Smoke Loader: Fake Meltdown and Spectre patches found infecting PCs with malicious new malware

As technology giants and users scramble to address the critical Meltdown and Spectre vulnerabilities affecting nearly every modern CPU worldwide, hackers have been found deploying fake patches to distribute malicious malware called Smoke Loader. While some patches have not behaved as expected, Malwarebytes researchers have identified a website that purports to offer detailed information about the flaws and how it affects users.

The SSL-enabled phishing site "sicherheit-informationstechnik.bid" targets German users and is designed to look like it's managed by the German Federal Office for Information Security (BSI). The phony website also includes a link to a ZIP archive that claims to contain the patch for the recently disclosed vulnerabilities.

However, the so-called patch "Intel-AMD-SecurityPatch-10-1-v1.exe" is actually laced with malware.

"Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads," lead malware intelligence analyst Jerome Segura wrote in a blog post.

Once the malicious payload is downloaded and run on the infected system, the file attempts to connect to various domains, load other payloads and send encrypted information, he said.

"The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update."

Malwarebytes notified Comodo and Cloudflare about the phony website which was then taken offline within minutes.

Segura says hackers are constantly looking to take advantage of anxious users, particularly during widely publicised events, using phishing attacks. German authorities have already warned users to be wary of phishing emails involving the much-discussed Meltdown and Spectre bugs.

"This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise," he wrote. "It's always important to be cautious, especially when urged to perform an action (i e calling Microsoft on a toll-free number, or updating a piece of software) because there's a chance that such requests are fake and intended to either scam you or infect your computer.

"There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it's always good to verify this information via other online resources or friends first."

He also warned that websites using HTTPS may not always be necessarily trustworthy or safe.

"The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam," he added.