- CPUID.com briefly compromised to serve malware
- Corrupt downloads were using DLL sideloading with CRYPTBASE.dll
- Sophisticated Trojan deployed, reported by 20 AV engines
CPUID.com, a popular website for PC diagnostic tools, has confirmed that it has been compromised and used to distribute malware.
“Investigations are still ongoing, but it appears that a secondary functionality (essentially a secondary API) was compromised for approximately six hours between April 9 and 10, causing malicious links to appear randomly on the main website (our original signed files were not compromised),” project officials told BleepingComputer. The breach was found and has since been repaired.
In other words, the software hosted on CPUID was not tampered with; the site simply served different download links for a few hours. Victims following those links, however, would have believed they were downloading legitimate software.
This is not typical malware
Kaspersky researchers found that the download links for the following tools had been tampered with:
- CPU-Z (version 2.19)
- HWMonitor Pro (version 1.57)
- HWMonitor (version 1.63)
- PerfMonitor (version 2.04)
The modified variants bundled a legitimately signed executable together with a malicious DLL named “CRYPTBASE.dll”, which the executable loads via DLL sideloading.
“The malicious DLL is responsible for C2 [command and control] connection and subsequent execution of the payload. Before that, it also performs a series of anti-sandbox checks and, if all checks passed, it connects to the C2 server,” Kaspersky said.
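The pattern Kaspersky describes (a signed executable next to a DLL that carries a Windows system library name) is something a defender can look for in download folders or unpacked archives before anything is run. The following is an added example written for this article, not code from CPUID, Kaspersky or the researchers quoted here; it watches only for the CRYPTBASE.dll name the article mentions (the watched set is configurable), assumes a default Windows directory layout for where that DLL legitimately lives, and uses constructed sample paths.

```python
"""Flag a DLL-sideloading layout: a DLL carrying the name of a Windows system
library (CRYPTBASE.dll in the CPUID case) sitting next to an .exe outside the
Windows system directories. Added example; not code from the article or the
researchers it quotes."""
import os
import tempfile

# Name taken from the article; extend with other system DLL names you want to watch.
WATCHED_DLL_NAMES = {"cryptbase.dll"}
# Directories where such a DLL legitimately lives (assumed default Windows layout).
SYSTEM_DIR_MARKERS = ("/windows/system32/", "/windows/syswow64/", "/windows/winsxs/")


def _split(path: str):
    """Return (lower-cased directory, lower-cased file name) using '/' separators."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    return directory.lower(), name.lower()


def is_system_location(directory: str) -> bool:
    """True if the directory is one of the Windows system folders."""
    d = directory.replace("\\", "/").lower().rstrip("/") + "/"
    return any(marker in d for marker in SYSTEM_DIR_MARKERS)


def flag_sideload_candidates(paths):
    """Given file paths (an archive listing or a folder walk), return the original
    paths of watched DLLs that sit beside an .exe outside the system directories."""
    by_dir = {}
    for original in paths:
        directory, name = _split(original)
        by_dir.setdefault(directory, []).append((name, original))
    findings = []
    for directory, entries in by_dir.items():
        if is_system_location(directory):
            continue
        if not any(name.endswith(".exe") for name, _ in entries):
            continue  # a lone DLL is not the exe-plus-DLL pattern described
        findings.extend(original for name, original in entries if name in WATCHED_DLL_NAMES)
    return findings


def scan_tree(root: str):
    """Walk a directory tree and apply the check to every file found."""
    paths = [os.path.join(dirpath, f) for dirpath, _, files in os.walk(root) for f in files]
    return flag_sideload_candidates(paths)


if __name__ == "__main__":
    # Constructed sample: a download folder shaped like the trojanized bundles.
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "cpu-z_2.19")
        os.makedirs(bundle)
        for fname in ("cpuz.exe", "CRYPTBASE.dll", "readme.txt"):
            open(os.path.join(bundle, fname), "wb").close()
        for hit in scan_tree(tmp):
            print("possible sideloading DLL:", hit)
```

The check is deliberately a layout heuristic rather than a signature: it says nothing about whether the DLL is malicious, only that a file with this name has no business sitting in a user-writable folder next to an executable, so a hit is a prompt to hash the file and compare the executable against the vendor's signed release.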
At the same time, researchers from Igor’s Labs and vxunderground said the malware was rather sophisticated.
“As I started poking this with a stick, I discovered that this is no ordinary malware,” vxunderground said.
“This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file obfuscation, is multi-stage, runs (almost) entirely in memory, and uses interesting methods to evade EDRs and/or AVs, such as proxying NTDLL functionality from a .NET assembly.”
The website has since been cleaned. VirusTotal currently shows 20 antivirus engines flagging the malware – some label it “Tedy Trojan”, others “Artemis Trojan”. It appears to be an infostealer.