Fake Meltdown and Spectre patches deliver Smoke Loader malware

by Gabriel E. Hall

Hackers distribute fake Spectre and Meltdown patches to infect computers with Smoke Loader malware

Fraudulent Spectre and Meltdown patches hold Smoke Loader malware

While the Meltdown and Spectre vulnerabilities affect almost every computer, criminals have decided to profit from them by creating fake updates that carry Smoke Loader malware. German authorities have found a phishing site operating under the name of the German Federal Office for Information Security (BSI)[1].

The site not only contains information about the consequences of the Meltdown and Spectre CPU bugs but also offers a link to a ZIP archive with the supposed “patch.” This fraudulent website is not connected to any German governmental or otherwise legitimate authority, and it distributes Smoke Loader malware.

The Intel-AMD-SecurityPatch-11-01bsi.zip archive holds the SmokeLoader executable disguised under the name Intel-AMD-SecurityPatch-10-1-v1.exe. Once opened, it starts its malicious activity, connecting to suspicious domains and sending encrypted information[2].

Even though experts have already contacted CloudFlare and Comodo about this phishing site and it has been taken down, there are several reports of malspam campaigns that deliver the same malicious link to the fake Meltdown and Spectre patch[3]. Users are therefore advised to take precautionary measures to protect their systems.

Reasons why Smoke Loader is considered dangerous malware

Like most high-risk computer threats, SmokeLoader is able to download additional payloads and hide its presence. First, it injects itself into explorer.exe and removes the original executable file. From that point on, the explorer.exe process starts making new network connections.

Furthermore, the malware installs a new version of itself downloaded from its Command-and-Control servers. The updated copy uses a different crypter and may contact different servers from the ones mentioned above[4]. It is then saved in a hidden %APPDATA% subfolder. This makes the malicious program hard to detect on the compromised system.

SmokeLoader also changes the timestamp of its main executable so that it does not show up in searches for recently modified files. On top of that, it keeps downloading extra plug-ins to support its malicious activity. It is almost impossible for a regular computer user to identify such a cyber threat, so it is crucial to raise awareness of how users can protect their systems.
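The two hiding tricks described above (a hidden %APPDATA% subfolder and a backdated executable) leave a detectable trace: a file whose modification time is far earlier than its inode-change/creation time has had its timestamp reset after it was written. The following scanner is an added example, not code from the article or from Smoke Loader; the one-hour threshold, the folder names and the sample tree it builds are assumptions, and the dropper name is taken from the article.

```python
# Added example: flag backdated executables under hidden %APPDATA% subfolders.
# Heuristic: mtime far earlier than st_ctime (inode change / creation time) means
# the timestamp was reset after writing. Threshold and folder names are assumptions.
import os
import stat
import tempfile
import time
from pathlib import Path

SUSPECT_EXT = {".exe", ".dll", ".scr"}
BACKDATE_THRESHOLD = 3600  # seconds of mtime-before-ctime skew treated as suspicious

def is_hidden(path):
    # Leading dot (POSIX) or FILE_ATTRIBUTE_HIDDEN (Windows).
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))

def looks_timestomped(path, threshold=BACKDATE_THRESHOLD):
    # Honest writes update mtime and ctime together; a large gap means backdating.
    st = path.stat()
    return (st.st_ctime - st.st_mtime) > threshold

def scan_appdata(root, threshold=BACKDATE_THRESHOLD):
    # Return executables that sit below a hidden subfolder of root and look backdated.
    root, hits = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXT:
            continue
        ancestors = [root / p for p in path.relative_to(root).parents if str(p) != "."]
        if any(is_hidden(a) for a in ancestors) and looks_timestomped(path, threshold):
            hits.append(path)
    return hits

def build_demo(tmp):
    # Constructed sample tree: one backdated dropper in a hidden folder, one honest updater.
    tmp = Path(tmp)
    bad = tmp / ".Roaming-Cache" / "Intel-AMD-SecurityPatch-10-1-v1.exe"
    bad.parent.mkdir(parents=True)
    bad.write_bytes(b"MZ constructed sample, not a real binary")
    os.utime(bad, (time.time() - 365 * 86400,) * 2)  # atime/mtime a year back; ctime stays "now"
    good = tmp / "Vendor" / "updater.exe"
    good.parent.mkdir(parents=True)
    good.write_bytes(b"MZ constructed sample, not a real binary")
    return tmp

def run_demo():
    # Build the sample tree in a temp dir and return the file names the scan flags.
    with tempfile.TemporaryDirectory() as tmp:
        return [p.name for p in scan_appdata(build_demo(tmp))]
```

To use it on a real profile, call `scan_appdata(os.environ["APPDATA"])` and review the hits by hand; the heuristic also fires on legitimately restored files, so it is a triage signal rather than a verdict.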

Tips to avoid malware infiltration

First of all, note that criminals often take advantage of popular topics like the Spectre and Meltdown bugs to trick gullible people into installing malware themselves. You should therefore pay attention to your behavior online and avoid visiting suspicious websites or clicking on ads.

Usually, the phishing site or advertisement is made to look entirely legitimate. Do not fall into the crooks' trap: double-check any file you intend to download with professional security software. Also note that even an accidental click on an ad might lead to a malware infection[5]. Thus, stay away from any commercial content online.

Additionally, most malicious programs are distributed via spam emails that carry a bogus attachment containing the malware. If you receive an email from a person you do not know or from a company you do not recognize doing business with, delete it immediately.

Even if the message seems to come from a well-known software developer, in most cases it is a fraudulent email. Never open suspicious attachments, and download software updates only from the official vendor if you want to protect your system.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
