Malware, Application security

Bogus PDF editing app leveraged to deploy TamperedChef infostealer


BleepingComputer reports that threat actors have used numerous domains to deliver the fraudulent AppSuite PDF Editor app, which contains the TamperedChef information-stealing malware, as part of a potentially far-reaching attack campaign that began in late June. Attackers have used Google Ads to promote the illicit domains that distribute the malware-laced app, which not only checks for installed security agents but also uses Windows' Data Protection Application Programming Interface (DPAPI) to query browsers' databases, according to findings from Truesec, which also noted the use of OneStart and Epibrowser apps in the campaign. "Truesec has observed at least 5 different Google campaign IDs which suggests a widespread campaign," said Truesec.

Another report, from managed detection and response company Expel, showed that OneStart was used to facilitate the retrieval of AppSuite-PDF and PDF Editor. "The initial downloads for OneStart, AppSuite-PDF, and PDF Editor are being distributed by a large ad campaign advertising PDFs and PDF editors. These ads direct users to one of many websites offering downloads of AppSuite-PDF, PDF Editor, and OneStart," Expel researchers said.
