
CPUID Website Compromised: Popular Hardware Tools Deliver Potent STX RAT Malware


In a stark reminder of the ever-present dangers lurking in the digital realm, CPUID, the trusted purveyor of essential hardware monitoring tools like CPU-Z and HWMonitor, recently fell victim to a sophisticated cyberattack. For a brief but critical period, unknown threat actors compromised the official cpuid.com website, weaponizing legitimate software downloads to distribute the formidable STX Remote Access Trojan (RAT).

The Breach: A Swift and Stealthy Strike

The incident, spanning less than 24 hours from approximately April 9, 15:00 UTC, to April 10, 10:00 UTC, saw the download links for CPU-Z and HWMonitor installers surreptitiously replaced with pathways to malicious websites. CPUID swiftly confirmed the breach via a post on X, clarifying that the compromise stemmed from a “secondary feature (basically a side API),” which led to the main site intermittently displaying these rogue links. Crucially, the integrity of CPUID’s signed original files remained uncompromised, meaning only downloads during the specific window were affected.

Rogue Domains Identified

Cybersecurity firm Kaspersky has identified several malicious domains leveraged in this attack:

  • cahayailmukreatif.web[.]id
  • pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
  • transitopalermo[.]com
  • vatrobran[.]hr

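The defanged domains above are published as indicators of compromise, so the first thing a defender wants is to match them against DNS and proxy telemetry. The following is an added example (not code from the article or from Kaspersky) that refangs the list, then scans a few constructed log lines in dnsmasq and squid-style formats; the log formats and the hosts in the sample lines are assumptions for illustration, and subdomains of an indicator are treated as hits while lookalike suffixes are not.

```python
import re

# Defanged indicators exactly as published in the article (Kaspersky's list).
DEFANGED_DOMAINS = [
    "cahayailmukreatif.web[.]id",
    "pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev",
    "transitopalermo[.]com",
    "vatrobran[.]hr",
]


def refang(indicator):
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return (
        indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
        .strip().lower()
    )


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(host):
    """Return the matching indicator if host equals it or is a subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample log lines (not real telemetry): dnsmasq query log entries and one
# squid-style access log entry. Line 5 is a lookalike suffix that must NOT match.
SAMPLE_LOGS = [
    "Apr  9 15:12:03 dnsmasq[812]: query[A] cahayailmukreatif.web.id from 10.0.0.21",
    "Apr  9 15:12:04 dnsmasq[812]: query[A] www.cpuid.com from 10.0.0.21",
    "1744211530.123    412 10.0.0.21 TCP_MISS/200 5120 GET "
    "https://pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev/HWMonitor.zip - HIER_DIRECT/203.0.113.9 application/zip",
    "Apr  9 15:13:00 dnsmasq[812]: query[A] cdn.transitopalermo.com from 10.0.0.33",
    "Apr  9 15:13:05 dnsmasq[812]: query[A] vatrobran.hr.example.net from 10.0.0.33",
]

# Host extraction patterns for the two assumed log formats.
LOG_HOST_PATTERNS = [
    re.compile(r"query\[A+\] (?P<host>\S+) from"),  # dnsmasq: query[A] / query[AAAA]
    re.compile(r"https?://(?P<host>[^/:\s]+)"),     # a URL inside a proxy log line
]


def extract_host(line):
    """Pull the queried or requested hostname out of a log line, or None if none is found."""
    for pattern in LOG_HOST_PATTERNS:
        m = pattern.search(line)
        if m:
            return m.group("host")
    return None


def scan_logs(lines):
    """Return (line_number, host, matched_indicator) for every line touching an IoC domain."""
    hits = []
    for number, line in enumerate(lines, 1):
        host = extract_host(line)
        if host is None:
            continue
        ioc = domain_matches(host)
        if ioc is not None:
            hits.append((number, host, ioc))
    return hits


if __name__ == "__main__":
    for number, host, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {host} matches indicator {ioc}")
```

Suffix matching is deliberate: a C2 host is often a subdomain of the published domain, while `vatrobran.hr.example.net` shares only a string prefix and is correctly ignored. Feed the same `domain_matches` check to whatever log source you have; only `LOG_HOST_PATTERNS` is format-specific.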
Anatomy of the Trojanized Downloads

The attackers employed a cunning strategy to infect users. The malicious software was distributed as both ZIP archives and as standalone installers. According to Kaspersky, these trojanized packages contained a legitimate, signed executable of the intended product (CPU-Z or HWMonitor) alongside a malicious DLL named ‘CRYPTBASE.dll’. This setup exploited the DLL side-loading technique: the legitimate program resolves a DLL of that name from its own directory before the Windows system directory, so the malicious copy runs inside a trusted, signed process, a common method for malware to execute stealthily.

Once loaded, the ‘CRYPTBASE.dll’ initiated contact with an external command-and-control server. Before fetching additional payloads, it performed anti-sandbox checks, a tactic designed to evade detection by security analysis environments. The ultimate objective of this elaborate chain was the deployment of the STX RAT.
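The side-loading pattern described here, a signed EXE with a system-DLL name such as CRYPTBASE.dll sitting beside it, is easy to triage before anything is executed. The following is an added example, not code from the article or from CPUID, that inspects a ZIP archive in memory and reports every EXE that has a known side-loadable DLL as a sibling; the sample archive is constructed with placeholder bytes, and the DLL names other than CRYPTBASE.dll are assumed well-known candidates added for illustration.

```python
import io
import zipfile
from posixpath import basename, dirname

# DLL names that an application loads from its own directory ahead of System32, which makes
# them usable for side-loading. CRYPTBASE.dll is the name reported in this incident; the others
# are well-known candidates added here as assumptions for illustration.
SIDELOAD_DLL_NAMES = {
    "cryptbase.dll", "version.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll",
}


def find_sideload_pairs(zip_bytes):
    """Return (exe_member, dll_member) pairs where a side-loadable DLL sits next to an EXE.

    Matching is case-insensitive and per archive directory, since the loader only
    searches the executable's own folder.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        exes_by_dir = {}
        for name in members:
            if basename(name).lower().endswith(".exe"):
                exes_by_dir.setdefault(dirname(name), []).append(name)
        for name in members:
            if basename(name).lower() in SIDELOAD_DLL_NAMES:
                for exe in exes_by_dir.get(dirname(name), []):
                    findings.append((exe, name))
    return findings


def triage_archive(zip_bytes):
    """Summarise the archive as a verdict string plus the suspicious pairs found."""
    pairs = find_sideload_pairs(zip_bytes)
    verdict = "suspicious: possible DLL side-loading" if pairs else "no side-loading pattern found"
    return verdict, pairs


def build_sample_zip(with_dll):
    """Construct a sample archive in memory (placeholder bytes, not a real CPUID package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HWMonitor/HWMonitor.exe", b"MZ placeholder, not a real binary")
        zf.writestr("HWMonitor/readme.txt", b"constructed sample")
        if with_dll:
            zf.writestr("HWMonitor/CRYPTBASE.dll", b"MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        verdict, pairs = triage_archive(build_sample_zip(flag))
        print(verdict, pairs)
```

A system DLL shipped inside an application archive is not proof of malice on its own, but it is exactly the signal worth escalating here: on a Windows host, a second check such as `Get-AuthenticodeSignature` on the extracted DLL will show whether it carries a Microsoft signature like the genuine `CRYPTBASE.dll` does.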

STX RAT: A Potent Infostealer and Remote Control Tool

STX RAT is a highly capable remote access trojan, boasting both HVNC (Hidden Virtual Network Computing) and extensive infostealer functionalities. As detailed by eSentire in a recent analysis, STX RAT offers a broad spectrum of commands for threat actors, including:

  • Remote control over infected systems.
  • Execution of follow-on payloads.
  • Advanced post-exploitation actions, such as in-memory execution of EXEs, DLLs, PowerShell scripts, and shellcode.
  • Reverse proxy/tunneling capabilities.
  • Direct desktop interaction.

A Familiar Foe, A Critical Error

Intriguingly, the command-and-control (C2) server addresses and connection configurations used in this CPUID breach were a direct reuse from a previous campaign. That earlier attack, documented by Malwarebytes, involved trojanized FileZilla installers hosted on fake websites, also deploying the STX RAT malware. This critical operational security blunder proved to be the attackers’ undoing.

Kaspersky noted, “The gravest mistake attackers made was to reuse the same infection chain involving STX RAT, and the same domain names for C2 communication, from the previous attack related to fake FileZilla installers.” This oversight, indicative of relatively low malware development and operational security capabilities, allowed the watering hole compromise to be detected swiftly.

Victims and Global Impact

Kaspersky has identified over 150 victims, predominantly individuals. However, the attack’s reach extended to organizations across various sectors, including retail, manufacturing, consulting, telecommunications, and agriculture. Geographically, the majority of infections were concentrated in Brazil, Russia, and China.

Staying Vigilant in a Compromised Landscape

This incident underscores the critical importance of verifying software downloads, even from seemingly reputable sources. Users are advised to exercise extreme caution, ensure their security software is up-to-date, and consider checksum verification for critical downloads when available. The digital landscape demands constant vigilance, as even trusted platforms can become unwitting conduits for sophisticated threats.
