The CPUID website, highly regarded among PC hardware enthusiasts, recently experienced a security breach. This compromise resulted in the distribution of malicious software versions of popular tools like CPU-Z, HWMonitor, and PerfMonitor.
Compromised Software Details
CPU-Z, HWMonitor, and PerfMonitor are widely used to analyze PC hardware performance. CPU-Z provides comprehensive system information about a computer’s components, HWMonitor tracks real-time sensor data, and PerfMonitor assesses processor performance. These applications, with millions of downloads, are essential for both individual users and businesses.
According to CPUID’s maintainer, a secondary feature of their site was attacked, leading to the intermittent display of links to third-party domains that hosted infected versions of these tools. However, the original software files on CPUID’s site remained secure.
Scope of the Security Breach
Kaspersky, a renowned cybersecurity firm, conducted an analysis of the attack, identifying it as a supply chain and watering hole tactic. During the breach, the CPUID website inadvertently served harmful installers for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor.
The attack affected over 150 users, including individuals and companies across sectors like manufacturing and telecoms. Most infections were reported in Brazil, China, and Russia, although Kaspersky acknowledged limited visibility in North America and Europe.
Malware Distribution and Impact
The attackers used ZIP archives and standalone installers that bundled the legitimate software with a harmful file named cryptbase.dll, relying on DLL sideloading: the genuine executable, looking for that library in its own directory before the Windows system copy, loads the attacker's version instead. The primary objective was to deploy a new Windows malware known as STX RAT. This malware allows attackers to control compromised systems and steal sensitive data, including browser credentials and cryptocurrency wallets.
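The following is an added example, not code from the article or from CPUID, showing how a defender can triage a downloaded archive or install folder for this pattern: a system DLL such as cryptbase.dll placed beside an application executable. The sample directory layout it builds is constructed for the demonstration and contains stand-in bytes, not real CPUID files; the `known_good` reference hashes are assumed to come from a trusted System32 copy on a clean host.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DLL names the Windows loader will resolve from an application's own
# directory before the system copy, which makes them sideloading candidates.
# cryptbase.dll is the file named in the CPUID incident; extend the set as
# your environment requires.
DEFAULT_WATCHLIST = frozenset({"cryptbase.dll"})


def sha256_of(path):
    """Return the lowercase hex SHA-256 digest of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, watchlist=DEFAULT_WATCHLIST, known_good=None):
    """Walk an extracted archive or install directory and report watch-listed
    DLLs that sit next to an executable.

    known_good maps a lowercase DLL name to the SHA-256 of the trusted system
    copy (assumed to be computed from %SystemRoot%\\System32 on a clean host).
    A finding is 'mismatch' when the bundled file differs from that reference,
    'match' when identical, and 'unverified' when no reference was supplied.
    """
    known_good = {k.lower(): v.lower() for k, v in (known_good or {}).items()}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        if not any(name.endswith(".exe") for name in lower):
            continue  # no application here, so nothing to sideload into
        for dll in watchlist:
            key = dll.lower()
            if key not in lower:
                continue
            digest = sha256_of(Path(dirpath) / lower[key])
            ref = known_good.get(key)
            if ref is None:
                status = "unverified"
            elif digest == ref:
                status = "match"
            else:
                status = "mismatch"
            findings.append({
                "directory": str(Path(dirpath)),
                "dll": lower[key],
                "sha256": digest,
                "status": status,
                "executables": sorted(f for f in files if f.lower().endswith(".exe")),
            })
    return findings


def build_sample_tree(base):
    """Create a constructed sample layout (stand-in bytes, not real CPUID
    files): one folder mimicking a trojanized bundle, one mimicking a clean
    install."""
    base = Path(base)
    bad = base / "cpu-z_bundle"
    bad.mkdir(parents=True)
    (bad / "cpuz.exe").write_bytes(b"MZ constructed stand-in for the legitimate tool")
    (bad / "cryptbase.dll").write_bytes(b"MZ constructed stand-in for a planted DLL")
    clean = base / "hwmonitor_clean"
    clean.mkdir()
    (clean / "HWMonitor.exe").write_bytes(b"MZ constructed stand-in, no extra DLL")
    return base


def demo_findings():
    """Scan the constructed tree three ways: without a reference hash, with a
    deliberately wrong reference, and with a reference equal to the planted
    file. Returns the three finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        unverified = scan_tree(root)
        planted = sha256_of(root / "cpu-z_bundle" / "cryptbase.dll")
        mismatch = scan_tree(root, known_good={"cryptbase.dll": "0" * 64})
        match = scan_tree(root, known_good={"cryptbase.dll": planted})
        return unverified, mismatch, match


if __name__ == "__main__":
    for label, result in zip(("no reference", "wrong reference", "same file"), demo_findings()):
        for f in result:
            print(f"[{label}] {f['status']:10} {f['dll']} in {f['directory']} "
                  f"beside {', '.join(f['executables'])}")
```

Only the folder that pairs an executable with cryptbase.dll is reported; the clean HWMonitor folder produces nothing. In practice the reference hash would be taken from the System32 copy on a known-clean machine, so a bundled DLL that hashes differently is a strong signal that the archive should be quarantined rather than run.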
The incident reportedly began on April 10, with the breach lasting approximately six hours. However, Kaspersky’s findings suggest a longer compromise from April 9 to April 10. Breakglass Intelligence researchers linked this to a broader campaign involving trojanized FileZilla software, speculating the attack may have started on April 3, possibly orchestrated by a Russian-speaking threat actor.
This incident underscores the importance of cybersecurity vigilance and the need for organizations to protect themselves against supply chain attacks that can compromise widely used software.
