Between 9th and 10th April 2026, a sophisticated supply chain attack compromised the official CPUID website, distributing malware-laden versions of popular hardware diagnostic tools CPU-Z and HWMonitor. During a brief window lasting approximately six to nineteen hours, attackers manipulated download links to serve trojanised installers that ultimately deployed STX RAT, a remote access trojan with information-stealing capabilities. This incident highlights how even seemingly low-risk utility software can become a dangerous attack vector when distribution channels are compromised.

The attackers did not tamper with CPUID's legitimately signed binaries themselves; instead, they abused a secondary API within the CPUID infrastructure that controlled the download links on the website. This let them redirect users to malicious executables hosted on external Cloudflare R2 storage rather than the genuine software. The compromised versions included CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57, and PerfMonitor 2.04. Each trojanised installer bundled a legitimate, signed executable with a malicious dynamic link library named CRYPTBASE.dll, planted to take advantage of DLL sideloading.

DLL sideloading exploits how certain applications resolve libraries from their own directory or other predictable paths, so a malicious DLL planted beside the executable is loaded in place of the legitimate system copy. Once loaded, CRYPTBASE.dll performed anti-sandbox checks to evade automated analysis tools, then established communication with command-and-control infrastructure to receive further instructions and download additional components. The final payload, STX RAT, combines remote access trojan and information stealer capabilities, targeting system information, credentials, and other sensitive data. This poses a particular risk on systems used for VPN access, single sign-on services, password managers, or system administration, where stolen credentials can rapidly escalate into unauthorised access to critical resources.

Technical analysis revealed infrastructure and configuration overlaps with previous campaigns, including one involving a fake FileZilla website distributing malicious downloads. This suggests an experienced threat actor with repeatable operational patterns, capable of adapting the same approach—popular download sites, sideloading packaging, and RAT delivery—across different targets. Researchers documented over 150 downloads of malicious variants, with victims spanning retail, manufacturing, consultancy, telecommunications, and agriculture sectors, predominantly in Brazil, Russia, and China.

For incident response, organisations should prioritise identifying endpoints that downloaded or installed affected versions during the 9th-10th April 2026 window and treat them as potentially compromised. Security teams should search for copies of CRYPTBASE.dll outside the Windows system directories, DLL sideloading traces associated with the installer, and network telemetry showing outbound connections to the command-and-control infrastructure listed in published indicators of compromise. If execution is suspected, immediate isolation, forensic artefact collection, and credential rotation—including browser sessions, tokens, and corporate tool access—are essential. Longer term, this incident underscores the need for robust controls around auxiliary software, including allowlisting, signature verification, installer origin control, and monitoring for unusual changes in download chains, even for well-known tools.
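The file-system part of that hunt can be scripted. The following is an added example written for this article, not code from CPUID or from the researchers who analysed the incident. It encodes the detection logic the article implies: a genuine CRYPTBASE.dll lives only under the Windows system directories (System32, SysWOW64, WinSxS), so any copy sitting beside an application executable is the sideloading pattern to triage, and a hash match against published indicators raises the confidence further. The `KNOWN_BAD_SHA256` set is an empty placeholder to be filled from the published IoCs, and `build_demo_tree()` creates a constructed fixture with stand-in bytes so the script runs offline; the directory names in it (`CPUID\CPU-Z`, `cpuz.exe`) are assumptions for the demo, not paths taken from the incident report.

```python
"""Hunt for CRYPTBASE.dll sideloading artefacts across filesystem roots.

Added example for this article; not CPUID's or the researchers' code.
A genuine CRYPTBASE.dll lives only in the Windows system directories, so a
copy next to an application executable is the pattern to triage.
"""
import hashlib
import os
import tempfile
from pathlib import Path

TARGET_DLL = "cryptbase.dll"
LEGIT_SYSTEM_DIRS = {"system32", "syswow64", "winsxs"}

# PLACEHOLDER: populate with the published SHA-256 indicators for the incident.
KNOWN_BAD_SHA256: set = set()


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_legit_location(path: Path) -> bool:
    """True only when the DLL sits under <drive>\\Windows\\{System32,SysWOW64,WinSxS}."""
    parts = [p.lower() for p in path.parent.parts]
    return any(
        parts[i] == "windows" and parts[i + 1] in LEGIT_SYSTEM_DIRS
        for i in range(len(parts) - 1)
    )


def hunt(roots, known_bad=KNOWN_BAD_SHA256):
    """Walk the roots and return one finding per CRYPTBASE.dll copy.

    Each finding records the path, whether it is a legitimate system location,
    the SHA-256, whether that hash is a known IoC, and which executables share
    the directory (the likely sideloading host).
    """
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != TARGET_DLL:
                    continue
                dll = Path(dirpath) / name
                digest = sha256_of(dll)
                findings.append({
                    "path": str(dll),
                    "legit_location": is_legit_location(dll),
                    "sha256": digest,
                    "ioc_match": digest in known_bad,
                    "host_exes": sorted(f for f in files if f.lower().endswith(".exe")),
                })
    return findings


def suspicious(findings):
    """A copy is suspicious if it is outside the system directories or matches an IoC."""
    return [f for f in findings if not f["legit_location"] or f["ioc_match"]]


def build_demo_tree(base: Path) -> Path:
    """Constructed fixture: a benign system copy plus a planted copy beside cpuz.exe.
    File contents are stand-in bytes, not real binaries. Returns the planted path."""
    (base / "Windows" / "System32").mkdir(parents=True)
    (base / "Windows" / "System32" / "cryptbase.dll").write_bytes(b"constructed: system dll")
    app = base / "Program Files" / "CPUID" / "CPU-Z"  # assumed install path for the demo
    app.mkdir(parents=True)
    (app / "cpuz.exe").write_bytes(b"constructed: signed host executable")
    (app / "CRYPTBASE.dll").write_bytes(b"constructed: planted dll")
    return app / "CRYPTBASE.dll"


def demo():
    """Run the hunt over the constructed tree; returns (all findings, suspicious ones)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        planted = build_demo_tree(base)
        # Stand in for having the published IoC hash of the planted copy available.
        iocs = KNOWN_BAD_SHA256 | {sha256_of(planted)}
        found = hunt([base], known_bad=iocs)
        return found, suspicious(found)


if __name__ == "__main__":
    all_found, bad = demo()
    for f in bad:
        print(f"SUSPICIOUS {f['path']} sha256={f['sha256']} ioc={f['ioc_match']} hosts={f['host_exes']}")
    print(f"{len(all_found)} copies seen, {len(bad)} suspicious")
```

In a real deployment, point `hunt()` at the drive roots (or the Program Files, user Downloads and temp directories where installers land), feed `KNOWN_BAD_SHA256` from the published indicators, and treat every non-system copy as a triage lead even when its hash is unknown, since the planted library may have been rebuilt between victims.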
Article generated by LaRebelionBOT