
Hackers Hijack CPUID Downloads to Distribute STX RAT

Originally published on: April 14, 2026
Summary

– CPUID’s website was compromised for about six hours in early April, causing it to randomly redirect users to malicious download links instead of legitimate software.
– The attackers distributed trojanized installers containing legitimate CPUID software bundled with a malicious DLL file that could deploy a remote access trojan.
– Evidence, including a Russian-locality certificate and a reused malicious domain, strongly suggests the attack was carried out by a Russian-nexus threat actor.
– Security researchers identified over 150 victims, primarily individuals but also organizations across multiple sectors and countries.
– Affected users and organizations are advised to check systems for the malicious files, clean infections, and change any potentially compromised credentials.

A recent security incident saw the official website of a popular software provider compromised, redirecting users to malicious downloads for several hours. The breach, which affected CPUID’s platform, temporarily turned a trusted source for system utilities into a watering hole attack vector. Company contributor Samuel Demeulemeester confirmed that a secondary API feature was compromised between April 9 and April 10, causing the main site to intermittently display harmful links before the issue was identified and resolved.

CPUID hosts widely used diagnostic tools such as HWMonitor and CPU-Z, making it a high-value target. Users first raised alarms on social platforms on April 10, with one noting that their antivirus software had flagged a downloaded installer as malicious. Security researchers confirmed that the redirects occurred during a specific window, from 15:00 UTC on April 9 to 10:00 UTC the following day. The attackers distributed trojanized software packages that contained both the legitimate signed executables and a malicious DLL file named CRYPTBASE.dll, relying on DLL sideloading (the legitimate executable loading a same-named DLL from its own directory instead of the Windows system copy) to execute their payload.

The malicious DLL established a command and control (C2) connection after performing anti-sandbox checks. Malware analyst Giuseppe Massaro identified that the attackers served their own compromised packages via redirects from Cloudflare R2 buckets, while CPUID’s original signed binaries remained untouched. The C2 domain used in this campaign had been previously associated with attacks targeting FileZilla users through a lookalike domain. Further investigation into a subdomain exposed the backend server, which utilized a certificate with Russian locality data and was hosted with a provider known for bulletproof hosting, suggesting a potential Russian-nexus threat actor.

This infrastructure was also linked to earlier campaigns exploiting Windows shortcut vulnerabilities, indicating the same group is behind both operations. The final payload delivered was the STX RAT, a remote access trojan designed to steal sensitive information including browser credentials, cryptocurrency wallet data, and FTP client details.

Despite the attackers’ operational security lapses, such as reusing previously flagged domains, telemetry indicates over 150 victims were infected, primarily individuals but also organizations across sectors like retail, manufacturing, and telecommunications, with notable infections in Brazil, Russia, and China. Security experts advise organizations to scan their systems for the malicious archives and executables, review DNS logs for connections to the identified malicious domains, and perform comprehensive credential resets if any evidence of compromise is found.
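As a starting point for the scan recommended above, here is an added hunting script (not from the original article or from CPUID) that walks a directory tree and reports every CRYPTBASE.dll found outside the Windows system directories, the placement that the sideloading technique described earlier depends on, together with the executables sitting next to it and its SHA-256 for comparison against published indicators. The sample tree it builds is constructed for the demonstration; the file names and the placeholder bytes are not real artifacts.

```python
import hashlib
import tempfile
from pathlib import Path

TARGET_NAME = "cryptbase.dll"
# Directories where CRYPTBASE.dll legitimately lives on Windows; WinSxS is
# included because component-store copies are normal and not a sideload.
LEGIT_PARENTS = ("windows/system32", "windows/syswow64", "windows/winsxs")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_expected_location(path: Path) -> bool:
    """True when the DLL sits under one of the Windows system directories."""
    p = path.as_posix().lower()
    return any(f"/{d}/" in p for d in LEGIT_PARENTS)


def hunt_sideload_candidates(root):
    """Report CRYPTBASE.dll copies outside the system directories; each hit
    lists the sibling .exe files that could load it by name from that folder."""
    findings = []
    for dll in Path(root).rglob("*"):
        if not dll.is_file() or dll.name.lower() != TARGET_NAME:
            continue
        if is_expected_location(dll):
            continue
        siblings = sorted(s.name for s in dll.parent.iterdir()
                          if s.is_file() and s.suffix.lower() == ".exe")
        findings.append({"path": str(dll), "sha256": sha256_of(dll),
                         "sibling_exes": siblings})
    return findings


def demo():
    """Constructed sample tree (placeholder bytes, not malware): one DLL beside
    an installer that should be flagged, one simulated System32 copy that should not."""
    root = Path(tempfile.mkdtemp())
    dropped = root / "Downloads" / "cpu-z"
    dropped.mkdir(parents=True)
    (dropped / "setup.exe").write_bytes(b"MZ placeholder installer")
    (dropped / "CRYPTBASE.dll").write_bytes(b"MZ placeholder dll")
    system32 = root / "Windows" / "System32"
    system32.mkdir(parents=True)
    (system32 / "cryptbase.dll").write_bytes(b"MZ placeholder system copy")
    return hunt_sideload_candidates(root)
```

Run it against user profile and download locations rather than the whole volume first; any hit with a signed CPUID executable beside it is worth hashing and comparing against the indicators from the original analysis.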

(Source: Help Net Security)
