Organizations around the world have fallen victim to a highly-targeted phishing campaign which intercepts ongoing email threads to customize messages and spread malware.
Hackers are intercepting legitimate email conversations between individuals and hijacking them to spread malware to corporate networks by using highly-customized phishing messages designed to look as if the victim is still communicating with the person they were originally messaging.
The target still believes they’re in contact with the person they were originally messaging, but in fact they have fallen victim to a highly targeted cyber attack and may have infected their network via a malicious attachment.
Attacks using this technique and have already infiltrated several networks, including those of a Middle Eastern bank, European intellectual services firms, an international sporting organization and ‘individuals with indirect ties to a country in North East Asia’
Dubbed FreeMilk – after words found in the malware’s code – by the Palo Alto Networks Unit 42 researchers who uncovered the campaign, these attacks have been active since at least May 2017.
The attack leverages CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and Wordpad parse specially crafted files – which was subsequently patched in April this year.
The exploit allows attackers to take full control of an infected system – likely through credential theft – then intercept in-progress conversations with specific targets using carefully crafted content designed to fool them into installing malware from what the victim believes to be trusted source.
Upon successful execution of a FreeMilk phishing attack, two payloads will be installed on the target system – named PoohMilk and Freenki by researchers.
PoohMilk’s primary objective is to run the Freenki downloader. The purposes of Freenki malware are two-fold – the first is to collect information from the host and the second is to act as a second-stage downloader.
Information collected by the malware include username, computer name, ethernet MAC addresses, and running processes. Freenki can also take screenshots of the infected system, with all the information sent to a command server for the attackers to store and use.
Freenki is also capable of downloading further malware to the infected machine, although researchers have so far been unable to identify any additional payloads being dropped.
While the threat actors behind FreeMilk have yet to be formally identified, Unit 42 notes that the PoohMilk loader tool has previously been used to carry out attacks. One campaign saw it distributed in a phishing campaign which saw emails disguised as a security patch in January 2016.
Attackers also attempted to distribute Freeniki in an August 2016 watering-hole attack on an anti-North Korean government website by defectors in the United Kingdom
While researchers describe the FreeMilk spear phishing campaign as limited in the number of attacks carried out, they note that it has a wide range of targets in different regions across the globe.
But by hijacking legitimate conversations, and specially crafting content, the attackers have a high-chance of successfully infecting the individual within the organization they’re targeting.