Unknown threat actors compromised CPUID (“cpuid[.]com”), the website that hosts popular hardware monitoring tools such as CPU-Z, HWMonitor, HWMonitor Pro and PerfMonitor, for less than 24 hours in order to serve malicious executables in place of the software and deploy a remote access trojan called STX RAT.
The incident lasted from approximately April 9, 15:00 UTC, to April 10, 10:00 UTC, during which the download URLs of the CPU-Z and HWMonitor installers were replaced with links to malicious websites.
In a post shared on X, CPUID confirmed the breach, attributing it to the compromise of a “secondary feature (essentially a side API)” that was causing the main site to randomly display malicious links. It is worth noting that the attack had no impact on its signed core files.
According to Kaspersky, the names of the rogue websites are as follows –
- chahayilmukreatif.web[.]id
- pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
- transitopermo[.]com
- vatrobran[.]hr
“The trojanized software was distributed as both zip archives and standalone installers for the above products,” the Russian cybersecurity company said. “These files contain a legitimate signed executable for the related product and a malicious DLL, named ‘CRYPTBASE.dll’ to take advantage of a DLL side-loading technique.”
The malicious DLL, for its part, contacts an external server and executes additional payloads, but not before performing anti-sandbox checks to evade detection. The ultimate goal of the campaign is to deploy STX RAT, a RAT with HVNC and comprehensive infostealer capabilities.
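As an added triage example (not code from the report or from CPUID), the script below walks an extracted download and flags the layout the side-loading chain described above relies on: a DLL named like a Windows system library (CRYPTBASE.dll here) sitting in the same folder as an executable. The function names, the watched-DLL list and the sample directory tree are assumptions constructed for this example.

```python
"""Flag DLL side-loading layouts in an extracted archive (added example)."""
import hashlib
import os
import tempfile

# DLL names a legitimate program should load from the Windows system
# directory, not from its own folder. The report names CRYPTBASE.dll;
# extend this set as needed (assumed list, not from the report).
WATCHED_DLLS = {"cryptbase.dll"}


def find_sideload_candidates(root, watched=WATCHED_DLLS):
    """Return (exe_path, dll_path, dll_sha256) for every watched DLL that
    shares a directory with an .exe under `root` (names compared
    case-insensitively). The hash lets an analyst compare the file against
    the genuine copy in the system directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower() in watched)
        if not exes or not dlls:
            continue
        for dll in dlls:
            dll_path = os.path.join(dirpath, dll)
            with open(dll_path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            for exe in exes:
                hits.append((os.path.join(dirpath, exe), dll_path, digest))
    return hits


def build_sample_tree():
    """Constructed sample: one folder laid out like the trojanized package
    (an EXE plus CRYPTBASE.dll beside it) and one clean folder. The file
    contents are placeholder bytes, not real PE files."""
    root = tempfile.mkdtemp(prefix="cpuid_triage_")
    bad = os.path.join(root, "cpu-z_extracted")
    clean = os.path.join(root, "hwmonitor_extracted")
    os.makedirs(bad)
    os.makedirs(clean)
    for name in ("cpuz_x64.exe", "CRYPTBASE.dll"):
        with open(os.path.join(bad, name), "wb") as fh:
            fh.write(b"placeholder bytes, not a real PE\n")
    with open(os.path.join(clean, "HWMonitor_x64.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, not a real PE\n")
    return root


if __name__ == "__main__":
    for exe, dll, digest in find_sideload_candidates(build_sample_tree()):
        print(f"possible side-load: {dll} next to {exe} (sha256 {digest})")
```

A hit is only a layout indicator; confirm it by comparing the DLL's hash and signature with the copy in the Windows system directory.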
STX RAT “exposes an extensive command set for remote control, follow-on payload execution, and post-exploitation actions (e.g., in-memory execution of EXE/DLL/PowerShell/shellcode, reverse proxy/tunneling, desktop interaction),” eSentire said in an analysis of the malware last week.
Command-and-control (C2) server addresses and connection configurations have been reused from a prior campaign that leveraged trojanized FileZilla installers hosted on fake sites to deploy similar RAT malware. That activity was documented by Malwarebytes early last month.
Kaspersky said it has identified more than 150 victims of the incident, mostly individuals, although organizations in the retail, manufacturing, consulting, telecommunications and agriculture sectors have also been affected. Most of the infections are in Brazil, Russia and China.
“The most serious mistake made by the attackers was reusing the same infection chain associated with the STX RAT and the same domain name for C2 communications from a previous attack related to a fake FileZilla installer,” Kaspersky said. “The threat actor behind this attack has low overall malware development/deployment and operational security capabilities, making it possible to detect a watering hole compromise as soon as it begins.”