FreeMilk Phishing Scam Hijacks Active Email Conversations to Deploy Malware

October 7th, 2017 Waqas Security, Malware, Phishing Scam, Scams and Fraud 0 comments

The IT security researchers at Palo Alto Networks Unit 42 have discovered a new, targeted spear-phishing scheme designed to intercept genuine ongoing email conversations between people and then pose as one of the participants in order to install malware.

The scheme has been named FreeMilk; the researchers describe it as a “limited spear-phishing campaign,” which the security firm discovered in May 2017. Its scope is nonetheless wide, as it targets users around the world.

According to the researchers, this is a sophisticated campaign that exploits CVE-2017-0199, the Microsoft Office/WordPad remote code execution vulnerability. The decoy material is carefully customized for each recipient, which indicates a targeted campaign.
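As an added example (not from the article or from Unit 42), a small Python triage check for the publicly documented RTF form of CVE-2017-0199, which the article itself does not detail: it decodes the RTF `\objdata` hex blobs and looks for the "OLE2Link" class name together with the URL Moniker CLSID. The two RTF fixtures are constructed for the test and carry no working payload; the marker values are taken from public analyses of the vulnerability, not from this page.

```python
import re

# Markers of the public CVE-2017-0199 RTF form (assumption: taken from public analyses,
# not from the article): an OLE1 object whose class name is "OLE2Link" and whose payload
# carries the URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, little-endian.
OLE2LINK = b"OLE2Link"
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)", re.IGNORECASE)


def decode_objdata(rtf: bytes) -> list:
    """Return the decoded binary blob of every \\objdata control word in an RTF file."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:            # tolerate a dangling nibble from sloppy writers
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue                   # not hex after all; skip this object
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Flag an RTF that embeds an OLE2Link object pointing at a URL moniker."""
    findings = {"objautlink": b"\\objautlink" in rtf, "objupdate": b"\\objupdate" in rtf,
                "ole2link": False, "url_moniker": False}
    for blob in decode_objdata(rtf):
        findings["ole2link"] |= OLE2LINK in blob
        findings["url_moniker"] |= URL_MONIKER_CLSID in blob
    # Both markers together are the strong signal; the control words alone are common.
    findings["suspicious"] = findings["ole2link"] and findings["url_moniker"]
    return findings


def build_fixture(include_link: bool) -> bytes:
    """Constructed test RTF (not a real sample): OLE1 header, class name, marker bytes."""
    cls = b"OLE2Link\x00" if include_link else b"Package\x00"
    payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + len(cls).to_bytes(4, "little") + cls
    if include_link:
        payload += b"\x00" * 16 + URL_MONIKER_CLSID + b"http://example.invalid/placeholder\x00"
    body = payload.hex().encode("ascii")
    return (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + body + b"}}}")


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_rtf(build_fixture(flag)))
```

Real detonation-free triage would run `scan_rtf` over every RTF or RTF-disguised .doc attachment pulled from mail quarantine; it is a static heuristic, so a hit warrants sandboxing rather than a verdict on its own.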

Palo Alto also identified that the spear-phishing emails are being sent from a number of compromised email accounts, all belonging to a legitimate domain located in North East Asia. This suggests that the attacker(s) posed as legitimate senders to deliver infected emails to the recipient. Believing they are still communicating with that individual, the target would open the malicious documents, which deliver two powerful malware payloads, PoohMilk and Freenki.

The primary objective of PoohMilk is to execute the Freenki downloader, while Freenki performs two different tasks: first, it collects information about the host, and second, it acts as a second-stage downloader. The malware obtains the MAC address, username, active processes and computer name, and also takes screenshots of the targeted system. The information is then transmitted to a C&C server, where the attackers receive it and use it to download further malicious software.

In some cases, researchers observed the PoohMilk loader loading a remote administration tool called N1stAgent. This tool was first seen in 2016 as part of a phishing scheme in which infected emails disguised as Hancom security patches were sent.

According to a blog post from Palo Alto Networks researchers, the attackers have created malware that executes only when “a proper argument is given”; they take control of an active conversation and craft a dedicated decoy document for each one, based upon the hijacked communication.

“We were not able to identify the second stage malware delivered via Freenki downloader during the campaign,” the researchers noted. They did notice C2 infrastructure overlapping with some other cases reported by Talos, but they are not yet certain of the connection.

“We are not conclusive about these connections as the C2 domains were compromised websites and there were several months between the incidents,” stated the research team.


Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism


HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.