Ongoing Email Exchanges Hijacked in Spear-Phishing Attacks

Malicious actors have injected themselves into ongoing email exchanges in highly targeted spear-phishing attacks aimed at entities across the world, Palo Alto Networks said on Thursday.
An ongoing campaign tracked by the security firm since May involves pieces of malware dubbed PoohMilk, Freenki and N1stAgent. The operation has been named FreeMilk by Palo Alto Networks based on strings found in the malware code.
The attacks observed by Palo Alto were aimed at a bank in the Middle East, an international sporting company, a trademark and intellectual property services firm in Europe, and individuals with indirect ties to an unnamed country in Northeast Asia.
The threat group has leveraged malicious Microsoft Word documents set up to exploit the vulnerability tracked as CVE-2017-0199 in an effort to deliver the first-stage loader PoohMilk and the second-stage downloader Freenki. PoohMilk was spotted delivering the remote administration tool (RAT) N1stAgent.
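As an added example (not code from the article or from Palo Alto Networks), the following Python script shows the kind of triage check a defender can run on incoming Office/RTF attachments for CVE-2017-0199 abuse. It relies on heuristics widely used in published detection rules for that bug, namely the `\objautlink` and `\objupdate` control words and the string `OLE2Link` inside the hex-encoded object data; the indicator set, the function names and the two constructed sample documents are assumptions made for illustration and do not come from the page.

```python
import binascii
import re
from typing import Dict, List

# Marker seen in the OLE object data of CVE-2017-0199 lures (assumption: taken
# from common detection heuristics, not from the article).
OLE2LINK_MARKER = b"OLE2Link"

# RTF control words that together make Word fetch and load a linked object
# as soon as the document is opened (assumption: heuristic indicator set).
CONTROL_WORDS = {
    "objautlink": "object is an automatic OLE link resolved from a URL",
    "objupdate": "object is forced to update (load its link) on open",
}

# Matches the hex payload of an embedded object: {\*\objdata 0105....}
_OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")


def _control_word_present(rtf: bytes, word: str) -> bool:
    """True if \\<word> appears as a whole control word (not as a prefix)."""
    return re.search(rb"\\" + word.encode() + rb"(?![A-Za-z])", rtf) is not None


def _decode_objdata(rtf: bytes) -> List[bytes]:
    """Hex-decode every \\*\\objdata group; skip groups that are not valid hex."""
    blobs = []
    for match in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:          # tolerate a trailing stray nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(binascii.unhexlify(hexstr))
        except binascii.Error:
            continue
    return blobs


def scan_rtf(rtf: bytes) -> Dict[str, object]:
    """Return the indicators found and a verdict for one RTF document."""
    # Obfuscated lures often truncate the header, so only "{\rt" is required.
    if not rtf.lstrip().startswith(b"{\\rt"):
        return {"is_rtf": False, "findings": [], "suspicious": False}

    findings = []
    present = {w: _control_word_present(rtf, w) for w in CONTROL_WORDS}
    for word, why in CONTROL_WORDS.items():
        if present[word]:
            findings.append(f"\\{word}: {why}")

    ole2link = any(OLE2LINK_MARKER in blob for blob in _decode_objdata(rtf))
    if ole2link:
        findings.append("objdata contains 'OLE2Link' (StdOleLink moniker)")

    # Verdict: an auto-updating link object, or any OLE2Link object that is
    # forced to update, is the shape CVE-2017-0199 lures take.
    suspicious = (present["objautlink"] and present["objupdate"]) or (
        ole2link and present["objupdate"]
    )
    return {"is_rtf": True, "findings": findings, "suspicious": suspicious}


# Constructed sample: an RTF lure with an auto-updating link whose object
# data carries the hex-encoded string "OLE2Link" (4F4C45324C696E6B).
SAMPLE_LURE = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
    b"{\\*\\objdata 01050000020000000900000000000000"
    b"4F4C45324C696E6B}}}"
)

# Constructed sample: an ordinary embedded spreadsheet, no link, no update.
SAMPLE_BENIGN = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Excel.Sheet.8}"
    b"{\\*\\objdata 0105000002000000}}}"
)

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = scan_rtf(doc)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The check is deliberately cheap enough to run at the mail gateway; a hit should route the attachment to full sandbox analysis rather than be treated as proof on its own, since the same control words can occur in legitimate documents that link to external objects.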
What makes the FreeMilk campaign interesting is the fact that the attackers delivered the malicious documents by injecting themselves into ongoing email exchanges between the main target and another individual. They hacked into that individual’s email account – likely by stealing their credentials – and identified an in-progress email exchange with the main target.
The attacker then sent the target an email that appeared relevant to the conversation with a malicious document attached to it.
“Unlike phishing or even general spear phishing, this is a highly sophisticated, labor intensive, focused attack,” explained Christopher Budd, Senior Threat Communications Manager at Palo Alto Networks.
“Carrying out a successful conversation hijacking spear phishing attack requires knowing someone that the ultimate target is communicating with, compromising that person’s account, identifying an ongoing email conversation with the ultimate target, crafting an email to appear part of that ongoing email conversation and finally sending it. Even then there’s no guarantee of success since the target may somehow recognize the attack or have sufficient prevention controls in place to prevent the attack from succeeding,” Budd added.
Another interesting aspect of the FreeMilk attacks is that all the malware is designed to only execute successfully if a specific argument is provided, which makes it difficult for automated analysis systems to investigate the threat.
The N1stAgent RAT, which has only been spotted in targeted attacks, was first seen in January 2016 when it was delivered via phishing emails referencing a security patch for the South Korean Hangul word processor developed by Hancom.
Palo Alto Networks has not made any statements regarding attribution, but it’s worth noting that attacks involving Hangul vulnerabilities and documents (HWP) have often been linked to North Korea.
The security firm did point to an August 2016 attack aimed at North Korean defectors in the United Kingdom. The attack, which delivered the Freenki malware, was linked at the time to the North Korean regime.
Researchers also discovered some overlaps in command and control (C&C) infrastructure with a campaign involving the ROKRAT RAT analyzed by Cisco Talos, and an attack analyzed last year by a Singapore-based security firm. However, the connection is not conclusive as the C&C domains were compromised sites and the attacks took place several months apart.