CPUID Website Hijacked: Malware Delivered via Trusted Links
By Carly Page

AI Summary
This week, visitors to the CPUID website encountered malware after attackers hijacked part of its backend. Trusted tools like HWMonitor and CPU-Z were affected, and users noticed anomalies when antivirus alerts were triggered or when files appeared under suspicious names. For instance, the HWMonitor update was linked to a file named 'HWiNFO_Monitor_Setup.exe', indicating tampering. CPUID confirmed the breach, attributing it to a compromised backend component rather than the software builds themselves.
The breach involved a secondary API being compromised for about six hours, leading to malicious links being displayed on the main website. Although the original files remained signed and untampered, users who downloaded during this period might have unknowingly received malware. The malicious installer targeted 64-bit HWMonitor users, using a fake CRYPTBASE.dll to blend in with legitimate Windows components and reaching out to a command-and-control server for additional payloads.
The malware operated largely in memory, utilizing PowerShell and compiling a .NET payload on the victim's machine. It also targeted browser data, interacting with Google Chrome's IElevation COM interface to access stored credentials. Analysis suggests this attack is part of a broader campaign, with links to infrastructure used in previous attacks, such as those targeting FileZilla users.
Despite CPUID fixing the issue, details on how the API was accessed or the extent of affected users remain unclear. This incident underscores the vulnerability of download links and the potential for harm without altering the actual code.
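The fake CRYPTBASE.dll described above suggests a simple detection: flag any module with that name that loads from outside the Windows system directories, or from inside them without a valid signature. The sketch below is an added example, not code from CPUID or the original article; it assumes events shaped like Sysmon image-load records (fields `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`), and every sample event in it is constructed.

```python
import ntpath

# Directories where Windows ships the genuine cryptbase.dll.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
WATCHED_DLL = "cryptbase.dll"

def in_trusted_dir(path):
    # normpath collapses "..", so System32\..\Temp does not pass as System32.
    folder = ntpath.dirname(ntpath.normpath(path)).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in TRUSTED_DIRS)

def classify(event):
    """Return a reason string if the load looks like masquerading, else None."""
    loaded = event["ImageLoaded"]
    if ntpath.basename(ntpath.normpath(loaded)).lower() != WATCHED_DLL:
        return None
    if not in_trusted_dir(loaded):
        return "loaded from outside the Windows system directories"
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        return "in a system directory but without a valid signature"
    return None

def find_suspicious_loads(events):
    return [(e["Image"], e["ImageLoaded"], r) for e in events if (r := classify(e))]

# Constructed sample events (assumed Sysmon-style fields); users and paths are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\CPUID\HWMonitor\HWMonitor.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\HWiNFO_Monitor_Setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\setup-tmp\CRYPTBASE.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\bob\Downloads\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\cryptbase.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\cryptbase.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for image, loaded, reason in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT {image} -> {loaded}: {reason}")
```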
Key Concepts
A backend compromise occurs when attackers gain unauthorized access to the server-side components of a website or application, potentially altering how data is served to users.
Malware delivery is the process by which malicious software is distributed to target systems, often through deceptive means such as compromised links or attachments.
Category: Security
Original source: https://www.theregister.com/2026/04/10/cpuid_site_hijacked/
Summarized by Mente