Malware Delivered Through Hacked CPU-Z, HWMonitor Downloads
Recently, a major security breach occurred involving popular software tools from CPUID, specifically CPU-Z and HWMonitor. Attackers gained unauthorized access to the API of the CPUID project and altered the download links on the official site, so that users who clicked them received malware disguised as legitimate software.
Key Details of the Incident
According to reports, users who downloaded CPU-Z or HWMonitor during the vulnerable period instead received a trojanized version of HWiNFO, a competing monitoring tool. The malicious file, named HWiNFO_Monitor_Setup, launches a suspicious Russian installer.
- Malware Type: Trojanized software
- Malicious File Name: HWiNFO_Monitor_Setup
- Involved Utilities: CPU-Z, HWMonitor, HWiNFO
Timeline of the Breach
The vulnerability lasted approximately six hours, from April 9 at 15:00 UTC to April 10 at 10:00 UTC. During this time, users who attempted to download CPU-Z 2.19, HWMonitor Pro 1.57, or HWMonitor 1.63 received compromised files.
Malicious Payload and Impact
Research by Kaspersky revealed that the attackers shipped the legitimate executables together with a malicious DLL named 'CRYPTBASE.dll'. This DLL handled communication with a command-and-control (C2) server and led to the execution of further payloads.
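A DLL that carries a Windows system library's name but sits beside an installer in a download folder is the layout a defender would look for after reading the paragraph above. The following scan is an added example and not code from the article, CPUID or Kaspersky; it builds a constructed directory tree (the HWiNFO_Monitor_Setup name is from the article, the .exe suffix and the folder layout are assumed) and reports every copy of CRYPTBASE.dll found outside the Windows system directories, together with the executables next to it.

```python
import tempfile
from pathlib import Path

# Constructed for this example: relative directories where CRYPTBASE.dll
# legitimately lives on Windows. Paths are compared case-insensitively.
LEGIT_SYSTEM_DIRS = ("windows/system32", "windows/syswow64")
SUSPECT_DLL = "cryptbase.dll"


def find_sideloaded_dlls(root, dll_name=SUSPECT_DLL, system_dirs=LEGIT_SYSTEM_DIRS):
    """Return (relative_path, [neighbouring .exe names]) for every copy of
    dll_name found outside the system directories under root.

    A copy of a Windows system DLL placed next to an installer or application
    executable is the layout used for DLL search-order hijacking: the
    executable loads the DLL from its own directory before System32.
    """
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.name.lower() != dll_name:
            continue
        rel = path.relative_to(root).as_posix().lower()
        if any(rel.startswith(d + "/") for d in system_dirs):
            continue  # expected location, not a finding
        hosts = sorted(p.name for p in path.parent.iterdir()
                       if p.is_file() and p.suffix.lower() == ".exe")
        hits.append((rel, hosts))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed directory tree that mimics a user's machine after
    the download described in the article. Returns the tree's root path."""
    root = Path(tempfile.mkdtemp(prefix="cpuid_demo_"))
    # Legitimate copy in the system directory (placeholder contents).
    legit = root / "Windows" / "System32" / "cryptbase.dll"
    legit.parent.mkdir(parents=True)
    legit.write_bytes(b"MZ placeholder: genuine system DLL")
    # Download folder: the renamed installer plus a DLL dropped beside it.
    # The installer name comes from the article; the .exe suffix is assumed.
    downloads = root / "Downloads"
    downloads.mkdir()
    (downloads / "HWiNFO_Monitor_Setup.exe").write_bytes(b"MZ placeholder: installer")
    (downloads / "CRYPTBASE.dll").write_bytes(b"MZ placeholder: unknown DLL")
    return root


def demo_scan():
    """Run the scan over the constructed tree and return the findings."""
    return find_sideloaded_dlls(build_demo_tree())


if __name__ == "__main__":
    for rel, hosts in demo_scan():
        print(f"suspect DLL at {rel}; executables beside it: {hosts or 'none'}")
```

Run against a real user profile, the same function would be pointed at the drive root; the System32 and SysWOW64 copies are skipped, and any other copy is reported with the executable it most likely hijacks.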
Statistics and Affected Users
Over 150 users unwittingly downloaded the compromised versions of CPUID products. The affected parties included individual users and organizations from sectors such as:
- Retail
- Manufacturing
- Consulting
- Telecommunications
- Agriculture
The majority of affected organizations were located in Brazil, Russia, and China. Multiple antivirus engines flagged the malicious software, which some identified as either the Tedy Trojan or the Artemis Trojan.
Response and Remediation
CPUID has acknowledged the breach and confirmed that their signed original files remained unaffected. The company's investigation is ongoing. They stated that the link issue was promptly resolved once the compromise was detected.
To enhance security, CPUID now offers only clean versions of CPU-Z and HWMonitor on their official website. Cybersecurity researchers continue to monitor and analyse the incident to assess its implications and keep users protected from potential threats.
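Because the signed originals were never altered, the practical check for a user is to confirm that what arrived is the file that was requested before running it. The script below is an added example, not code from the article or from CPUID: it checks that the delivered file name matches the one requested, that the file is a Windows executable image, and that its SHA-256 matches a pinned value the vendor would publish. The CPU-Z file name cpu-z_2.19-en.exe, the file contents and the hash are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_name, expected_sha256):
    """Return a list of problems; an empty list means the file passes.

    Checks, in order: the delivered file carries the requested name, the
    file exists, it starts with the MZ header of a Windows executable, and
    its SHA-256 equals the pinned (vendor-published) value.
    """
    path = Path(path)
    problems = []
    if path.name.lower() != expected_name.lower():
        problems.append(f"name mismatch: requested {expected_name!r}, got {path.name!r}")
    if not path.is_file():
        problems.append("file missing")
        return problems
    with open(path, "rb") as handle:
        if handle.read(2) != b"MZ":
            problems.append("not a Windows executable (no MZ header)")
    actual = sha256_file(path)
    if actual != expected_sha256.lower():
        problems.append(f"sha256 mismatch: expected {expected_sha256}, got {actual}")
    return problems


def demo_verify():
    """Constructed scenario: the requested CPU-Z installer versus the
    swapped-in HWiNFO_Monitor_Setup file the article describes."""
    tmp = Path(tempfile.mkdtemp(prefix="cpuid_verify_"))
    genuine = tmp / "cpu-z_2.19-en.exe"            # assumed file name
    genuine.write_bytes(b"MZ" + b"\x90" * 64)      # stand-in for the signed original
    pinned = sha256_file(genuine)                   # value the vendor would publish
    swapped = tmp / "HWiNFO_Monitor_Setup.exe"     # name from the article, suffix assumed
    swapped.write_bytes(b"MZ" + b"\x00" * 64)      # different bytes, different hash
    return {
        "genuine": verify_download(genuine, "cpu-z_2.19-en.exe", pinned),
        "swapped": verify_download(swapped, "cpu-z_2.19-en.exe", pinned),
    }


if __name__ == "__main__":
    for label, problems in demo_verify().items():
        print(label, "OK" if not problems else problems)
```

A hash check only works when the reference value comes from somewhere other than the page that served the download; on Windows the stronger check is the Authenticode signature itself (for example `Get-AuthenticodeSignature` in PowerShell or `signtool verify /pa`), which is exactly the property CPUID says remained intact on its originals.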