Attackers continue to abuse the trust users place in legitimate applications to deliver malware. A recently reported campaign weaponizes HWMonitor, CPUID's widely used hardware monitoring tool, to distribute the remote access trojan (RAT) known as STX RAT.
Deceptive Software Distribution
By packaging the malware alongside what looks like an ordinary HWMonitor release, the attackers sidestep the caution a user would apply to an unknown executable and get a foothold without raising alarms. The chain begins with an attacker-controlled download link that serves a ZIP archive posing as the official HWMonitor installer.
Extracting the archive places the genuine HWMonitor_x64.exe next to a malicious DLL named CRYPTBASE.dll, the name of a legitimate Windows library that normally lives in System32. Because the executable itself is clean and well known, user scrutiny and file-based scanning focus on the wrong file, which is what makes this method effective for initial access.
Detailed Analysis by Gurucul
Gurucul's analysts dissected the sample and traced its distribution to a Cloudflare R2-hosted URL. Their analysis describes a multi-stage process built to evade detection: the final STX RAT payload is decoded and executed entirely in memory, so little beyond the planted DLL ever touches disk and the forensic footprint on affected systems is small.
Central to this attack is DLL sideloading. The malicious CRYPTBASE.dll is deliberately placed in the application's directory because, by default, the Windows loader searches the directory of the process executable before %SystemRoot%\System32. When HWMonitor_x64.exe runs and the name CRYPTBASE.dll is resolved, whether by the executable itself or by a system library loaded later in the process, the attacker-controlled copy is found first and loaded instead of the genuine Windows library. The trick only works for names that are not on the KnownDLLs list, which the loader maps directly without consulting the search path.
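To make the search-order point concrete, the following is an added example, written for this article and not taken from Gurucul's analysis or from CPUID. It models the default Windows DLL search order over a constructed, in-memory picture of the extracted archive and System32 (the paths, the user name "alice" and the abbreviated KnownDLLs set are assumptions), shows why the planted CRYPTBASE.dll wins while a planted kernel32.dll would not, and lists the names in an application directory that would shadow a System32 DLL.

```python
from pathlib import PureWindowsPath

# Abbreviated KnownDLLs list, constructed for this example. The real set is read from
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs at boot; the loader
# maps those from the \KnownDlls object directory and never walks the search path for
# them. CRYPTBASE.dll is not on that list, which is why it can be sideloaded.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll", "combase.dll"}

SYSTEM32 = r"c:\windows\system32"


def search_order(app_dir, cwd):
    """Default (SafeDllSearchMode enabled) search order for a DLL that is not already
    loaded, is not a KnownDLL and is not redirected by a manifest or API set."""
    return [
        app_dir,               # 1. directory of the process executable
        SYSTEM32,              # 2. %SystemRoot%\System32
        r"c:\windows\system",  # 3. 16-bit system directory
        r"c:\windows",         # 4. %SystemRoot%
        cwd,                   # 5. current working directory
        # 6. each %PATH% entry would follow; omitted in this model
    ]


def _join(directory, name):
    return str(PureWindowsPath(directory) / name).lower()


def resolve_dll(name, app_dir, disk, cwd=r"c:\users\alice"):
    """Return the path the loader would pick for `name` in a process whose executable
    lives in `app_dir`. `disk` is the set of lowercase paths that exist."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return _join(SYSTEM32, name)
    for directory in search_order(app_dir.lower(), cwd.lower()):
        candidate = _join(directory, name)
        if candidate in disk:
            return candidate
    return None


def planted_dlls(app_dir, disk):
    """DLLs in app_dir that share a name with a System32 DLL and would win the search."""
    app_dir = app_dir.lower()
    hits = []
    for path in sorted(disk):
        p = PureWindowsPath(path)
        if str(p.parent) != app_dir or not p.name.endswith(".dll"):
            continue
        if _join(SYSTEM32, p.name) in disk and resolve_dll(p.name, app_dir, disk) == path:
            hits.append(p.name)
    return hits


# Constructed picture of the extracted archive and the relevant System32 files.
APP_DIR = r"C:\Users\alice\Downloads\HWMonitor"
DISK = {
    _join(APP_DIR, "HWMonitor_x64.exe"),
    _join(APP_DIR, "CRYPTBASE.dll"),   # the planted copy from the malicious ZIP
    _join(APP_DIR, "kernel32.dll"),    # also planted, but a KnownDLL, so never used
    _join(SYSTEM32, "cryptbase.dll"),
    _join(SYSTEM32, "kernel32.dll"),
}

if __name__ == "__main__":
    for dll in ("CRYPTBASE.dll", "kernel32.dll"):
        print(f"{dll:15} -> {resolve_dll(dll, APP_DIR, DISK)}")
    print("planted:", planted_dlls(APP_DIR, DISK))
```

The same `planted_dlls` logic, pointed at a real directory listing and the real System32, is a cheap hunt for sideloading layouts on disk: any DLL sitting beside an executable that shares its name with a System32 library deserves a second look.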
In-Depth Malware Capabilities
Once running, STX RAT lets the operator capture the screen, collect detailed system information, enumerate installed security products, and keep persistent remote control of the host. Campaign identifiers embedded in the sample suggest the operators track many infected systems as part of a single coordinated effort.
The malicious DLL runs its payload on a separate thread, so HWMonitor starts and behaves normally while the RAT works in the background. A user who launched the tool sees exactly what they expected and has no reason to suspect anything.
Defensive Strategies and Future Outlook
Security teams should watch for unusual DLL loading patterns, in particular a DLL whose name matches a Windows system library being loaded from an application or user-writable folder rather than System32 or SysWOW64; Sysmon Event ID 7 (Image loaded) records exactly this, including the signature status of the loaded module. Recommended controls are application-control rules that block unexpected DLL loads (for example, allowing only signed DLLs from known locations), memory-based detection for payloads that never touch disk, and monitoring of outbound HTTPS from processes that have no business making network connections, such as a hardware monitor.
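The detection logic described above, as an added example that is not part of the original article or of Gurucul's products: it runs a sideloading heuristic over Sysmon events serialised as JSON lines, flagging loads of watch-listed system DLL names from outside the Windows system directories and escalating when the module is unsigned or sits beside the host executable. The sample events, paths, user and vendor names are constructed for the example, and the watch-list is an assumed, abbreviated one.

```python
import json
from pathlib import PureWindowsPath

# Windows system DLLs commonly abused for sideloading. Constructed, abbreviated
# watch-list for this example; a production list is larger and tuned per fleet.
SIDELOAD_WATCHLIST = {
    "cryptbase.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "userenv.dll", "dwmapi.dll", "uxtheme.dll", "profapi.dll",
}

# Directories from which a DLL with one of those names is expected to load.
LEGIT_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def _norm(path):
    return path.replace("/", "\\").lower()


def _under(directory, roots):
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def triage_image_load(event):
    """Apply the sideloading heuristic to one Sysmon Event ID 7 (Image loaded) record.
    Returns a finding dict, or None when the load looks normal."""
    loaded = PureWindowsPath(_norm(event["ImageLoaded"]))
    if loaded.name not in SIDELOAD_WATCHLIST:
        return None
    load_dir = str(loaded.parent)
    if _under(load_dir, LEGIT_SYSTEM_DIRS):
        return None
    host = PureWindowsPath(_norm(event["Image"]))
    sig_ok = event.get("SignatureStatus", "").lower() == "valid"
    reasons = [f"{loaded.name} loaded from {load_dir} rather than a Windows system directory"]
    if str(host.parent) == load_dir:
        reasons.append("DLL sits beside the host executable (classic sideloading layout)")
    if not sig_ok:
        reasons.append(f"signature status: {event.get('SignatureStatus', 'missing')}")
    return {
        "severity": "high" if not sig_ok else "medium",
        "process": str(host),
        "dll": str(loaded),
        "reasons": reasons,
    }


def triage_events(lines):
    """Run the heuristic over Sysmon events serialised as JSON lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if str(event.get("EventID")) != "7":
            continue
        finding = triage_image_load(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry; the paths, users and vendor are made up for this example.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\HWMonitor\\HWMonitor_x64.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\HWMonitor\\CRYPTBASE.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\cryptbase.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Program Files\\ExampleVendor\\Tool\\tool.exe", "ImageLoaded": "C:\\Program Files\\ExampleVendor\\Tool\\version.dll", "Signed": "true", "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"}
{"EventID": 3, "Image": "C:\\Users\\alice\\Downloads\\HWMonitor\\HWMonitor_x64.exe", "DestinationPort": 443}
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['process']} -> {f['dll']}")
        for r in f["reasons"]:
            print("   -", r)
```

The signed load from a vendor directory is reported at medium severity rather than suppressed: some products do ship DLLs with system names, but a signed copy beside the executable is still the layout an attacker needs, and a stolen or look-alike certificate is not ruled out by a valid signature alone. Correlating a high finding with an Event ID 3 network connection from the same process, as the last sample line hints, is the natural next rule.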
Gurucul says its SIEM platform surfaces this kind of activity, including DLL sideloading and in-memory execution, to help analysts catch such intrusions early.
Whatever the tooling, the lesson of this campaign is that a trusted, unmodified executable is not evidence that the process it starts is benign. Defenders need telemetry on what that process loads and where it connects, not just on the file the user downloaded.
