The Smoke Loader malware is another example of attackers using the hype of a major vulnerability to target victims.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A fake patch for the Intel Spectre and Meltdown chip flaws is actually a front for a malware called Smoke Loader.
- The patch, which claims to come from the German Federal Office for Information Security, is an example of attackers using social engineering in the wake of a high-profile vulnerability to exploit more users.
A fake patch for the massive Spectre and Meltdown chip flaws is actually a front for a piece of malware called Smoke Loader. A fake website that claims to be part of the German Federal Office for Information Security (BSI) is associated with Smoke Loader, according to a Malwarebytes blog post.
In recent years, social engineering efforts by cyber criminals have leveraged headline-grabbing issues in an attempt to infect users. This is especially true of high-profile vulnerabilities. Fake patches and fixes were rampant after the critical WannaCry ransomware attack, so it was only a matter of time before Spectre and Meltdown were used by criminals too.
The fake patch seems aimed at German users, and German authorities warned citizens of such phishing attempts in a post urging users not to open emails with subject lines such as "Critical vulnerability - important update," claiming that it was part of a "spam wave" seeking to exploit users.
Once a user is directed to the fake site, the Malwarebytes post said, they will find a download link to a ZIP archive titled Intel-AMD-SecurityPatch-11-01bsi.zip. This contains a "so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware," the post said.
If a user were to download and run the fake patch, they'd be infected with the Smoke Loader malware. Smoke Loader can retrieve additional payloads, and traffic analyzed by Malwarebytes seems to show it trying to connect to other domains and send encrypted data.
It may also be associated with a fake Adobe Flash Player update, the post noted.
Malwarebytes said in the post that it had reached out to Comodo and Cloudflare regarding the issues, and that Cloudflare has worked to keep the malicious site from resolving.
According to Malwarebytes, this particular threat is interesting because it encourages users to download a patch (which usually solves a security problem), and because the site uses HTTPS. But HTTPS isn't always a sign of a safe website, the post said.
"The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam," the post said.
Additionally, users should always exercise caution when a particular website or email urges a specific action, as it is very rare that a company will reach out to individuals, via their personal email, asking them to apply a patch.
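The two defensive points above, that a TLS certificate says nothing about a site's legitimacy and that a "patch" arriving as an executable inside a ZIP deserves scrutiny, can be turned into a simple triage step for downloaded archives. The following Python script is an added example written for this article; it is not code from Malwarebytes, TechRepublic, or any vendor. It builds a constructed, harmless archive shaped like the one described (a placeholder text file named like a patch executable), lists members whose names look like patch-named executables, and accepts a download only when its SHA-256 matches a hash obtained out of band from the vendor's own advisory. The suffix list, keyword list, and verdict labels are the example's own assumptions.

```python
import hashlib
import hmac
import io
import zipfile
from typing import Dict, List, Optional

# File suffixes that execute on a Windows host when opened (assumed list for
# this example; extend it to match local policy).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd",
                       ".js", ".vbs", ".ps1", ".msi", ".hta")
# Words that lure the user into thinking the file is a legitimate fix.
PATCH_WORDS = ("patch", "update", "fix", "hotfix", "security")


def build_archive(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure described in the article.

    The member content is placeholder text, not an executable, so the
    archive itself is harmless.
    """
    return build_archive({
        "Intel-AMD-SecurityPatch-10-1-v1.exe": b"placeholder, not a real executable",
    })


def suspicious_members(archive_bytes: bytes) -> List[str]:
    """Return archive members that are executables with patch-like names."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(EXECUTABLE_SUFFIXES) and any(w in lower for w in PATCH_WORDS):
                findings.append(name)
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches_published(archive_bytes: bytes, published_sha256: str) -> bool:
    """True only if the download's SHA-256 equals a hash obtained out of band.

    The reference hash must come from the vendor's own advisory or signed
    release notes, never from the page that served the download: HTTPS only
    protects the bytes in transit, it does not vouch for who produced them.
    """
    return hmac.compare_digest(sha256_hex(archive_bytes),
                               published_sha256.strip().lower())


def triage_download(archive_bytes: bytes,
                    published_sha256: Optional[str] = None) -> dict:
    """Classify a downloaded archive before anyone opens it.

    Verdicts (assumed labels for this example):
      accept      - hash matches the vendor-published value
      reject      - a published hash was supplied and did not match
      quarantine  - no published hash, and the archive carries patch-named executables
      unverified  - no published hash and nothing obviously wrong; still do not run it
    """
    flagged = suspicious_members(archive_bytes)
    if published_sha256 is not None:
        verdict = "accept" if hash_matches_published(archive_bytes, published_sha256) else "reject"
    elif flagged:
        verdict = "quarantine"
    else:
        verdict = "unverified"
    return {
        "sha256": sha256_hex(archive_bytes),
        "patch_named_executables": flagged,
        "verdict": verdict,
    }


if __name__ == "__main__":
    sample = build_sample_archive()
    print(triage_download(sample))
```

The important design choice is that the hash comparison is the only path to "accept": a clean-looking member list never upgrades a download, it only decides between "quarantine" and "unverified". In practice the published hash would be pasted from the chip or OS vendor's advisory, which is exactly the out-of-band check that a convincing domain and a valid certificate cannot replace.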