- CPUID.com briefly compromised to serve malware
- Corrupted downloads used DLL sideloading with CRYPTBASE.dll
- Sophisticated Trojan installed, flagged by 20 AV engines
CPUID.com, a popular website for PC diagnostic tools, has confirmed that it was compromised and used to serve malware.
“Investigations are still ongoing, but it appears that a secondary feature (basically a page API) was compromised for approximately six hours between April 9th and April 10th, causing the main site to randomly display malicious links (our original signed files were not compromised),” the project’s maintainers said, as reported by Bleeping Computer. “The breach was found and has since been fixed.”
In other words, the software hosted on CPUID wasn’t poisoned – the site just served up malicious download links in place of the legitimate ones. Still, victims may think they are downloading legitimate software.
Not your typical malware
Kaspersky researchers found that the download links for this software were tainted:
CPU-Z (version 2.19)
HWMonitor Pro (version 1.57)
HWMonitor (version 1.63)
PerfMonitor (version 2.04)
The modified variants bundled a legitimate signed executable with a malicious DLL named ‘CRYPTBASE.dll’, which the executable loads via DLL sideloading.
“The malicious DLL is responsible for C2 [command and control] connection and further execution of payload. Prior to this, it also performs a set of anti-sandbox checks and if all checks are passed, it connects to the C2 server,” Kaspersky said.
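One defender-side check for the pairing described above, as an added example that is not from the article, CPUID, Kaspersky or vxunderground: it walks a directory of extracted downloads and flags a CRYPTBASE.dll lying beside an executable (the genuine DLL lives in the Windows system directory, not next to a downloaded tool), optionally skipping copies whose hash matches a known-good value. The directory tree, file names and file contents it builds are constructed placeholders, not samples from the incident.

```python
"""Flag DLL-sideloading candidates: a CRYPTBASE.dll sitting next to an .exe
outside the Windows system directory. Example code, not from the article."""
import hashlib
import os
import tempfile
from pathlib import Path

# DLL name taken from the CPUID incident; extend as needed.
SIDELOAD_DLLS = {"cryptbase.dll"}


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root, known_good=None):
    """Return one finding per suspicious DLL: its path, the executables
    sharing its directory, and its SHA-256.
    known_good: optional {dll name: sha256 of the legitimate system copy};
    a DLL whose hash matches is a genuine copy and is not reported."""
    known_good = {k.lower(): v for k, v in (known_good or {}).items()}
    findings = []
    for dirpath, _, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:  # a lone DLL has nothing to sideload into
            continue
        for f in files:
            if f.lower() in SIDELOAD_DLLS:
                p = Path(dirpath) / f
                digest = sha256(p)
                if known_good.get(f.lower()) == digest:
                    continue
                findings.append({"dll": str(p), "exes": exes, "sha256": digest})
    return findings


def make_sample_dir():
    """Constructed sample tree (placeholder bytes, not real binaries):
    one 'download' with a planted DLL beside its exe, one clean download."""
    base = Path(tempfile.mkdtemp())
    bad = base / "cpu-z_2.19"
    bad.mkdir()
    (bad / "cpuz.exe").write_bytes(b"MZ placeholder signed exe")
    (bad / "CRYPTBASE.dll").write_bytes(b"MZ placeholder planted dll")
    clean = base / "hwmonitor_1.63"
    clean.mkdir()
    (clean / "HWMonitor.exe").write_bytes(b"MZ placeholder signed exe")
    return str(base)


if __name__ == "__main__":
    for finding in find_sideload_candidates(make_sample_dir()):
        print(finding)
```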
At the same time, researchers from Igor’s Labs and vxunderground said the malware was quite sophisticated.
“When I started poking this with a stick, I discovered that this is not your typical run-of-the-mill malware,” stated vxunderground.
“This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masking, is multistage, operates (almost) entirely in memory, and uses some interesting methods to avoid EDRs and/or AVs, such as proxying NTDLL functionality from a .NET assembly.”
The website has since been cleaned up. VirusTotal shows that 20 antivirus engines currently flag the malware – some calling it the “Tedy Trojan”, others the “Artemis Trojan”. It appears to be an info stealer.