- CPUID.com Briefly Compromised to Serve Malware
- Tainted downloads used DLL sideloading with CRYPTBASE.dll
- Sophisticated Trojan Deployed, Identified by 20 AV Engines
CPUID.com, a popular PC diagnostic tools website, confirmed that it was compromised and used to distribute malware.
“Investigations are still ongoing, but it appears that a secondary feature (essentially a secondary API) was compromised for approximately six hours between April 9 and 10, causing the main website to randomly display malicious links (our original signed files were not compromised),” the project maintainers told BleepingComputer. “The violation was found and has since been repaired.”
In other words, the software hosted on CPUID was not poisoned: it simply offered different download links. Even so, victims might think they are downloading legitimate software.
It is not typical malware
Kaspersky researchers discovered that the download links for this software were contaminated:
- CPU-Z (version 2.19)
- HWMonitor Pro (version 1.57)
- HWMonitor (version 1.63)
- Performance Monitor (version 2.04)
The modified packages paired a legitimately signed executable with a malicious DLL named ‘CRYPTBASE.dll’, which the executable picks up through DLL sideloading.
“Malicious DLL is responsible for C2 [command and control] connection and subsequent execution of the payload. Before this, it also performs a series of anti-sandbox checks and if all checks have passed, it connects to the C2 server,” Kaspersky said.
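The pattern described above (a genuine signed EXE shipped next to a rogue CRYPTBASE.dll) is something a defender can hunt for on download folders and endpoints. The following is an added example, not code from Kaspersky, CPUID or the article: it walks a directory tree, flags any CRYPTBASE.dll that sits outside the Windows system directories alongside an executable, records its SHA-256, and lets you suppress hits whose hash matches a known-good copy; the sample folder layout and file contents it builds are constructed placeholders, not real binaries.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hijackable name from the Kaspersky analysis: the Windows loader looks for it
# beside the EXE before the system directory, which is the sideloading window.
SIDELOAD_NAMES = {"cryptbase.dll"}
# Where a genuine copy legitimately lives (default Windows install paths).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_sideload_candidates(root: Path, known_good: frozenset = frozenset()) -> list:
    """Report every CRYPTBASE.dll under `root` that lies outside the system
    directories and shares a folder with at least one .exe. A hash listed in
    `known_good` (e.g. the SHA-256 of the real system copy) suppresses a hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for name in sorted(SIDELOAD_NAMES & set(by_lower)):
            dll = Path(dirpath) / by_lower[name]
            if str(dll.parent).lower().startswith(SYSTEM_DIRS):
                continue  # expected location, not a sideload
            exes = sorted(f for f in files if f.lower().endswith(".exe"))
            digest = sha256_of(dll)
            if not exes or digest in known_good:
                continue
            findings.append({"dll": str(dll), "sha256": digest, "exes": exes})
    return findings

def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not real malware: a fake CPU-Z download folder
    with the rogue DLL next to the EXE, plus a clean folder holding only an EXE."""
    bad = root / "Downloads" / "cpu-z_2.19"
    bad.mkdir(parents=True)
    (bad / "cpuz_x64.exe").write_bytes(b"MZ placeholder for the signed executable")
    (bad / "CRYPTBASE.dll").write_bytes(b"MZ placeholder for the rogue DLL")
    clean = root / "Downloads" / "other-tool"
    clean.mkdir(parents=True)
    (clean / "tool.exe").write_bytes(b"MZ placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d))
        for hit in find_sideload_candidates(Path(d)):
            print(f"sideload candidate: {hit['dll']} beside {hit['exes']}")
```

On a real machine, point `find_sideload_candidates` at user download and temp folders and feed the hash of the genuine System32 copy into `known_good`; any remaining hit is a file worth submitting to VirusTotal or your sandbox before it ever runs.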
At the same time, researchers from Igor’s Labs and vxunderground said the malware was quite sophisticated.
“When I started poking at this with a stick, I discovered that this is not your typical run-of-the-mill malware,” vxunderground said.
“This malware is deeply trojanized, distributed from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-stage, operates (almost) entirely in memory, and uses some interesting methods to evade EDR and/or AV, such as NTDLL functionality from a .NET assembly.”
The website has since been cleaned up. VirusTotal shows that 20 antivirus engines currently detect the malware: some label it “Tedy Trojan”, others “Artemis Trojan”. It appears to be an information stealer.