- CPUID.com briefly compromised to serve malware
- Tainted downloads used DLL sideloading with CRYPTBASE.dll
- Sophisticated Trojan deployed, flagged by 20 AV engines
CPUID.com, a popular website for PC diagnostics tools, has confirmed it was compromised and used to serve malware.
“Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised),” the project’s maintainers told BleepingComputer. The breach was found and has since been fixed.
In other words, the software hosted on CPUID was not poisoned – it was merely serving different download links. Still, victims might think they’re downloading legitimate software.
Not your typical malware
Researchers from Kaspersky found that the download links for the following software were tainted:
CPU-Z (version 2.19)
HWMonitor Pro (version 1.57)
HWMonitor (version 1.63)
PerfMonitor (version 2.04)
The modified variants included a legitimate, signed executable and a malicious DLL named ‘CRYPTBASE.dll’, used for DLL sideloading.
“The malicious DLL is responsible for C2 [command and control] connection and further payload execution. Prior to this, it also performs a set of anti-sandbox checks and, if all the checks have passed, it connects to the C2 server,” Kaspersky said.
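The sideloading pattern Kaspersky describes, a signed host executable with a planted CRYPTBASE.dll beside it, can be hunted for on disk. The scanner below is an added example, not code from the article, Kaspersky or CPUID; the directory layout it builds in demo() is constructed, and the watch list of DLL names is an assumption you would extend for your own environment.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DLL names that a signed program resolves from its own folder before System32;
# the tainted CPU-Z/HWMonitor bundles used this with a planted CRYPTBASE.dll.
WATCHED_DLLS = {"cryptbase.dll"}  # assumed watch list, extend as needed

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def find_sideload_candidates(root, system_dir=None, watched=WATCHED_DLLS):
    """Walk `root` and return (dll_path, [exe names], same_as_system_copy) for
    every watched DLL sitting beside an .exe outside the OS system directory."""
    system_dir = Path(system_dir).resolve() if system_dir else None
    reference = {}  # sha256 of the genuine copy, keyed by lowercase name
    if system_dir:
        for name in watched:
            p = system_dir / name
            if p.is_file():
                reference[name] = sha256_of(p)
    hits = []
    for dirpath, _, files in os.walk(root):
        d = Path(dirpath).resolve()
        if system_dir and (d == system_dir or system_dir in d.parents):
            continue  # the legitimate location, not a sideload
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for f in files:
            name = f.lower()
            if name in watched and exes:  # DLL planted next to a host exe
                same = (reference[name] == sha256_of(d / f)) if name in reference else None
                hits.append((d / f, exes, same))
    return hits

def demo():
    """Constructed sample layout (not real files from the incident)."""
    base = Path(tempfile.mkdtemp())
    sys32 = base / "Windows" / "System32"
    bundle = base / "Downloads" / "cpu-z"
    lone = base / "Downloads" / "notes"
    for d in (sys32, bundle, lone):
        d.mkdir(parents=True)
    (sys32 / "cryptbase.dll").write_bytes(b"genuine system copy")
    (bundle / "cpuz.exe").write_bytes(b"MZ signed host")
    (bundle / "CRYPTBASE.dll").write_bytes(b"planted loader")
    (lone / "CRYPTBASE.dll").write_bytes(b"no host exe here")
    return find_sideload_candidates(base, system_dir=sys32)
```

A hit only means the DLL is in a sideload position and differs from the system copy; some legitimate installers ship their own DLLs, so confirm with the file's signature and hash before acting.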
At the same time, researchers from Igor’s Labs and vxunderground said the malware was rather sophisticated.
“As I began poking this with a stick, I discovered this is not your typical run-of-the-mill malware,” stated vxunderground.
“This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.”
The website has since been cleaned up. VirusTotal shows that currently 20 antivirus engines are flagging the malware – some call it “Tedy Trojan”, others “Artemis Trojan”. It seems to be an infostealer.