CPUID Exploited: HWMonitor Downloads Deliver Malware

A security incident affected visitors to the CPUID website, in particular those downloading popular tools such as HWMonitor and CPU-Z. Attackers hijacked part of the download backend and used it to redirect users to malicious downloads.

Malicious Downloads Linked to CPUID Breach

Between April 9 and April 10, a compromised secondary API linked to the backend allowed malicious links to appear on the main website for approximately six hours. As a result, users attempting to download legitimate software were unknowingly served malware.

Warnings from Users

Users raised concerns on platforms like Reddit when they noticed unusual behavior, such as antivirus alerts triggered by installers or files carrying unexpected names. For instance, a purported HWMonitor 1.63 update was served as a suspicious file named “HWiNFO_Monitor_Setup.exe,” causing confusion and concern.

Details of the Compromise

  • The main software files remained intact and properly signed.
  • The breach originated from how downloads were served, not from tampering with the actual software builds.
  • CPUID confirmed that investigations are ongoing regarding the compromised API.

In response to the incident, CPUID assured users that the issue has been fixed. However, the company has not disclosed how the breach occurred or how many individuals may have downloaded the malicious files.

Malware Behavior and Risks

Analysis from vx-underground highlighted specific characteristics of the malware. It predominantly targeted users of the 64-bit version of HWMonitor, deploying a fake CRYPTBASE.dll file to blend in with legitimate Windows components. This malicious DLL was designed to connect to a command-and-control server, downloading additional payloads.
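The two defender-side checks that follow from the details above (the genuine installers stayed validly signed, and the malware arrived as a look-alike CRYPTBASE.dll placed where HWMonitor would load it) can be scripted. The PowerShell below is an added example, not CPUID's or vx-underground's code; the expected publisher string, the installer name prefix, the search roots and the sample file name are assumptions that should be confirmed against a known-good download.

```powershell
# Added example (not CPUID's code): defender-side checks for the two failure
# modes described in the article. Publisher name, name prefix and search
# roots are assumptions; adjust them to what a known-good download shows.

# 1. Verify a downloaded installer before running it: the file name should
#    match the product you asked for, and the Authenticode signature should be
#    valid and belong to the expected publisher.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: substring expected in the signer's certificate Subject.
        [string] $ExpectedPublisher = 'CPUID',
        # Assumption: prefix a genuine HWMonitor installer name carries.
        [string] $ExpectedNamePrefix = 'hwmonitor'
    )
    $result = [ordered]@{ Path = $Path; Trusted = $false; Reasons = @() }

    # The breach served a file named like a different vendor's product;
    # a name mismatch alone is reason to stop and look closer.
    $name = [System.IO.Path]::GetFileName($Path)
    if (-not $name.ToLower().StartsWith($ExpectedNamePrefix)) {
        $result.Reasons += "file name '$name' does not look like a $ExpectedNamePrefix installer"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "Authenticode status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        $result.Reasons += "signed, but by '$($sig.SignerCertificate.Subject)'"
    }

    # Record the hash so it can be compared with the vendor's published value.
    $result.Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.Trusted = ($result.Reasons.Count -eq 0)
    [pscustomobject]$result
}

# 2. Hunt for CRYPTBASE.dll copies planted beside applications. The genuine
#    library lives under the Windows directory (System32, SysWOW64, WinSxS);
#    a copy sitting next to an application .exe is where a DLL search-order
#    hijack would put it (the placement is an assumption, inferred from the
#    article's description of a fake CRYPTBASE.dll blending in with Windows).
function Find-SuspiciousCryptBase {
    param(
        # Assumption: directories where a user-installed tool would live.
        [string[]] $Roots = @(
            "$env:ProgramFiles", "${env:ProgramFiles(x86)}",
            "$env:LOCALAPPDATA", "$env:TEMP", "$env:USERPROFILE\Downloads"
        )
    )
    $windowsDir = $env:SystemRoot
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter 'CRYPTBASE.dll' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { -not $_.FullName.StartsWith($windowsDir, 'OrdinalIgnoreCase') } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Modified  = $_.LastWriteTime
                    SigStatus = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                    Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Example usage (the installer file name is a constructed sample):
# Test-TrustedInstaller -Path "$env:USERPROFILE\Downloads\hwmonitor_1.63.exe"
# Find-SuspiciousCryptBase | Format-Table -AutoSize
```

A hit from Find-SuspiciousCryptBase is a lead rather than proof: compare its hash and signer with the copy in System32, and treat an unsigned or differently signed file next to an application executable as the thing to investigate. Test-TrustedInstaller deliberately reports every reason rather than stopping at the first, so a bad name and a bad signature both show up in one run.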

Malware Functions

  • Operates primarily in memory, leaving fewer artifacts on disk and reducing the chance of detection.
  • Utilizes PowerShell to execute various tasks.
  • Injects compiled .NET payloads into other processes.
  • Aims to extract browser data, particularly from Google Chrome.

Its use of Chrome’s IElevation COM interface may give it unauthorized access to stored credentials, raising further concerns over user security.

Conclusion

This incident is a reminder that the download mechanism itself is an attack surface: the software builds were untouched, yet users were still served malware. While CPUID has resolved the issue, the risk to users who downloaded the malicious files remains. Vigilance and caution when downloading software are essential to avoid falling victim to such attacks.