Malwarebytes issued an alert that fake Meltdown and Spectre patches are spreading “Smoke Loader Malware”

Fake Meltdown & Spectre patches

By now you have probably heard of Meltdown and Spectre. These attacks exploit a design loophole in Intel, AMD and Radeon chipsets.

The Smoke Loader malware acts like the Kedi RAT in most respects.

News of the Meltdown and Spectre bugs spread like wildfire, and where there is mass panic there is an opportunity for opportunists. Companies, websites, server farms and people like you and me immediately took action.

Hackers identified this opportunity and quickly came up with a fake Spectre and Meltdown patch which, instead of patching anything, installs malware on your system.

Malwarebytes issued a warning about this and advised that you install such patches from official websites only.

As of now, these fake patches are limited to German websites, but the trend will catch on very soon. The patches are hosted on SSL (HTTPS) sites, which makes the site look legitimate to the common user and helps defraud them.

The main thing these apps and trojans steal is your data. There are also many legitimate-looking apps on the Play Store that actually steal your data.

In the Malwarebytes case study, the culprit site pretends to be the official site of the German Federal Office for Information Security (BSI).

Smoke Loader Malware

Smoke Loader is classified as a Trojan, a variant of Dofoil. Microsoft classifies it as a threat of category “Severe”.

The Smoke Loader Trojan is capable of the following actions on your system:

  • Smoke Loader may copy itself into the Windows startup folder under names such as
    • <startup folder>\dxdiag.exe
    • <startup folder>\lxdiag.exe
    • <startup folder>\ctfmon.exe
    • <startup folder>\gefreg.exe
  • Some variants of its predecessor Dofoil may copy themselves into the %appdata% folder using system file names
    • %appdata%\csrss.exe
    • %appdata%\smss.exe
  • Smoke Loader then uses compromised system processes such as system32.exe and explorer.exe to download and upload information. So as long as normal system processes are running, your data keeps being uploaded to the attacker’s C&C server.

Following are the known servers from which Dofoil downloads files. These servers may or may not be the original base of operations; there is also a chance that they are themselves infected.

  • 01eqyc.com
  • 0bv2ga.com
  • 123getos.tk
  • 3b3estudio.com
  • addimgs.com
  • aman-shhhids.com
  • anub.net
  • averaph.com
  • bgnt.net
  • blpk.net
  • bzsx.net
  • carsero.com
  • demorollz.com
  • derj.net
  • dnsfiarf<obfuscated>ktorylockup.in
  • domialepof.ru
  • elit333.net
  • feelingmoney.com
  • fkhfgfg.tk
  • gme.cz.cc
  • goodtraff.com
  • goodyeartiresisgood.in
  • helplinuxnow.tk
  • hithere.vv.cc
  • hmbpcomanyweb431.com
  • hxlb.net
  • in-in.in
  • interviewbuy.ru
  • kaza.cz.cc
  • linuxhelpnow.tk
  • mailaccaunt1.co.cc
  • mailsystem256.co.cc
  • megasexf<obfuscated>k.com
  • mialedot.ru
  • mialepromo.ru
  • miminoprost.net
  • minakala.com
  • msantispam-srv2.com
  • myldrpanel.com
  • news-banner-net.com
  • oemsoftbox.com
  • passportu.cn
  • phe-phe.com
  • plyx.net
  • polidoli200.com
  • popirosa.tk
  • porohh.net
  • profmiale.ru
  • pytt.net
  • sacv.net
  • sancan.in
  • searchgood.net
  • searchnew.net
  • ssn-much.com
  • suhont.com
  • summer-ciprys.com
  • system16286.in
  • systemupdatewins.in
  • teonflex1.tk
  • thedomonisterioster.info
  • traffic-send-poli.in
  • tynv.net
  • ventoushd.net
  • www.capodeicapi.eu
  • www.helplinuxnow.org
  • xyxyxy.ru
  • yostat100.ru
  • zastolbis.ru
  • zdesestvareznezahodi.com
  • znakomie10.ru
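As an added example (not from Malwarebytes, Microsoft or the original article), the following Python script turns the two indicator sets above into a check a defender can run: it flags the startup-folder and %appdata% file names Smoke Loader and Dofoil use when they sit in those user-writable folders, and it scans DNS-query log lines for lookups of the listed download domains (or their subdomains). The file paths, the log lines and their `query=` format, the function names and the subset of domains embedded are all constructed for the example; the `<obfuscated>` entries in the list cannot be matched and are left out.

```python
"""Match host artifacts and DNS-query log lines against the Smoke Loader /
Dofoil indicators listed on this page (added example, not vendor tooling).
Paths, log lines and the query= log format are constructed for illustration."""
import re
from typing import Iterable, List, Optional, Tuple

# File names the page lists as Smoke Loader drop locations in the startup folder
# and as Dofoil drop locations in %appdata%. ctfmon.exe, csrss.exe and smss.exe
# are legitimate names in C:\Windows\System32, so only their presence in these
# user-writable folders is treated as an indicator.
STARTUP_NAMES = {"dxdiag.exe", "lxdiag.exe", "ctfmon.exe", "gefreg.exe"}
APPDATA_NAMES = {"csrss.exe", "smss.exe"}

# A subset of the download domains listed on this page; paste the full list in
# for real use. The <obfuscated> entries cannot be matched and are omitted.
DOFOIL_DOMAINS = {
    "01eqyc.com", "0bv2ga.com", "123getos.tk", "systemupdatewins.in",
    "msantispam-srv2.com", "mailsystem256.co.cc", "helplinuxnow.tk",
    "linuxhelpnow.tk", "www.helplinuxnow.org",
}


def _norm(path: str) -> str:
    """Lower-case a Windows path and use '/' so comparisons work on any OS."""
    return path.replace("\\", "/").rstrip("/").lower()


def suspicious_files(startup_dir: str, appdata_dir: str,
                     listing: Iterable[str]) -> List[str]:
    """Return every path in `listing` that is an IoC file name sitting directly in
    the startup folder or in %appdata%. The listing is passed in (e.g. collected
    with os.scandir on the host) so the check can run offline against sample data."""
    startup_n, appdata_n = _norm(startup_dir), _norm(appdata_dir)
    hits = []
    for path in listing:
        folder, _, name = _norm(path).rpartition("/")
        if (folder == startup_n and name in STARTUP_NAMES) or \
           (folder == appdata_n and name in APPDATA_NAMES):
            hits.append(path)
    return hits


def matches_ioc(hostname: str) -> Optional[str]:
    """Return the listed domain that `hostname` equals or is a subdomain of,
    otherwise None. A trailing dot (FQDN form) is tolerated."""
    h = hostname.lower().rstrip(".")
    for dom in DOFOIL_DOMAINS:
        if h == dom or h.endswith("." + dom):
            return dom
    return None


# Constructed log format: "<timestamp> host=<name> query=<hostname>".
QUERY_RE = re.compile(r"query=([A-Za-z0-9.-]+)")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (log line, matched IoC domain) for each lookup of a listed domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        dom = matches_ioc(m.group(1)) if m else None
        if dom:
            hits.append((line.strip(), dom))
    return hits


# Constructed sample data for one workstation.
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
APPDATA_DIR = r"C:\Users\alice\AppData\Roaming"
SAMPLE_LISTING = [
    STARTUP_DIR + r"\dxdiag.exe",          # IoC: dxdiag.exe in the startup folder
    STARTUP_DIR + r"\OneDrive.lnk",        # benign startup shortcut
    APPDATA_DIR + r"\csrss.exe",           # IoC: csrss.exe in %appdata%
    r"C:\Windows\System32\csrss.exe",      # legitimate csrss.exe, not flagged
]
SAMPLE_DNS_LOG = [
    "2018-01-15T10:02:11Z host=WS-042 query=www.microsoft.com",
    "2018-01-15T10:02:15Z host=WS-042 query=cdn.systemupdatewins.in",
    "2018-01-15T10:02:16Z host=WS-042 query=mailsystem256.co.cc.",
    "2018-01-15T10:03:00Z host=WS-017 query=helplinuxnow.example",
]

if __name__ == "__main__":
    for p in suspicious_files(STARTUP_DIR, APPDATA_DIR, SAMPLE_LISTING):
        print("suspicious file:", p)
    for line, dom in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"lookup of listed domain {dom}: {line}")
```

The file check deliberately matches on the folder as well as the name: the same names are legitimate in System32, so a bare name match would produce false positives. The domain check matches subdomains too, because a dropper typically does not contact the bare apex name, and it strips the trailing dot that DNS logs often record.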

Keep yourself updated with the latest developments in the tech world: follow Techscoop.in on Facebook, Twitter and Google+.

By Sushant Bhargav (Tech News)