Unknown cybercriminals recently targeted CPUID’s website, cpuid[.]com, which is known for its popular hardware monitoring tools, including CPU-Z and HWMonitor. This breach, lasting less than a day, enabled the attackers to distribute malicious versions of the software that installed a remote access trojan (RAT) known as STX RAT.
Details of the Security Breach
The incident unfolded between April 9 at 15:00 UTC and April 10 at 10:00 UTC. During this period, download links for CPU-Z and HWMonitor were redirected to harmful websites. CPUID acknowledged the breach on X, attributing it to a compromised secondary API feature on their site. Fortunately, the original signed files remained unaffected during the attack.
Security firm Kaspersky identified several rogue websites involved in this breach, including cahayailmukreatif.web[.]id and pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev, among others. The attackers distributed compromised software as ZIP archives and standalone installers that included both legitimate executables and a malicious DLL named ‘CRYPTBASE.dll’. This DLL employed a side-loading technique to execute further malicious payloads.
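The bundling pattern described above, a system DLL name such as CRYPTBASE.dll placed beside a legitimate executable inside a download archive, is something a defender can screen for before anything is run. The following is an added example, not code from CPUID, Kaspersky or the article; it inspects a ZIP in memory and flags any watchlisted DLL that shares a directory with an executable. The sample archive and its file contents are constructed, and the watchlist holds only the DLL name reported here.

```python
import io
import zipfile
from pathlib import PurePosixPath

# DLLs that Windows normally loads from System32. A copy of one sitting next to
# an application executable inside a download is the side-loading pattern the
# article describes. CRYPTBASE.dll is the name reported in the CPUID incident;
# other names would be an analyst's own additions.
SYSTEM_DLL_WATCHLIST = {"cryptbase.dll"}


def find_sideload_candidates(zip_bytes, watchlist=SYSTEM_DLL_WATCHLIST):
    """Return (dll_path, [exe_paths]) for each watchlisted DLL that shares a
    directory with at least one .exe inside the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    exes_by_dir = {}
    for name in names:
        p = PurePosixPath(name)
        if p.suffix.lower() == ".exe":
            exes_by_dir.setdefault(str(p.parent), []).append(name)
    findings = []
    for name in names:
        p = PurePosixPath(name)
        if p.name.lower() in watchlist:
            exes = exes_by_dir.get(str(p.parent), [])
            if exes:  # only a co-located DLL can be picked up by the loader
                findings.append((name, sorted(exes)))
    return findings


def build_sample_archive(include_rogue_dll=True):
    """Constructed sample bundle: a placeholder executable, optionally with the
    rogue DLL beside it. File contents are dummy bytes, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HWMonitor/HWMonitor.exe", b"MZ placeholder (constructed)")
        zf.writestr("HWMonitor/readme.txt", b"constructed sample")
        if include_rogue_dll:
            zf.writestr("HWMonitor/CRYPTBASE.dll", b"MZ placeholder (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    for dll, exes in find_sideload_candidates(build_sample_archive()):
        print(f"possible side-loading: {dll} next to {', '.join(exes)}")
```

A hit is a reason to compare the download against the vendor's signed release rather than proof of compromise on its own.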
STX RAT Capabilities and Distribution
The malicious DLL initiated contact with an external server to deploy additional payloads, conducting anti-sandbox checks to avoid detection. The primary objective was to install STX RAT, which is equipped with extensive capabilities such as hidden virtual network computing (HVNC) and data-stealing features.
An analysis by eSentire revealed that STX RAT offers a wide range of commands for remote control, execution of subsequent payloads, and other post-exploitation tasks. These include in-memory execution of various file types and desktop interaction. The threat actors recycled a command-and-control (C2) server configuration from a previous campaign that involved fake FileZilla installers, which was documented by Malwarebytes last month.
Impact and Detection
Kaspersky’s investigation identified over 150 victims, predominantly individual users. However, organizations in sectors such as retail, manufacturing, and telecommunications were also affected, with most incidents reported in Brazil, Russia, and China.
Experts noted that the attackers’ major error was reusing the same infection chain and C2 domains from previous attacks; this lapse in operational security allowed cybersecurity teams to recognize the breach and mitigate the attack promptly.
The CPUID breach underscores the ongoing challenges in the cybersecurity landscape, highlighting the need for continuous vigilance and improved security measures to protect against such threats.
