SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
9 Oct 2017

This sneaky phishing attack hijacks your chats to spread malware

Hackers are intercepting legitimate email conversations between individuals and hijacking them to spread malware to corporate networks by using highly-customised phishing messages designed to look as if the victim is still communicating with the person they were originally messaging.

The target still believes they're in contact with the person they were originally messaging, but in fact they have fallen victim to a highly targeted cyber attack and may have infected their network via a malicious attachment.

Attacks using this technique have already infiltrated several networks, including those of a Middle Eastern bank, European intellectual services firms, an international sporting organisation and 'individuals with indirect ties to a country in North East Asia'. Dubbed FreeMilk - after words found in the malware's code - by the Palo Alto Networks Unit 42 researchers who uncovered the campaign, these attacks have been active since at least May 2017.

The attack leverages CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and WordPad parse specially crafted files. Microsoft patched it in April this year, before the campaign began, so only systems that have not applied that update are exposed. The exploit is not the first step, however: the attackers first gain the ability to read a legitimate email exchange, most likely through credential theft, then step into an in-progress conversation with a specific target and send carefully crafted content designed to fool them into opening a malicious document from what they believe to be a trusted source. Once that document is opened on an unpatched system, the exploit gives the attackers full control of it.
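One thing a mail gateway or an incident responder can do with an attachment that arrived in a hijacked thread is check it for the CVE-2017-0199 indicators before anyone opens it. The following Python script is an added example written for this page, not code from the ZDNet article or from Unit 42. It looks for the RTF control words and the OLE2Link class name that exploit documents for this vulnerability typically carry, plus a URL inside the embedded object data. The two documents it scans are constructed stand-ins that reproduce only those indicators and contain no exploit; the host name example.invalid is a placeholder.

```python
"""Heuristic scanner for RTF documents carrying the CVE-2017-0199 pattern.

Added example, not code from the ZDNet article or from Unit 42. Exploit
documents for CVE-2017-0199 are typically RTF files containing an OLE object
marked with the objautlink and objupdate control words, whose hex-encoded
objdata holds the OLE2Link class name and a URL pointing at a remote HTA
payload. The samples below are constructed stand-ins with no working exploit.
"""
import re

# RTF control words that make Word refresh a linked object when the file opens.
OBJECT_FLAGS = (b"\\objautlink", b"\\objupdate")
# Hex payload that follows an objdata control word, up to the next brace.
OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def decode_objdata(rtf: bytes) -> list:
    """Hex-decode every objdata group into raw OLE bytes."""
    blobs = []
    for m in OBJDATA.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # odd length: drop the dangling nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue                 # malformed hex, nothing to decode
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Return the indicators found and a verdict for one RTF document."""
    result = {"flags": [], "ole2link": False, "urls": [], "verdict": "not RTF"}
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return result
    result["flags"] = [f.decode() for f in OBJECT_FLAGS if f in rtf]
    for blob in decode_objdata(rtf):
        # The class name is stored as plain ASCII in the CompObj stream while
        # the link target is a UTF-16LE string, so both encodings are checked.
        if b"OLE2Link" in blob or "OLE2Link".encode("utf-16-le") in blob:
            result["ole2link"] = True
        result["urls"] += [u.decode(errors="replace")
                           for u in ASCII_URL.findall(blob)]
        result["urls"] += [u.decode("utf-16-le", errors="replace")
                           for u in UTF16_URL.findall(blob)]
    if result["ole2link"] and result["urls"] and result["flags"]:
        result["verdict"] = "likely CVE-2017-0199 document"
    elif result["ole2link"] or result["urls"]:
        result["verdict"] = "embedded OLE link, review manually"
    else:
        result["verdict"] = "no CVE-2017-0199 indicators"
    return result


def build_suspicious_sample() -> bytes:
    """Constructed document reproducing only the indicators, not an exploit."""
    ole = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8   # compound-file magic
           + b"OLE2Link" + b"\x00" * 4
           + "http://example.invalid/update.hta".encode("utf-16-le") + b"\x00\x00")
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
            b"{\\*\\objdata " + ole.hex().encode() + b"}}}")


# Constructed benign document: plain text, no embedded object at all.
BENIGN_SAMPLE = b"{\\rtf1\\ansi Quarterly numbers attached, see page 3.}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE),
                      ("suspicious", build_suspicious_sample())):
        print(name, scan_rtf(doc))
```

A clean verdict only means these particular indicators are absent; the actual fix is the April patch, and an attachment from a known correspondent is no reason to skip the scan, which is exactly what the FreeMilk technique relies on.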

Upon successful execution of a FreeMilk phishing attack, two payloads are installed on the target system, which the researchers named PoohMilk and Freenki. PoohMilk's primary objective is to run the Freenki downloader. Freenki has two purposes: collecting information from the host and acting as a second-stage downloader.

The information collected by the malware includes the username, computer name, Ethernet MAC addresses and running processes. Freenki can also take screenshots of the infected system, and everything it gathers is sent to a command-and-control server for the attackers to store and use. Freenki is also capable of downloading further malware to the infected machine, although researchers have so far been unable to identify any additional payloads being dropped.

While the threat actors behind FreeMilk have yet to be formally identified, Unit 42 notes that the PoohMilk loader has been used in earlier attacks, including a January 2016 phishing campaign in which the emails were disguised as a security patch.

Attackers also attempted to distribute Freenki in an August 2016 watering-hole attack on an anti-North Korean government website run by defectors in the United Kingdom. While researchers describe the FreeMilk spear-phishing campaign as limited in the number of attacks carried out, they note that it has targeted a wide range of organisations in different regions across the globe.

But by hijacking legitimate conversations and specially crafting content, the attackers have a high chance of successfully infecting the individual they are targeting within an organisation.


Tags:
fraud information leaks
Source:
ZDNet