This sneaky phishing attack hijacks your chats to spread malware

Victims of the highly targeted FreeMilk phishing campaign include a bank, a services firm and an international sporting group.
Hackers are intercepting legitimate email conversations between individuals and hijacking them to spread malware to corporate networks by using highly-customised phishing messages designed to look as if the victim is still communicating with the person they were originally messaging.
The target still believes they’re in contact with the person they were originally messaging, but in fact they have fallen victim to a highly targeted cyber attack and may have infected their network via a malicious attachment.
Attacks using this technique have already infiltrated several networks, including those of a Middle Eastern bank, European intellectual services firms, an international sporting organisation and ‘individuals with indirect ties to a country in North East Asia’.
Dubbed FreeMilk – after words found in the malware’s code – by the Palo Alto Networks Unit 42 researchers who uncovered the campaign, these attacks have been active since at least May 2017.
The attack leverages CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and Wordpad parse specially crafted files – which was subsequently patched in April this year.
The exploit allows attackers to take full control of an infected system – likely through credential theft – then intercept in-progress conversations with specific targets using carefully crafted content designed to fool them into installing malware from what the victim believes to be a trusted source.
Upon successful execution of a FreeMilk phishing attack, two payloads will be installed on the target system – named PoohMilk and Freenki by researchers.
PoohMilk’s primary objective is to run the Freenki downloader. The purposes of Freenki malware are two-fold – the first is to collect information from the host and the second is to act as a second-stage downloader.
Information collected by the malware include username, computer name, ethernet MAC addresses, and running processes. Freenki can also take screenshots of the infected system, with all the information sent to a command server for the attackers to store and use.
Freenki is also capable of downloading further malware to the infected machine, although researchers have so far been unable to identify any additional payloads being dropped.
While the threat actors behind FreeMilk have yet to be formally identified, Unit 42 notes that the PoohMilk loader tool has previously been used to carry out attacks. In one campaign, in January 2016, it was distributed via phishing emails disguised as a security patch.
Attackers also attempted to distribute Freenki in an August 2016 watering-hole attack on an anti-North Korean government website run by defectors in the United Kingdom.
While researchers describe the FreeMilk spear phishing campaign as limited in the number of attacks carried out, they note that it has a wide range of targets in different regions across the globe.

But by hijacking legitimate conversations and specially crafting content, the attackers have a high chance of successfully infecting the targeted individual within the organisation.