TechRadar
Sead Fadilpašić

'This is not your typical run-of-the-mill malware': CPUID download page hacked and tools replaced with links to malicious files

  • CPUID.com briefly compromised to serve malware
  • Tainted downloads used DLL sideloading with CRYPTBASE.dll
  • Sophisticated Trojan deployed, flagged by 20 AV engines

CPUID.com, a popular website for PC diagnostics tools, has confirmed it was compromised and used to serve malware.

"Investigations are still ongoing, but it appears that a secondary feature (basically a side API) was compromised for approximately six hours between April 9 and April 10, causing the main website to randomly display malicious links (our signed original files were not compromised)," the project's maintainers told BleepingComputer. The breach was found and has since been fixed.

In other words, CPUID's own signed binaries were not tampered with; the site was instead serving links to different, malicious files. Victims would still have believed they were downloading legitimate software.

Not your typical malware

Researchers from Kaspersky found that the download links for the following tools were tainted:

CPU-Z (version 2.19)
HWMonitor Pro (version 1.57)
HWMonitor (version 1.63)
PerfMonitor (version 2.04)

The modified packages bundled a legitimate, signed executable with a malicious DLL named 'CRYPTBASE.dll'. Because the executable loads that DLL from its own directory before the Windows system copy, the attacker's code runs under the signed program's name (DLL sideloading).

"The malicious DLL is responsible for C2 [command and control] connection and further payload execution. Prior to this, it also performs a set of anti-sandbox checks and, if all the checks have passed, it connects to the C2 server," Kaspersky said.
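The sideloading pattern described above is easy to screen for once a download has been extracted. The script below is an added example written for this article, not code from CPUID, Kaspersky or vxunderground: it walks a directory tree and flags every executable that sits beside a DLL whose name collides with a Windows system library, reporting the DLL's SHA-256 so it can be looked up on VirusTotal or compared with a vendor-published hash. CRYPTBASE.dll is the name from the incident; the other DLL names in the list, the sample file names and the placeholder file contents are assumptions for illustration.

```python
"""Heuristic scanner for DLL-sideloading bundles.

Added example for this article, not code from CPUID, Kaspersky or vxunderground.
The tainted CPUID downloads paired a legitimately signed EXE with a rogue
CRYPTBASE.dll dropped next to it, so the Windows loader picked the attacker's
DLL from the application directory instead of the system copy.  This script
walks an extracted download and flags every directory that holds an .exe
together with a DLL whose name collides with a well-known system DLL.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# CRYPTBASE.dll is the name used in the CPUID incident.  The remaining names
# are assumed additions: system DLLs that are frequently abused the same way.
SYSTEM_DLL_NAMES = {
    "cryptbase.dll", "version.dll", "dbghelp.dll", "winhttp.dll",
    "wtsapi32.dll", "uxtheme.dll", "propsys.dll",
}

# Constructed placeholder contents for the demo tree (not real binaries).
SAMPLE_EXE_BYTES = b"MZ placeholder for a signed vendor executable"
SAMPLE_DLL_BYTES = b"MZ placeholder for a rogue CRYPTBASE.dll"
SAMPLE_DLL_SHA256 = hashlib.sha256(SAMPLE_DLL_BYTES).hexdigest()


def sha256_of(path):
    """Stream a file through SHA-256 so large installers need not be read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(root):
    """Return one finding per (exe, suspicious DLL) pair in the same directory.

    Each finding is a dict with the directory (relative to root), the exe name,
    the DLL name and the DLL's SHA-256.
    """
    root = Path(root)
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower() in SYSTEM_DLL_NAMES)
        if not exes or not dlls:
            continue  # a lone DLL or a lone EXE is not a sideloading pair
        for dll in dlls:
            dll_path = Path(dirpath) / dll
            for exe in exes:
                findings.append({
                    "dir": str(Path(dirpath).relative_to(root)),
                    "exe": exe,
                    "dll": dll,
                    "sha256": sha256_of(dll_path),
                })
    return findings


def build_sample_tree(base):
    """Create a constructed download layout: one tainted bundle and one clean one.

    The file names are illustrative, not the real CPUID distribution layout.
    """
    base = Path(base)
    tainted = base / "cpu-z_tainted"
    clean = base / "hwmonitor_clean"
    tainted.mkdir()
    clean.mkdir()
    (tainted / "cpuz.exe").write_bytes(SAMPLE_EXE_BYTES)
    (tainted / "CRYPTBASE.dll").write_bytes(SAMPLE_DLL_BYTES)
    (clean / "hwmonitor.exe").write_bytes(SAMPLE_EXE_BYTES)
    (clean / "readme.txt").write_bytes(b"nothing to see here")
    return base


def demo():
    """Build the sample tree in a temp directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_sideload_candidates(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(f"[!] {hit['dir']}: {hit['exe']} sits beside {hit['dll']} "
              f"(sha256 {hit['sha256']})")
```

Run it against a real extracted download by calling `find_sideload_candidates("C:\\path\\to\\extracted")`. A hit is not proof of compromise, but a legitimate application very rarely needs to ship its own CRYPTBASE.dll; on Windows the natural follow-up is `Get-AuthenticodeSignature` on the flagged DLL and a hash comparison with the copy in `C:\Windows\System32`.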

At the same time, researchers from Igor’s Labs and vxunderground said the malware was rather sophisticated.

“As I began poking this with a stick, I discovered this is not your typical run-of-the-mill malware,” stated vxunderground.

“This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.”

The website has since been cleaned up. VirusTotal shows that currently 20 antivirus engines are flagging the malware - some call it “Tedy Trojan”, others “Artemis Trojan”. It seems to be an infostealer.
