Cybercrime

Fake Meltdown/Spectre Patch Installs Malware

Cybercriminals are already taking advantage of the massive attention the recently detailed Meltdown and Spectre CPU flaws have received, in an attempt to trick users into installing malware instead, Malwarebytes warns.

Made public in early January, Meltdown and Spectre are two new side-channel attack methods against modern processors and are said to impact billions of devices. Based on vulnerabilities at the CPU level, the flaws allow malicious apps to access data as it is being processed, including passwords, photos, documents, emails, and the like.

Chip makers and vendors were alerted to the bugs last year, and some started working on patches for their users several months ago, but waited for a coordinated public disclosure set for last week. Apple, Microsoft, Google, Canonical, and IBM are just a few of the vendors that have already deployed patches.

Soon after the patches began rolling out, however, attacks taking advantage of the Meltdown/Spectre fever surfaced. One of them, Malwarebytes reports, is targeting German users with the SmokeLoader malware.

The attack was spotted soon after German authorities issued a warning that phishing emails trying to take advantage of the infamous bugs had started to appear.

The emails appeared to come from the German Federal Office for Information Security (BSI), and Malwarebytes discovered a domain that also posed as the BSI website. Recently registered, the SSL-enabled phishing site isn’t affiliated with a legitimate or official government entity, but attempts to trick users into installing malware.

The website offers an information page that supposedly provides links to resources about Meltdown and Spectre, but it also links to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) that contains malware instead of the promised security patch.

Once a user downloads and runs the file, the SmokeLoader malware, which is capable of downloading and running additional payloads, is installed. The security researchers have observed the threat attempting to connect to various domains and sending encrypted information.
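The lure described above combines two observable traits: a host that name-drops the BSI without being under its real domain, and an archive whose filename promises a security patch. The following detection is an added example, not code from the article or from Malwarebytes; it runs over constructed proxy log lines, treats bsi.bund.de as the assumed legitimate BSI domain, and uses made-up lookalike hostnames, since the article does not name the fraudulent .bid domain.

```python
import re
from urllib.parse import urlparse

# Assumed legitimate BSI domain (not stated in the article).
LEGIT_BSI_DOMAINS = {"bsi.bund.de"}

# Constructed proxy log lines: timestamp user method url status. Hostnames are invented.
SAMPLE_PROXY_LOG = """\
2018-01-15T09:12:01Z alice GET https://www.bsi.bund.de/DE/Home/home_node.html 200
2018-01-15T09:15:44Z bob GET https://sicherheit-bsi-update.bid/Intel-AMD-SecurityPatch-11-01bsi.zip 200
2018-01-15T09:16:02Z carol GET https://websites.example.com/assets/logo.png 200
2018-01-15T09:20:30Z dave GET https://bsi-warnung.bid/flashplayer_update_de.zip 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# "bsi" must be a whole label or a dash-separated token; this avoids matching "websites".
BSI_TOKEN_RE = re.compile(r"(^|[.-])bsi([.-]|$)")
PATCH_NAME_RE = re.compile(r"securitypatch|patch|update|flash", re.I)


def is_legit_bsi_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_BSI_DOMAINS)


def classify_url(url):
    """Return the reasons a URL matches the fake-patch lure pattern, or [] if it does not."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.lower().rsplit("/", 1)[-1]
    if BSI_TOKEN_RE.search(host) and not is_legit_bsi_host(host):
        reasons.append("host references BSI but is not under the legitimate BSI domain")
    if filename.endswith(".zip") and PATCH_NAME_RE.search(filename):
        reasons.append("archive download named like a security patch")
    return reasons


def flag_downloads(log_text):
    """Parse proxy log lines and return the requests that match the lure pattern."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than failing the whole run
        _ts, user, _method, url, _status = match.groups()
        reasons = classify_url(url)
        if reasons:
            hits.append({"user": user, "url": url, "reasons": reasons})
    return hits
```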

By analyzing the SSL certificate used by the fraudulent domain, the security researchers discovered other properties associated with the .bid domain, including a German template for a fake Adobe Flash Player update.

The security researchers have already contacted Comodo and CloudFlare to report the fraudulent website, and the domain stopped resolving within minutes after CloudFlare was informed of the issue.

“Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise,” Malwarebytes concludes.

Related: Microsoft Patches for CPU Flaws Break Windows, Apps

Related: Meltdown Patch Broke Some Ubuntu Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
