CPUID Breach Spreads STX RAT with Trojanized CPU-Z and HWMonitor Downloads

Unknown threat actors compromised CPUID (“cpuid[.]com”), the website that hosts popular hardware monitoring tools such as CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, for less than 24 hours to distribute trojanized downloads and deploy a remote access trojan called STX RAT.
The incident lasted from approximately 15:00 UTC on April 9 to approximately 10:00 UTC on April 10, during which the CPU-Z download URLs and the HWMonitor installers were replaced with links to malicious websites.
In a post shared on X, CPUID confirmed the breach, attributing it to a vulnerability in a “secondary feature (basically a side API)” that caused the main site to randomly display malicious links. The attack did not affect the original signed files.
According to Kaspersky, the malicious websites were the following:
- cahailmukreatif.web[.]id
- pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
- transitopalermo[.]com
- vatrobran[.]mr
“The trojanized software was distributed both as ZIP archives and as standalone installers for the above-mentioned products,” the Russian cybersecurity firm said. “These files contain the official signed executable of the corresponding product and a malicious DLL named ‘CRYPTBASE.dll’ that is loaded through DLL sideloading.”
The malicious DLL, for its part, contacts an external server and retrieves additional payloads, but not before running anti-sandbox checks to evade detection. The ultimate goal of the campaign is to deploy STX RAT, a remote access trojan with hidden VNC (HVNC) and extensive information-stealing capabilities.
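The two stages described above (a download from one of the listed domains, then an archive that pairs the vendor's signed EXE with a CRYPTBASE.dll for sideloading) are what a SOC would want to check on the download path. The following is an added example written for this page, not code from Kaspersky, eSentire or CPUID. It assumes a name-based match on CRYPTBASE.dll (the only loader name the article gives), and the archives it inspects are constructed in-line from placeholder 'MZ' stubs rather than real binaries. The domain list is the one quoted from Kaspersky above.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Download hosts listed by Kaspersky, kept defanged as published in the article.
DISTRIBUTION_DOMAINS = [
    "cahailmukreatif.web[.]id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev",
    "transitopalermo[.]com",
    "vatrobran[.]mr",
]

# DLL file names the loader expects beside the signed executable. The article names
# only CRYPTBASE.dll; extend this set from your own intel (assumption: name-based match).
SIDELOAD_DLL_NAMES = {"cryptbase.dll"}


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into a resolvable, lower-cased host name."""
    return domain.replace("[.]", ".").lower()


IOC_HOSTS = {refang(d) for d in DISTRIBUTION_DOMAINS}


def host_matches_ioc(url: str) -> bool:
    """True if the URL's host is one of the listed domains or a subdomain of one."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", url.strip().lower())
    if not m:
        return False
    host = m.group(1)
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


def is_pe(data: bytes) -> bool:
    """Cheap check that a file starts with the DOS 'MZ' stub, i.e. is a PE image."""
    return data[:2] == b"MZ"


def sideload_candidates(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (exe, dll) pairs where a known sideload-target DLL sits next to an EXE.

    For a DLL that is not on the KnownDLLs list, the default Windows search order
    looks in the application directory before System32, so a CRYPTBASE.dll dropped
    beside the vendor EXE is the copy that gets loaded. Archive members are grouped
    by directory and every EXE is paired with a matching DLL in the same directory.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        by_dir = {}
        for name in members:
            by_dir.setdefault(str(PurePosixPath(name).parent), []).append(name)
        for entries in by_dir.values():
            exes = [n for n in entries if n.lower().endswith(".exe")]
            dlls = [n for n in entries
                    if PurePosixPath(n).name.lower() in SIDELOAD_DLL_NAMES
                    and is_pe(zf.read(n))]
            hits.extend((exe, dll) for exe in exes for dll in dlls)
    return sorted(hits)


def triage_download(url: str, zip_bytes: bytes) -> dict:
    """Combine both checks into the verdict a download-monitoring script would log."""
    pairs = sideload_candidates(zip_bytes)
    from_ioc_host = host_matches_ioc(url)
    return {
        "ioc_host": from_ioc_host,
        "sideload_pairs": pairs,
        "suspicious": from_ioc_host or bool(pairs),
    }


def _build_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins, not real binaries: an 'MZ' stub is enough for is_pe().
FAKE_PE = b"MZ" + b"\x00" * 62

TROJANIZED_ZIP = _build_zip({
    "HWMonitor/HWMonitor_x64.exe": FAKE_PE,  # stands in for the signed vendor binary
    "HWMonitor/CRYPTBASE.dll": FAKE_PE,      # the sideloaded loader
})
CLEAN_ZIP = _build_zip({"HWMonitor/HWMonitor_x64.exe": FAKE_PE})


if __name__ == "__main__":
    print(triage_download("https://transitopalermo.com/hwmonitor.zip", TROJANIZED_ZIP))
    print(triage_download("https://download.cpuid.com/hwmonitor.zip", CLEAN_ZIP))
```

Note that the archive check deliberately ignores the signed EXE: the sideloaded DLL is the only unsigned file in the bundle, so a signature check on the EXE alone would pass, which is exactly why this technique works against users who "verify the signature".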
STX RAT “exposes a wide range of remote control commands, executable payloads, and background exploits (e.g., EXE/DLL/PowerShell/shellcode memory extraction, back proxy/tunneling, desktop interactions),” eSentire said in a malware analysis published last week.
The command-and-control (C2) server address and connection settings were reused from an earlier campaign that used FileZilla installers hosted on fake sites to deploy the same RAT. That campaign was reported by Malwarebytes early last month.
Kaspersky said it has identified more than 150 victims, most of them individual users. Organizations in the marketing, manufacturing, consulting, telecommunications and agricultural sectors were also affected. Most of the infections were observed in Brazil, Russia and China.
“The biggest mistake the attackers made was to reuse the same infection chain involving the STX RAT, and the same domain names for C2 connections, from previous attacks related to fake FileZilla installers,” Kaspersky said. “The development/deployment of the malware and the operational security capabilities of the threat actor behind this attack are extremely low, making it possible to detect the watering hole attack as soon as it started.”