CPU-Z and HWMonitor Downloads Compromised, Distributing STX RAT

CPUID.com, a popular host for hardware monitoring utilities, was briefly compromised and used to distribute a remote access trojan (RAT) known as STX RAT. The incident, which lasted for less than 24 hours, saw attackers replace legitimate download links for widely used software like CPU-Z and HWMonitor with malicious executables.

The breach occurred between approximately 15:00 UTC on April 9 and 10:00 UTC on April 10. During this period, users attempting to download CPU-Z and HWMonitor from the official CPUID website were redirected, without their knowledge, to attacker-controlled sites. These sites then served trojanized versions of the software installers, embedding the STX RAT.

CPUID, the company behind these popular tools, confirmed the security incident via a statement on X (formerly Twitter). The company attributed the compromise to a breach in a “secondary feature (basically a side API)” which then led to the main website intermittently displaying malicious links. Importantly, CPUID has stated that the attack did not affect the integrity of their digitally signed original software files.

Details of the STX RAT Distribution

The attackers exploited a vulnerability in a less prominent aspect of the CPUID website, a secondary API, to redirect users. This allowed them to serve tainted installers for CPU-Z and HWMonitor, two of the most downloaded tools from the site. These tainted installers contained the STX RAT, a type of malware designed to grant attackers remote control over an infected system. The STX RAT can typically be used to steal sensitive information, monitor user activity, and provide backdoor access for further malicious operations.

The fact that the attack targeted downloads of legitimate software highlights a common tactic used by threat actors. By disguising malware as trusted applications, attackers aim to bypass security measures and exploit user trust, increasing the likelihood of a successful infection. Users who downloaded software from CPUID.com during the specified timeframe are strongly advised to scan their systems for any signs of compromise and to re-download the latest, legitimate versions of their hardware monitoring tools directly from the vendors.
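Because CPUID states that its signed originals were untouched, the decisive check for a user who downloaded during the window is the installer's Authenticode signature. The following PowerShell is an added example, not code from CPUID or this article; it assumes the installers sit in the user's Downloads folder with names beginning cpuz or hwmonitor, that the vendor's certificate subject contains "CPUID", and, since the article gives no year, uses a placeholder year for the compromise window.

```powershell
# Added example (not CPUID's or the article's code). Assumed: installers are in
# the current user's Downloads folder, named cpuz*.exe / hwmonitor*.exe, and the
# legitimate signer's certificate subject contains "CPUID".
$Year        = (Get-Date).Year   # PLACEHOLDER: the article gives no year; set it here
$WindowStart = [datetime]::new($Year, 4, 9, 15, 0, 0, [DateTimeKind]::Utc)
$WindowEnd   = [datetime]::new($Year, 4, 10, 10, 0, 0, [DateTimeKind]::Utc)
$Downloads   = Join-Path $env:USERPROFILE 'Downloads'

function Test-HwToolInstaller {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $sig      = Get-AuthenticodeSignature -FilePath $File.FullName
    $signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $inWindow = ($File.CreationTimeUtc -ge $WindowStart) -and ($File.CreationTimeUtc -le $WindowEnd)

    # A trojanized installer either fails Authenticode validation or carries a
    # signer other than the vendor; a valid vendor signature matches CPUID's
    # statement that its digitally signed originals were not affected.
    if ($sig.Status -ne 'Valid') {
        $verdict = "SUSPECT: signature status $($sig.Status)"
    } elseif ($signer -notmatch 'CPUID') {
        $verdict = 'SUSPECT: valid signature but unexpected signer'
    } else {
        $verdict = 'OK: valid vendor signature'
    }

    [pscustomobject]@{
        File          = $File.Name
        DownloadedUtc = $File.CreationTimeUtc   # approximation of download time
        InWindow      = $inWindow
        Status        = $sig.Status
        Signer        = $signer
        Verdict       = $verdict
    }
}

Get-ChildItem -Path $Downloads -File |
    Where-Object Name -match '^(cpuz|hwmonitor).*\.exe$' |
    ForEach-Object { Test-HwToolInstaller -File $_ } |
    Sort-Object InWindow -Descending |
    Format-Table -AutoSize
```

The timestamp only narrows which files deserve attention, since file times can be altered or skewed; any installer with a status other than Valid or a non-vendor signer should be treated as suspect regardless of when it was fetched.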

CPUID has since secured its systems and is working to ensure the integrity of its download services. The company’s swift confirmation and explanation, alongside assurance that original signed files were not impacted, provides some reassurance to its user base. However, the incident serves as a stark reminder of the persistent threat posed by supply chain attacks, where legitimate platforms are subverted to deliver malware.

Editor Analysis

This incident underscores the critical importance of supply chain security in the software distribution ecosystem. Even seemingly niche or secondary features of a website can become a vector for attack if not adequately protected. The compromise of CPUID.com, a trusted source for essential system utilities, highlights how attackers are constantly seeking out vulnerabilities to exploit. The swift and transparent communication from CPUID is commendable, particularly their assurance regarding the integrity of signed executables, which can help mitigate some of the immediate risk to users who may have downloaded the tainted software. However, the inherent nature of RATs means that systems infected during the breach may already be compromised in ways not immediately apparent. Users must remain vigilant, practice good cybersecurity hygiene, and be cautious of download sources, even those traditionally considered safe.
