CPUID Website Hacked to Serve Malware Through CPU-Z and HWMonitor Download Links
Quote: Hackers accessed a secondary API on the CPUID website between April 9 at 15:00 UTC and April 10 at around 10:00 UTC. During this time, the site served malicious download links instead of legitimate installers for several popular hardware monitoring utilities. CPUID has confirmed the breach and says the compromised API has been fixed. They are now serving clean versions of all affected tools.

Users who downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor during the six-hour period may have received tampered versions. However, CPUID's original signed binaries were not altered.

What Malware Was Delivered Through the CPUID Downloads

The malicious downloads were funneled through Cloudflare R2 storage and delivered a fake HWiNFO installer named HWiNFO_Monitor_Setup, packaged with a Russian Inno Setup wrapper. According to Kaspersky's analysis, the trojanized versions included a legitimately signed executable along with a malicious DLL called CRYPTBASE.dll, which was used for DLL sideloading.

The malicious DLL performed anti-sandbox checks before connecting to a command-and-control server and executing a final payload identified as STX RAT. This remote access trojan has infostealer capabilities and has been documented by researchers at eSentire. The malware operated almost entirely in memory and used techniques to evade endpoint detection and antivirus software.

The four affected software versions were:
  • CPU-Z version 2.19
  • HWMonitor Pro version 1.57
  • HWMonitor version 1.63
  • PerfMonitor version 2.04.
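A defender-side check built from the indicators named in the quoted report (an added example, not part of the original post or the article it quotes): it flags any CRYPTBASE.dll found outside the Windows system directories, lists executables sitting beside it, and flags files named like the fake installer. The trusted directory list, the default `C:\Windows` root and the sample paths are assumptions constructed for illustration.

```python
import os
import sys
from pathlib import PureWindowsPath

SIDELOAD_DLL = "cryptbase.dll"           # DLL name given in the quoted report
FAKE_INSTALLER = "hwinfo_monitor_setup"  # installer name given in the quoted report
# Assumption: the genuine CRYPTBASE.dll only lives under these Windows subdirectories.
SYSTEM_SUBDIRS = ("system32", "syswow64", "winsxs")

# Constructed sample paths (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Windows\System32\cryptbase.dll",
    r"C:\Users\a\AppData\Local\Temp\is-X1\CRYPTBASE.dll",
    r"C:\Users\a\AppData\Local\Temp\is-X1\tool.exe",
    r"C:\Users\a\Downloads\HWiNFO_Monitor_Setup.exe",
    r"C:\Users\a\system32\cryptbase.dll",
]

def find_sideload_candidates(paths, windir=r"C:\Windows"):
    """Return sorted (path, reason) findings for an iterable of Windows file paths."""
    paths = list(paths)
    trusted = [PureWindowsPath(windir.lower()) / d for d in SYSTEM_SUBDIRS]
    norm = [PureWindowsPath(p.lower()) for p in paths]
    exes_by_dir = {}
    for p in norm:
        if p.suffix == ".exe":
            exes_by_dir.setdefault(p.parent, []).append(p.name)
    findings = []
    for raw, p in zip(paths, norm):
        if p.name == SIDELOAD_DLL and not any(t in p.parents for t in trusted):
            # A look-alike "system32" folder elsewhere is not trusted: only windir counts.
            reason = "CRYPTBASE.dll outside the Windows system directories"
            hosts = sorted(exes_by_dir.get(p.parent, []))
            if hosts:  # executables that could load it from their own directory
                reason += "; sibling executables: " + ", ".join(hosts)
            findings.append((raw, reason))
        elif p.stem.startswith(FAKE_INSTALLER):
            findings.append((raw, "file name matches the reported fake installer"))
    return sorted(findings)

def walk_files(root):
    """Yield every file path below root."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(folder, name)

if __name__ == "__main__":
    source = walk_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    for path, reason in find_sideload_candidates(source):
        print(f"{path}: {reason}")
```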


Messages In This Thread
CPUID Website Hacked to Serve Malware Through CPU-Z and HWMonitor Download Links - by harlan4096 - 13 April 26, 10:20
