What is FreeMilk? Hackers use new phishing campaign to hijack email conversations and deploy malware

Security researchers have discovered a new sneaky targeted spear-phishing campaign used by hackers to intercept ongoing email conversations between individuals and hijack them to deploy malware. Palo Alto Networks Unit 42 researchers said the sophisticated campaign, dubbed FreeMilk, uses the CVE-2017-0199 Microsoft Word Office or WordPad Remote Code Execution Vulnerability with carefully crafted decoy content customised for each target recipient.

In this attack, threat actors intercept a legitimate, ongoing conversation between two recipients and pose as one of them using messages that seem as if the victim is still communicating with the original person they were emailing.

While the target believes that he/she is still contacting the recipient, the threat actor sends phishing emails carrying malicious documents to deliver two malware payloads called PoohMilk and Freenki to infect the targeted system.

PoohMilk's main goal is to run the Freenki downloader. Freenki, on the other hand, has two purposes – to collect host information and to serve as a second-stage downloader.

The malware then collects the host's MAC address, username, computer name and running processes. Freenki is also able to take screenshots of the infected system and send them over to a command server for the threat actors to exploit and download additional malicious software.

In a number of instances, researchers said the PoohMilk loader was used to load N1stAgent, a remote administration tool that was first seen in a phishing campaign in 2016 that used phishing emails disguised as Hancom's security patch.

In August 2016, threat actors attempted to distribute Freeniki using a watering-hole attack on an anti-North Korean government website operated by defectors in the UK.

"The FreeMilk spear phishing campaign is still ongoing, and is a campaign with a limited but wide range of targets in different regions," researchers said.

Using this technique, hackers have been able to infiltrate several networks already, including those of a Middle Eastern bank, European trademark and intellectual services firms, an international sporting organisation and "individuals with indirect ties to a country in North East Asia".

"The threat actor tried to stay under the radar by making malware that only executes when a proper argument is given, hijacked an existing email conversation and carefully crafted each decoy document based on the hijacked conversation to make it look more legitimate," researchers said.

"We were not able to identify the second stage malware delivered via Freenki downloader during the campaign," they added.

The researchers also noticed some C2 infrastructure overlap with other cases mentioned by TALOS and another private researcher.

"However, we are not conclusive about these connections as the C2 domains were compromised websites and there were several months between the incidents," they said.