Hackers hijacked CPUID downloads, served STX RAT to victims
If you tried to download software from CPUID’s website late last week, you might have downloaded malware instead.
“Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised),” Samuel Demeulemeester, a contributor to CPUID, stated on Friday, and apologized to affected users.
“The breach was found and has since been fixed,” he added.
A poisoned “watering hole”
CPUID (at cpuid[.]com) is a website that hosts free software utilities, primarily for Windows and Android.
Among its most popular utilities are HWMonitor, a hardware monitoring program that reads a PC’s main health sensors, and CPU-Z, a utility that collects detailed information about PCs’ processor, codename, process, package, and cache levels.
Alerts that something was wrong started popping up on Reddit on Friday, April 10, and one user noted that their antivirus flagged the downloaded HWiNFO_Monitor_Setup.exe as malicious.
Kaspersky researchers say that the CPUID website redirected to malicious downloads from April 9, 15:00 UTC to April 10, 10:00 UTC.
“The trojanized software was distributed both as ZIP archives and as standalone installers for aforementioned products. These files contain a legitimate signed executable for the corresponding product and a malicious DLL which is named CRYPTBASE.dll to leverage the DLL Sideloading technique,” they explained.
“The malicious DLL is responsible for C2 connection and further payload execution. Prior to this, it also performs a set of anti-sandbox checks and, if all the checks have passed, it connects to the C2 server.”
Malware researcher Giuseppe Massaro also flagged the CPU-Z, HWMonitor Pro, PerfMonitor, and PowerMAX downloads as trojanized/malicious.
“CPUID’s original signed binaries were NOT compromised — the attacker served their own trojanized packages via redirect,” Massaro found. “The compromised API caused download links to randomly redirect to malicious URLs (Cloudflare R2 buckets).”
The command and control domain (at supp0v3[.]com) from which the malware has been downloaded has been previously used in a malware campaign targeting FileZilla users with a lookalike domain and a trojanized download.
Massaro also discovered during his analysis that a subdomain (ai.supp0v3.com) exposed the backend server.
“The server uses a stolen or self-signed VK.com (VKontakte) wildcard certificate with Russian locality data (Saint Petersburg). This, combined with the bulletproof hosting choice (Global Connectivity Solutions — a provider frequently used for malicious hosting), strongly suggests a Russian-nexus threat actor,” he noted.
“The same IP was used for earlier .url shortcut exploits (CVE-2023-36025 SmartScreen bypass) targeting LibreOffice and Google Drive downloads, sharing VBS payloads via WebDAV (file://147.45.178.61@80/file/…). This connects the current DLL sideloading campaign to an earlier Windows shortcut exploit campaign by the same actor.”
What to do?
The malicious payload in this watering hole campaign is the STX RAT, a persistent remote access trojan with credential and data theft capabilities. According to eSentire, it’s after browser credentials/cookies, crypto-wallets, and FTP client credentials.
Kaspersky researchers pointed out that the attackers’ mistakes – reusing a previously flagged infection chain and domain names used in previous attacks – resulted in a speedy detection of this latest watering hole attack.
Nevertheless, based on their telemetry, they have identified more than 150 victims, most of them individuals.
“However, several organizations from various sectors, including retail, manufacturing, consulting, telecommunications and agriculture, were also affected with most infections in Brazil, Russia and China,” they added.
They advised organizations to check their systems for traces of the malicious archives and executable files related to this attack, and to examine DNS logs for the malicious websites from which the trojanized installers have been downloaded.
If evidence of compromise is discovered, organizations (and individuals) should clean affected systems and change all the credentials the malware might have compromised.
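The two hunt steps above (look for the trojanized files on disk, then check DNS and proxy logs for the attacker infrastructure) as an added example; this is not code from the article, Kaspersky or CPUID. It uses only the indicators the article names: a CRYPTBASE.dll sitting beside an application executable outside C:\Windows (the sideloading layout Kaspersky describes), the supp0v3.com domain and its subdomains, and the 147.45.178.61 WebDAV host. The file paths and log lines it scans are constructed samples in a BIND-like syslog format, not captured data, and the function names are this example's own.

```python
"""Hunt for traces of the CPUID watering-hole campaign (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the article. Hostname matching also covers
# subdomains such as ai.supp0v3.com.
C2_DOMAIN = "supp0v3.com"
C2_IP = "147.45.178.61"
SIDELOAD_DLL = "cryptbase.dll"

# Any dotted hostname or IPv4 literal in a log line, with word boundaries so
# that "notsupp0v3.com" or "x.supp0v3.com.example" do not slip through later.
HOST_RE = re.compile(r"(?<![\w.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![\w-])")


def find_sideload_candidates(file_paths):
    """Return CRYPTBASE.dll paths that sit next to an .exe outside C:\\Windows.

    A DLL carrying a system-library name but living beside an application
    executable is the DLL-sideloading layout used by the trojanized
    installers. Genuine copies under C:\\Windows are skipped; a lone
    cryptbase.dll with no executable beside it is not reported here.
    """
    by_dir = defaultdict(list)
    for raw in file_paths:
        p = PureWindowsPath(raw)
        by_dir[p.parent].append((p.name.lower(), raw))

    hits = []
    for directory, entries in by_dir.items():
        parts = directory.parts
        if len(parts) >= 2 and parts[1].lower() == "windows":
            continue  # C:\Windows\System32, SysWOW64, WinSxS, ...
        names = {name for name, _ in entries}
        if SIDELOAD_DLL in names and any(n.endswith(".exe") for n in names):
            hits.extend(raw for name, raw in entries if name == SIDELOAD_DLL)
    return sorted(hits)


def find_c2_lookups(log_lines):
    """Return (line_no, indicator, line) for log lines touching the C2.

    Format-agnostic: every dotted hostname or IPv4 literal on the line is
    compared against the indicators, so DNS query logs and proxy logs can
    be fed through the same function.
    """
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for token in HOST_RE.findall(line):
            t = token.lower()
            if t == C2_IP or t == C2_DOMAIN or t.endswith("." + C2_DOMAIN):
                hits.append((line_no, t, line.rstrip()))
                break  # one hit per line is enough
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_FILES = [
    r"C:\Windows\System32\cryptbase.dll",           # genuine copy: ignored
    r"C:\Users\alice\Downloads\HWiNFO_Monitor_Setup.exe",
    r"C:\Users\alice\Downloads\CRYPTBASE.dll",      # sideload layout: flagged
    r"C:\Users\alice\Downloads\notes.txt",
    r"C:\Users\bob\Desktop\setup.exe",              # exe without DLL: ignored
    r"C:\Temp\cryptbase.dll",                       # DLL without exe: ignored
]

SAMPLE_LOG = [
    "Apr  9 15:12:01 dns01 named[1234]: client 10.0.0.5#53211: query: www.cpuid.com IN A + (10.0.0.2)",
    "Apr  9 15:13:40 dns01 named[1234]: client 10.0.0.5#53212: query: ai.supp0v3.com IN A + (10.0.0.2)",
    "Apr  9 15:13:41 dns01 named[1234]: client 10.0.0.7#60001: query: notsupp0v3.com IN A + (10.0.0.2)",
    "Apr 10 09:02:17 proxy01 webdav-client: 10.0.0.9 opened file://147.45.178.61@80/file/",
]

if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_FILES):
        print("sideload candidate:", path)
    for line_no, indicator, line in find_c2_lookups(SAMPLE_LOG):
        print(f"line {line_no}: {indicator} -> {line}")
```

Run against a real host by feeding `find_sideload_candidates` the output of a recursive directory walk of user-writable locations (Downloads, Temp, Desktop) and `find_c2_lookups` the resolver or proxy log; the suffix check with a leading dot is what keeps lookalike names such as `notsupp0v3.com` from producing false positives while still catching subdomains.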