Cyber-criminals are using interest in the recent Meltdown and Spectre chip vulnerabilities to trick users into downloading malware disguised as security patches, according to Malwarebytes.
The SSL-enabled phishing site is spoofed to look like one managed by the German Federal Office for Information Security (BSI), explained the vendor’s lead malware intelligence analyst, Jérôme Segura.
This fake domain links to a ZIP archive which appears to contain a patch for the recently disclosed chip flaws (Intel-AMD-SecurityPatch-10-1-v1.exe) but is in fact malware.
“Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information,” Segura explained.
“The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.”
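The pivot Segura describes, reading the Subject Alternative Name extension of one phishing certificate to find the sibling hosts it also covers, is simple to reproduce. The script below is an added example, not code from the Malwarebytes write-up: it builds a throwaway self-signed certificate with a constructed SAN list (the hostnames are placeholders, not the campaign's real .bid infrastructure) and then extracts every DNS name from it with the `openssl` command-line tool, which it assumes is installed.

```shell
#!/bin/sh
# Added example (not from the Malwarebytes report): generate a self-signed
# certificate carrying several SubjectAltName entries, then list those names
# the way an analyst would when pivoting from one phishing host to the rest
# of the infrastructure covered by the same certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/key.pem"
CERT="$WORK/cert.pem"

# Constructed SAN list (hypothetical names): a BSI-lookalike host plus two
# siblings, mirroring the "fake patch" / "fake Flash update" pairing in the text.
SANS="DNS:sicherheit-bsi.example,DNS:update.example,DNS:flashplayer.example"

# Minimal OpenSSL config so the SAN extension is emitted on any OpenSSL version
# (the newer -addext flag would do the same on OpenSSL 1.1.1+).
cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no
[dn]
CN = sicherheit-bsi.example
[v3_san]
subjectAltName = $SANS
EOF

# Key and certificate in one step; output is noise for this demonstration.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$KEY" -out "$CERT" -config "$WORK/san.cnf" >/dev/null 2>&1

# san_hosts CERTFILE: print one DNS SAN per line, sorted.
# The extension is printed by -text as a header line followed by a line of
# comma-separated "DNS:host" entries, which is what the pipeline picks apart.
san_hosts() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' \
    | sort
}

# sibling_count CERTFILE: how many SAN hosts differ from the certificate's CN,
# i.e. how many additional hosts one certificate hands you to investigate.
sibling_count() {
  cn=$(openssl x509 -in "$1" -noout -subject \
         | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  san_hosts "$1" | grep -v -x "$cn" | wc -l | tr -d ' '
}

san_hosts "$CERT"
echo "siblings to investigate: $(sibling_count "$CERT")"
```

Run against a certificate saved from a live site (for example with `openssl s_client -connect host:443 -showcerts`), the same `san_hosts` function gives the list of names worth blocking or hunting for in proxy logs before they are put to use.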
Thanks to a speedy response to Malwarebytes from CloudFlare, the site was effectively taken out of action.
“There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it’s always good to verify this information via other online resources or friends first,” Segura warned.
He added that users should not trust sites just because they are protected with HTTPS.
“The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam,” he explained.
The issue spotted by Malwarebytes has been flagged by the German authorities, but similar tactics could be used to trick users in other countries.
This all comes amid existing challenges for IT administrators surrounding the legitimate patches that have been released so far to mitigate Meltdown and Spectre.
Microsoft warned that an emergency fix it issued in the first week of January was incompatible with some AV tools and may even cause Blue Screen of Death errors on affected machines.