
An unknown attacker compromised CPUID (cpuid[.]com), the website that hosts popular hardware monitoring tools such as CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor, and for roughly 24 hours used it to serve malicious executables posing as that software, which deployed a remote access Trojan called STX RAT.
The incident lasted from approximately 15:00 UTC on April 9 to approximately 10:00 UTC on April 10, during which the CPU-Z and HWMonitor installer download URLs were replaced with links to malicious websites.
In a post shared on X, CPUID acknowledged the breach and said it was caused by a compromise of a “secondary function (basically a side API)” that caused malicious links to appear randomly on the main site. Notably, the attack did not affect the original signed files.
According to Kaspersky, the fraudulent websites were:
cahayailmukreatif.web[.]id
pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]development
transitpalermo[.]com
batroburan[.]time
“The Trojanized software was distributed as a ZIP archive and as a standalone installer for the aforementioned products,” the Russian cybersecurity company said. “These files contain legitimate signed executables from the corresponding products and a malicious DLL named ‘CRYPTBASE.dll’ to utilize DLL sideloading techniques.”
The malicious DLL connects to an external server and executes an additional payload, but before doing so it performs anti-sandbox checks to evade detection. The ultimate goal of the campaign is to deploy STX RAT, a RAT with hidden VNC (HVNC) and extensive information-stealing capabilities.
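The sideloading layout described above (a legitimately signed vendor executable shipped next to a same-named system DLL) is something a defender can sweep for on endpoints and in download folders. The following is an added example, not code from the article, Kaspersky, or CPUID: it walks a directory tree and flags any CRYPTBASE.dll that sits beside an .exe outside the Windows system directories. The directory layout, file names, and file contents are constructed placeholders for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Directories where CRYPTBASE.dll legitimately resides (assumption: default
# Windows layout; compared case-insensitively, relative to the sweep root).
LEGIT_SYSTEM_DIRS = {"windows/system32", "windows/syswow64"}

# DLL file names to watch for. The article names only CRYPTBASE.dll; a defender
# would extend this set with other commonly sideloaded system DLL names.
WATCHED_DLLS = {"cryptbase.dll"}


def find_sideload_candidates(root):
    """Walk `root` and return (dll_path, [exe names]) for every watched DLL that
    sits in the same directory as an .exe, outside the Windows system folders.

    That pairing is the classic sideloading layout: the signed executable
    resolves the DLL from its own directory before the system copy.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix().lower()
        if any(rel == d or rel.startswith(d + "/") for d in LEGIT_SYSTEM_DIRS):
            continue  # the system copy is expected there
        by_lower = {name.lower(): name for name in filenames}
        exes = sorted(n for n in filenames if n.lower().endswith(".exe"))
        if not exes:
            continue
        for watched in WATCHED_DLLS:
            if watched in by_lower:
                hits.append((str(Path(dirpath) / by_lower[watched]), exes))
    return hits


def build_sample_tree(base):
    """Constructed fixture: a benign system copy of the DLL plus a directory laid
    out like the trojanized archive the article describes. File contents are
    placeholders, not real binaries."""
    layout = {
        "Windows/System32/cryptbase.dll": b"MZ placeholder (legitimate system copy)",
        "Windows/System32/notepad.exe": b"MZ placeholder",
        "Users/alice/Downloads/cpu-z/cpuz_x64.exe": b"MZ placeholder (signed vendor binary)",
        "Users/alice/Downloads/cpu-z/CRYPTBASE.dll": b"MZ placeholder (unexpected DLL)",
        "Users/alice/Downloads/report.pdf": b"%PDF placeholder",
    }
    for rel, content in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def demo():
    """Build the fixture in a temp dir, sweep it, and return root-relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return [(Path(dll).relative_to(base).as_posix(), exes)
                for dll, exes in find_sideload_candidates(base)]


if __name__ == "__main__":
    for dll, exes in demo():
        print(f"possible sideloading: {dll} next to {', '.join(exes)}")
```

The sweep only surfaces candidates; triage of a hit should verify the Authenticode signature of both files (for example with signtool or PowerShell's Get-AuthenticodeSignature) and compare the installer's hash against the one published by the vendor, since the article notes the signed vendor binaries themselves were untouched and only the DLL beside them was malicious.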
The STX RAT “exposes an extensive set of commands for remote control, subsequent payload execution, and post-exploitation actions (EXE/DLL/PowerShell/shellcode in-memory execution, reverse proxy/tunneling, desktop interaction, etc.),” eSentire said in an analysis of the malware last week.
Command-and-control (C2) server addresses and connection configurations were reused from earlier campaigns that leveraged Trojanized FileZilla installers hosted on fake sites to deploy the same RAT. That activity was documented by Malwarebytes early last month.
Kaspersky said it has identified more than 150 victims, most of whom are individuals affected by this incident. However, organizations in retail, manufacturing, consulting, telecommunications, and agriculture have also been affected. Most of the infections have occurred in Brazil, Russia, and China.
“The most significant mistake made by the attackers was reusing the same infection chain, including the STX RAT, and the same domain name for C2 communication from the previous attack related to the fake FileZilla installer,” Kaspersky said. “The overall malware development/deployment and operational security capabilities of the attackers behind this attack were so low that they were able to detect the watering hole breach as soon as it began.”
