Fake Spectre And Meltdown Patches Spread Smoke Loader Malware
A new variant of the Smoke Loader malware has been observed being distributed via fake patches for the Meltdown and Spectre vulnerabilities.
Fraudulent updates are purported to be from the German Federal Office for Information Security have been used as a delivery mechanism for the malware. The patches claim to fix the recent Intel vulnerabilities and as such are likely to receive greater attention by users.
German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.
Once downloaded, the malware injects itself into explorer.exe before communicating with its Command and Control (C2) server to install the latest version of itself. These updated samples are packaged using a different encryption scheme to make detection harder, before being stored in a hidden subfolder.
Smoke Loader will attempt to maintain persistence through the addition of new registry keys and uses partially encrypted code with redundant jumps as an anti-forensics tool. It also performs environment checks to avoid being executed in a controlled environment and will ensure network connection by connecting to various legitimate sites before initiating C2 communications.
Fake Patch
sicherheit-informationstechnik.bid/Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip
Command And Control Servers
Please block the following domains :-
coolwater-ltd-supportid[.]ru localprivat-support[.]ru service-consultingavarage[.]ru sicherheit-informationstechnik[.]bid
Affected Platforms
Microsoft Windows – All versions
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.