Do not trust Google when downloading this well-known program: this way you avoid putting your entire computer at risk


On most occasions we use the Google search engine to locate all types of information and applications on the Internet. Here we find a series of entries that we can click on, some of them highlighted and promoted by the company itself. However, we cannot always trust these results, or at least their origin.

We mention this because a significant malicious campaign has just been detected that targets CPU-Z, a program that has been widely used for years. The campaign promotes a malicious version of this application through the featured results that Google shows in its searches.

This means that the attacker behind the campaign is abusing Google ads to distribute a malicious version of CPU-Z, the popular tool for viewing PC hardware. Its main objective is to distribute the Redline malware, which steals all types of information from victims. This new campaign was detected by experts from the security firm Malwarebytes.

In fact, just a few days ago we told you about a similar malicious campaign that used the well-known text editor Notepad++ for the same purpose. Experts at Malwarebytes think that the same backup infrastructure that was used at that time to distribute malicious code is now being used again. What’s more, this is not the first time that something similar has happened with this same software solution.

Therefore, the best thing we can do right now is be careful if we plan to download this program that analyzes various components of our computer.

How to avoid falling into the trap when downloading CPU-Z

To give you a better idea of what is happening, the malicious advertisement we found for CPU-Z is hosted on a cloned copy of a legitimate news website. The attackers want to take advantage of the popularity of this software so that users download it from that cloned website, which then delivers their malware to the victims’ computers.


When we click on the advertisement for the cloned, malicious news website, the link redirects us to another fake website and also tricks Google’s anti-abuse trackers. To stay safe, we only have to pay attention to the URL of the supposed news page we have reached to download the program. We will immediately realize that we are on a fake cloned website that we should completely distrust.

When we click on the download button, we receive a digitally signed program installer in MSI format. It contains a malicious PowerShell script that acts as a loader for the FakeBat malware.

The attacker’s aim here is to deceive users who are familiar with news sites that host download links. Another very useful way to avoid the risk is to use the official CPU-Z website if we need to download the program at this time.
