Unknown menace actors compromised CPUID (“cpuid[.]com”), an internet site that hosts in style {hardware} monitoring instruments like CPU-Z, HWMonitor, HWMonitor Professional, and PerfMonitor, for lower than 24 hours to serve malicious executables for the software program and deploy a distant entry trojan known as STX RAT.
The incident lasted from roughly April 9, 15:00 UTC, to about April 10, 10:00 UTC, with the obtain URLs for CPU-Z and HWMonitor installers changed with hyperlinks to malicious web sites.
In a put up shared on X, CPUID confirmed the breach, attributing it to a compromise of a “secondary function (mainly a aspect API)” that brought on the primary web site to randomly show malicious hyperlinks. It is value noting that the assault didn’t influence its signed unique recordsdata.
In accordance to Kaspersky, the names of the rogue web sites are as follows –
- cahayailmukreatif.internet[.]id
- pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev
- transitopalermo[.]com
- vatrobran[.]hr
“The trojanized software program was distributed each as ZIP archives and as standalone installers for the aforementioned merchandise,” the Russian cybersecurity firm mentioned. “These recordsdata include a respectable signed executable for the corresponding product and a malicious DLL, which is called ‘CRYPTBASE.dll’ to leverage the DLL side-loading method.”
The malicious DLL, for its half, contacts an exterior server and executes extra payloads, however not earlier than performing anti-sandbox checks to sidestep detection. The finish objective of the marketing campaign is to deploy STX RAT, a RAT with HVNC and broad infostealer capabilities.
STX RAT “exposes a broad command set for distant management, follow-on payload execution, and post-exploitation actions (e.g., in-memory execution of EXE/DLL/PowerShell/shellcode, reverse proxy/tunneling, desktop interplay),” eSentire mentioned in an evaluation of the malware final week.
The command-and-control (C2) server tackle and the connection configuration have been reused from a previous marketing campaign that leveraged trojanized FileZilla installers hosted on bogus websites to deploy the identical RAT malware. The exercise was documented by Malwarebytes early final month.
Kaspersky mentioned it has recognized greater than 150 victims, principally people who have been affected by the incident. Nonetheless, organizations in retail, manufacturing, consulting, telecommunications, and agriculture have additionally been impacted. Most of the infections are positioned in Brazil, Russia, and China.
“The gravest mistake attackers made was to reuse the identical an infection chain involving STX RAT, and the identical domains for C2 communication, from the earlier assault associated to faux FileZilla installers,” Kaspersky mentioned. “The general malware growth/deployment and operational safety capabilities of the menace actor behind this assault are fairly low, which, in flip, made it doable to detect the watering gap compromise as quickly because it began.”
