IT security researchers at Palo Alto Networks Unit 42 have identified a new, targeted spear-phishing scheme designed to intercept a genuine, ongoing email conversation between two people and then pose as one of the participants in order to install malware.
The scheme has been named FreeMilk. The researchers describe it as a “limited spear-phishing campaign,” which the security firm discovered in May 2017; despite being limited in volume, it is targeting users around the world.
According to the researchers, this is a sophisticated campaign that exploits CVE-2017-0199, the Microsoft Office and WordPad remote code execution vulnerability. The decoy material is carefully customized for each recipient, which points to a targeted campaign rather than a mass mailing.
Palo Alto also found that the spear-phishing emails were sent from a number of compromised email accounts, all belonging to a legitimate domain located in North East Asia. This suggests that the attacker(s) posed as legitimate senders to deliver infected emails to the recipient. Believing they are still communicating with the original correspondent, the targeted person opens the malicious document, which delivers two malware payloads, named PoohMilk and Freenki.
The primary objective of PoohMilk is to execute the Freenki downloader, while Freenki performs two tasks: first, it collects information about the host, and second, it acts as a second-stage downloader. The malware gathers the MAC address, username, running processes and computer name, and also takes screenshots of the targeted system. This information is transmitted to a C&C server, where the attackers use it to decide which additional malicious software to download.
In some cases, the researchers observed, the PoohMilk loader loads a remote administration tool called N1stAgent. This tool was first seen in 2016 as part of a phishing scheme in which infected emails were disguised as security patches from Hancom.
According to a blog post by the Palo Alto Networks researchers, the attackers built malware that executes only when “a proper argument is given.” They take control of an active conversation and craft a dedicated decoy document for each conversation, based on the hijacked communication.
“We were not able to identify the second stage malware delivered via Freenki downloader during the campaign,” the researchers noted. They did observe C2 infrastructure overlapping with other cases reported by TALOS, but they are not yet certain of the connection.
“We are not conclusive about these connections as the C2 domains were compromised websites and there were several months between the incidents,” the research team stated.