximizing downloads, before activating the malware,” said Truesec.
In the meantime, it establishes persistence through Windows registry changes and by creating several scheduled tasks. Once activated, TamperedChef can collect browser credentials, session cookies and other sensitive data, mainly by terminating browser processes (which releases the locks on the browsers' credential databases) and using the Windows Data Protection API (DPAPI) to unprotect the secrets those databases hold.
It also performs system reconnaissance to detect antivirus and other security tools running on the victim's machine, and can operate as a backdoor to deploy additional malware.
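The behaviours described above (scheduled-task and Run-key persistence, browser process termination ahead of DPAPI credential theft, and security-product enumeration) are all visible in ordinary endpoint telemetry. The following hunting script is an added example written for this article, not code from Truesec or from the TamperedChef analysis; it runs over a handful of constructed Sysmon-style records (event ID 1 process creation, event ID 13 registry value set) and flags the combination a defender would want to triage. The field names follow Sysmon's event schema; the sample paths, task names and the assumption that the malicious component runs from a user-writable AppData directory are illustrative.

```python
"""Hunt for TamperedChef-style persistence and credential-theft behaviour in
Sysmon-style process-creation (event 1) and registry-set (event 13) records.
Added example for this article; the rules and sample data are constructed."""
import re
from dataclasses import dataclass

# Assumption: the trojanized editor drops its components under the user's
# AppData tree. Legitimate installers usually run from Program Files or temp.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# HKCU/HKU ...\Software\Microsoft\Windows\CurrentVersion\Run[Once]\<value>
RUN_KEYS = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)
# Browsers whose DPAPI-protected credential/cookie stores an infostealer targets.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


@dataclass
class Finding:
    rule: str
    event: dict


def _image_name(path: str) -> str:
    """Return the lower-cased executable name from a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Apply the hunting rules to one event and return any findings."""
    out = []
    if ev["EventID"] == 1:  # process creation
        img = _image_name(ev["Image"])
        cmd = ev.get("CommandLine", "").lower()
        parent = ev.get("ParentImage", "")
        # Persistence: schtasks /create launched by something living in AppData.
        if img == "schtasks.exe" and "/create" in cmd and USER_WRITABLE.search(parent):
            out.append(Finding("scheduled-task-from-appdata", ev))
        # Credential theft prelude: forcibly killing a browser is rare for
        # legitimate software, so it is flagged regardless of the parent.
        if img == "taskkill.exe" and any(b in cmd for b in BROWSERS):
            out.append(Finding("browser-kill", ev))
        # Reconnaissance: WMI SecurityCenter2 lists installed AV products.
        if "securitycenter2" in cmd and USER_WRITABLE.search(parent):
            out.append(Finding("av-enumeration", ev))
    elif ev["EventID"] == 13:  # registry value set
        # Persistence: a Run-key value whose data points into AppData.
        if RUN_KEYS.search(ev["TargetObject"]) and USER_WRITABLE.search(ev.get("Details", "")):
            out.append(Finding("run-key-to-appdata", ev))
    return out


def hunt(events) -> list:
    """Run check_event over an iterable of events, preserving order."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample telemetry (not real logs). Event 4 is a benign control:
# a vendor installer in Program Files creating a scheduled task.
MALICIOUS_DIR = r"C:\Users\alice\AppData\Roaming\PDF Editor"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 30 /tn PDFEditorUpdate "
                    r"/tr " + MALICIOUS_DIR + r"\pdfeditor.exe",
     "ParentImage": MALICIOUS_DIR + r"\pdfeditor.exe"},
    {"EventID": 13, "Image": MALICIOUS_DIR + r"\pdfeditor.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\PDFEditor",
     "Details": MALICIOUS_DIR + r"\pdfeditor.exe --silent"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM chrome.exe /IM msedge.exe",
     "ParentImage": MALICIOUS_DIR + r"\pdfeditor.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /sc daily /tn VendorUpdate /tr setup.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName",
     "ParentImage": MALICIOUS_DIR + r"\pdfeditor.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.event['Image']}")
```

On a real estate the same rules map directly onto a SIEM query (Sysmon events 1 and 13 are also what most EDR process and registry telemetry exposes), and the AppData assumption should be widened to whatever user-writable location the installer you are investigating actually uses.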
AppSuite is not the only PDF editor impersonated in this campaign. OneStart PDF and another PDF editor were also observed being abused in the same (or an adjacent) campaign.
Via The Hacker News