This sneaky phishing attack hijacks your chats to spread malware

Victims of the highly-targeted FreeMilk phishing campaign include a bank, a services firm and an international sporting group.
Hackers are intercepting legitimate email conversations between individuals and hijacking them to spread malware to corporate networks by using highly customised phishing messages designed to look as if the victim is still communicating with the person they were originally messaging.

The target still believes they’re in contact with the person they were originally messaging, but in fact they have fallen victim to a highly targeted cyber attack and may have infected their network via a malicious attachment.
Attacks using this technique have already infiltrated several networks, including those of a Middle Eastern bank, European intellectual services firms, an international sporting organisation and ‘individuals with indirect ties to a country in North East Asia’.
Dubbed FreeMilk – after words found in the malware’s code – by the Palo Alto Networks Unit 42 researchers who uncovered the campaign, these attacks have been active since at least May 2017.
The attack leverages CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and WordPad parse specially crafted files – which was subsequently patched in April this year.
The exploit allows attackers to take full control of an infected system – likely through credential theft – then intercept in-progress conversations with specific targets using carefully crafted content designed to fool them into installing malware from what the victim believes to be a trusted source.
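As an added illustration that is not part of the article or of Unit 42's research, here is a small triage heuristic a mail gateway could apply to replies that land in already-known threads: it scores a reply on whether the sender was a prior participant, whether Reply-To diverges from From, and whether the reply introduces an Office or RTF attachment of the kind CVE-2017-0199 was delivered in. The thread table, addresses and the sample message are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (addresses are placeholders): a reply into an existing
# thread that adds an Office attachment and a Reply-To pointing elsewhere.
SAMPLE_REPLY = b"""\
From: Alice Example <alice@partner.example>
Reply-To: alice@partner-mail.example
Subject: RE: Q3 contract draft
Message-ID: <1234@partner.example>
In-Reply-To: <0001@partner.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, updated draft attached as discussed.
--b1
Content-Type: application/msword; name="draft.doc"
Content-Disposition: attachment; filename="draft.doc"

AAAA
--b1--
"""

# Threads seen so far: Message-ID of an earlier mail -> addresses that took part
# (in practice fed from the mail gateway's logs; hypothetical data here).
KNOWN_THREADS = {"<0001@partner.example>": {"alice@partner.example", "bob@corp.example"}}
OFFICE_EXT = (".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx")

def score_reply(raw, threads=KNOWN_THREADS):
    # Returns (score, reasons); each matched signal adds one point.
    msg = email.message_from_bytes(raw, policy=policy.default)
    parent = str(msg.get("In-Reply-To", "")).strip()
    if parent not in threads:
        return 0, ["not a reply to a tracked thread"]
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reasons = []
    if sender not in threads[parent]:
        reasons.append("sender was not a participant in the thread")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != sender:
        reasons.append("Reply-To differs from From")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXT):
            reasons.append(f"Office/RTF attachment in a reply: {name}")
    return len(reasons), reasons
```

A reply sent from a genuinely compromised account passes the participant check, so the attachment-on-reply signal is the one that matters most for this campaign; the score is a triage aid, not a verdict.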
Upon successful execution of a FreeMilk phishing attack, two payloads will be installed on the target system – named PoohMilk and Freenki by researchers.
PoohMilk’s primary objective is to run the Freenki downloader. The purposes of Freenki malware are two-fold – the first is to collect information from the host and the second is to act as a second-stage downloader.
Information collected by the malware includes username, computer name, Ethernet MAC addresses, and running processes. Freenki can also take screenshots of the infected system, with all the information sent to a command server for the attackers to store and use.
Freenki is also capable of downloading further malware to the infected machine, although researchers have so far been unable to identify any additional payloads being dropped.
While the threat actors behind FreeMilk have yet to be formally identified, Unit 42 notes that the PoohMilk loader tool has previously been used to carry out attacks. In January 2016 it was distributed in a phishing campaign whose emails were disguised as a security patch.
Attackers also attempted to distribute Freenki in an August 2016 watering-hole attack on an anti-North Korean government website run by defectors in the United Kingdom.
While researchers describe the FreeMilk spear phishing campaign as limited in the number of attacks carried out, they note that it has a wide range of targets in different regions across the globe.
But by hijacking legitimate conversations and specially crafting content, the attackers have a high chance of successfully infecting the individual within the organisation they’re targeting.