Smoke Loader Malware Disguised As Spectre / Meltdown Patch

Malwarebytes Labs published an article regarding malware posing as Spectre / Meltdown patches. At the beginning of the year, Google announced three vulnerabilities in the design of most modern day micro processors, commonly referred to as Spectre and Meltdown. Always looking for an angle to infect the unwary, cybercriminals have taken advantage of the major processor vendors telling their customers to download and install patches by supplying malicious patches of their own. German authorities discovered a site listed as "German Federal Office for Information Security" that is currently engaging in a phishing campaign to infect visitors. The site does contain information regarding the Spectre / Meltdown vulnerabilities, but it also has a "patch" available for download. The "patch" is called Intel-AMD-SecurityPatch-11-01bsi.zip and actually contains the executable for Smoke Loader, a malware package that is used to download other malicious malware, stored under the name "Intel-AMD-SecurityPatch-10-1-v1.exe". Once the victim has executed this fake patch, it begins to contact its command and control server for additional instructions.

Malwarebytes quickly contacted Comodo and Cloudflare to inform them of this threat. Cloudflare took the site down within minutes to prevent further infections by the unwary. Malwarebytes also noted that the "Subject Alternative Name " field within the suspicious site SSL certificate listed other domain names that have previously been linked to fake Adobe Flash Player updates.

Indicators of Compromise:
Country

• Germany

Attack Type

• Phishing email leading to fake Spectre / Meltdown patches (Smoke Loader malware)

Estimated Impact

• If infected, Smoke Loader can download and install other malware packages
• System compromise

Indicators of CompromiseSHA-256

• CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C

Domains

• sicherheit-informationstechnik.bid
• coolwater-ltd-supportid.ru
• localprivat-support.ru
• service-consultingavarage.ru

Malware used

• Smoke Loader

Recommendations

• Beware of suspicious, unsolicited emails
• Always download patches / updates from the vendor's site

References

• https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/
• https://www.2-spyware.com/fake-meltdown-and-spectre-patches-deliver-smoke-loader-malware
• IBM Threat Exchange