Unknown threat actors compromised CPUID (“cpuid[.]com”), a website that hosts popular hardware monitoring tools like CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, for less than 24 hours to serve malicious executables for the software and deploy a remote access trojan called STX RAT.
The incident lasted from approximately April 9, 15:00 UTC, to about April 10, 10:00 UTC, with the download URLs for CPU-Z and HWMonitor installers replaced with links to malicious websites.
In a post shared on X, CPUID confirmed the breach, attributing it to a compromise of a “secondary feature (basically a side API)” that caused the main site to randomly display malicious links. It’s worth noting that the attack did not impact its signed original files.
According to Kaspersky, the names of the rogue websites are as follows –
- cahayailmukreatif.web[.]id
- pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
- transitopalermo[.]com
- vatrobran[.]hr
“The trojanized software was distributed both as ZIP archives and as standalone installers for the aforementioned products,” the Russian cybersecurity company said. “These files contain a legitimate signed executable for the corresponding product and a malicious DLL, which is named ‘CRYPTBASE.dll’ to leverage the DLL side-loading technique.”
The malicious DLL, for its part, contacts an external server and executes additional payloads, but not before performing anti-sandbox checks to sidestep detection. The end goal of the campaign is to deploy STX RAT, a RAT with HVNC and broad infostealer capabilities.
STX RAT “exposes a broad command set for remote control, follow-on payload execution, and post-exploitation actions (e.g., in-memory execution of EXE/DLL/PowerShell/shellcode, reverse proxy/tunneling, desktop interaction),” eSentire said in an analysis of the malware last week.
The command-and-control (C2) server address and the connection configuration have been reused from a prior campaign that leveraged trojanized FileZilla installers hosted on bogus sites to deploy the same RAT malware. The activity was documented by Malwarebytes early last month.
Kaspersky said it has identified more than 150 victims, mostly individuals who were affected by the incident. However, organizations in retail, manufacturing, consulting, telecommunications, and agriculture have also been impacted. Most of the infections are located in Brazil, Russia, and China.
“The gravest mistake attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack related to fake FileZilla installers,” Kaspersky said. “The overall malware development/deployment and operational security capabilities of the threat actor behind this attack are quite low, which, in turn, made it possible to detect the watering hole compromise as soon as it started.”