A technique called FreeMilk has been used by hackers to hijack email conversations

Security researchers from Palo Alto Networks Unit 42 have discovered a new, complex technique that hackers have used to hijack ongoing email conversations, injecting malicious documents that appear to come from a legitimate source and thereby reaching other targets who share the same conversation thread.

The campaign has been named FreeMilk, and the Palo Alto researchers describe it as a “limited spear-phishing campaign” that they first observed in May 2017. Although limited in volume, the campaign is wide in reach, targeting users around the world.

According to researchers:
“The threat actor leveraged the CVE-2017-0199 Microsoft Word Office/WordPad Remote Code Execution Vulnerability with carefully crafted decoy content customized for each target recipient. Our research showed that the spear phishing emails came from multiple compromised email accounts tied to a legitimate domain in North East Asia.”

The main goal of FreeMilk is to execute the Freenki downloader, which performs two separate tasks: it collects data about the host, and it acts as a second-stage downloader. The malware collects the MAC address, username, active processes and machine name, and also takes screenshots of the targeted system. The data is sent to a C&C server, where the hackers receive it and use it to decide which additional malicious software to download.
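Because the article names CVE-2017-0199 as the delivery vector, a mail gateway can triage incoming reply attachments for the document-level markers that public detections associate with that exploit class. The following is an added example, not code from the article or from Unit 42; it checks RTF attachments for an OLE2Link object that carries a URL Moniker CLSID or auto-update flags, and the two RTF samples are constructed fixtures (the "malicious" one contains only the marker bytes, not a working exploit).

```python
import re

# CLSID of the URL Moniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, written as the
# little-endian GUID bytes that appear inside hex-encoded \objdata payloads.
URL_MONIKER_CLSID_HEX = "e0c9ea79f9bace118c8200aa004ba90b"
# "OLE2Link" as ASCII hex, the class name found in the embedded object header.
OLE2LINK_ASCII_HEX = "OLE2Link".encode().hex()  # 4f4c45324c696e6b

# One RTF \object group: its control words up to and including the hex \objdata.
OBJECT_RE = re.compile(r"\\object\b(?P<hdr>.*?)\\objdata\s*(?P<hex>[0-9A-Fa-f\s]+)", re.S)


def scan_rtf(rtf: bytes) -> dict:
    """Return CVE-2017-0199-style indicators found in an RTF attachment."""
    text = rtf.decode("latin-1")
    found = {"ole2link": False, "url_moniker": False, "auto_update": False}
    for m in OBJECT_RE.finditer(text):
        hdr = m.group("hdr").lower()
        hexdata = re.sub(r"\s+", "", m.group("hex")).lower()
        if "ole2link" in hdr or OLE2LINK_ASCII_HEX in hexdata:
            found["ole2link"] = True
        if URL_MONIKER_CLSID_HEX in hexdata:
            found["url_moniker"] = True
        # \objupdate / \objautlink make Word refresh the link (and fetch the remote
        # object) as soon as the document is opened.
        if "\\objupdate" in hdr or "\\objautlink" in hdr:
            found["auto_update"] = True
    found["suspicious"] = found["ole2link"] and (found["url_moniker"] or found["auto_update"])
    return found


# Constructed fixtures: marker bytes only, no remote reference or payload.
MALICIOUS_SAMPLE = (
    "{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass OLE2Link}"
    "{\\*\\objdata 0105000002000000 " + OLE2LINK_ASCII_HEX + " 00000000 "
    + URL_MONIKER_CLSID_HEX + " 00}}}"
).encode("latin-1")
BENIGN_SAMPLE = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0105000002000000}}}"

if __name__ == "__main__":
    print("malicious:", scan_rtf(MALICIOUS_SAMPLE))
    print("benign:   ", scan_rtf(BENIGN_SAMPLE))
```

A hit should quarantine the message for analyst review rather than block outright, since the compromised sender accounts described above will pass ordinary sender-reputation checks.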

