SmokeLoader Malware Found Spreading via Fake Meltdown/Spectre Patches

In early January, researchers revealed the technical details of Meltdown and Spectre, two vulnerabilities found in modern CPUs. The researchers said that billions of devices were at risk, allowing malicious apps to access data as it is being processed. While chip makers and vendors were alerted of the threats last year, some of them began work on patches several months ago but waited for a coordinated public disclosure set. Apple, Microsoft, and Google have deployed the necessary patches to prevent further damage from these attacks.

Meltdown affects Intel processors and allows hackers privileged access to parts of a computer memory used by an application or program and the operating system. On the other hand, Spectre affects processors such as Intel, Advanced Micro Devices (AMD), and Advanced RISC Machine (ARM), permitting attackers to steal information in the kernel/cached files or data such as passwords and login keys of running programs stored in the memory.

However, users should be careful when downloading patches as cybercriminals are already taking advantage of the news surrounding Meltdown and Spectre. One type of malware that is targeting German users is the SmokeLoader malware which was spotted following a warning given by German authorities on phishing emails.

These emails come from the German Federal Office for Information Security (BSI). According to researchers, the domain contains an SSL-enabled phishing site that is not affiliated with any legitimate government entity but tricks users into installing malware. The website has a page that links to resources on Meltdown and Spectre, but also contains links to a ZIP archive with malware. Once a user downloads and runs the file, SmokeLoader is installed. It then downloads and runs additional payloads. Researchers also said that the malware attempts to connect to various domains and sends out encrypted information.

Beware of malicious email attachments

In some Business Email Compromise (BEC) attacks, attached files no longer contain executables but HTML pages. Because anti-spam can flag suspicious-looking emails that contain executable files, HTML is harder to detect, as it poses no immediate threat unless the page is verified to be a phishing page. Moreover, phishing pages can easily be coded and deployed and can run on any platform.

While phishing remains one of the oldest scams on the internet, it is still a significant problem for individuals and organizations. In fact, the Phishing Working Group reported that the second quarter of 2016 had the most number of unique phishing sites detected.

There are some things users can do to avoid phishing attacks. These include:

  • Be wary of individuals or organizations that ask for personal information.
  • Verify the sender’s display name when checking the legitimacy of an email.
  • Verify with sources before downloading files, even if they come from seemingly trustworthy sources.
  • Check for mismatched URLs and avoid clicking on any links in emails unless you are certain that it is a legitimate link.
  • Check for grammatical errors or mistakes. Legitimate companies will hire proofreaders and editors to ensure that their material is error-free.
  • Never be intimidated by messages that contain an alarmist tone.
  • Check for signs of a phishing attempt in the email message. A generic subject and greeting could be a sign that it's a phishing email.
  • Enable built-in protection for email clients to filter messages.
  • Take note of any unusual information in the text of the message.
  • If it seems suspicious, there is a good chance it probably is. Avoid sending out personally identifiable information through messages and emails to unverified recipients.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.