Spear-phishers hijack in-progress conversation in highly-targeted attack

News by Rene Millman

Middle-eastern bank, international sporting organisation and Asian individuals were victims of a highly-targeted attack that interrupted an in-progress conversation using compromised credentials.

A spear-phishing campaign has been discovered that launched attacks against a bank based in the Middle East and an international sporting organisation.

According to a blog post by security researchers at Palo Alto Network, the attacks also targeted a trademark and intellectual property service companies based in Europe as well as individuals with indirect ties to a country in North East Asia.

Dubbed “Freemilk” the campaign use the  CVE-2017-0199 Microsoft Word Office/WordPad Remote Code Execution Vulnerability with carefully crafted decoy content customised for each target recipient.

Researchers said that spear-phishing emails came from multiple compromised email accounts tied to a legitimate domain in North East Asia. 

“We believe that the threat actor hijacked an existing, legitimate in-progress conversation and posed as the legitimate senders to send malicious spear-phishing emails to the recipients,” said Juan Cortes and Esmid Idrizovic, security researchers at Palo Alto Network's Unit 42 group.

They said that upon successful exploitation, the malicious document delivered two malware payloads PoohMilk and Freenki. Analysis showed that PoohMilk is the first stage loader. After a successful exploitation, it sets persistence in the registry with the appropriate command line argument to execute the second stage payload, in this case, Freenki.

Researchers added that Freenki has two main purposes. The first is to collect host information and the other is to serve as a second stage downloader. Freenki collects the host's MAC address. 

“This is converted to a hex-string and is appended to each request to its C2 [server]. This value is likely to be used as an ID to identify the victim to the attacker. It is important to note that each request is postfix with an additional identifier followed by the MAC address,” said researchers.

They added that on multiple occasions, they observed the PoohMilk loader being used to load another remote administration tool we call N1stAgent.

“N1stAgent is not widely used and appears to be solely used in targeted attacks. It is well known for its first appearance made in the phishing campaign in January 2016. N1stAgent was delivered via phishing emails disguised as Hancom's security patch,” added researchers.

The researchers said that the FreeMilk spear-phishing campaign is still ongoing, and is a campaign with a limited but wide range of targets in different regions

“The threat actor tried to stay under the radar by making malware that only executes when a proper argument is given, hijacked an existing email conversation and carefully crafted each decoy document based on the hijacked conversation to make it look more legitimate,” the researchers said.

The added that they were  not able to identify the second stage malware delivered via Freenki downloader during the campaign but did notice some C2 infrastructure overlap with other cases previously mentioned by TALOS and a private researcher

“However, we are not conclusive about these connections as the C2 domains were compromised websites and there were several months between the incidents,” they warned.

Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media that companies need to make sure that access to their domain accounts is restricted and under tight control. Updating all server-side software and services with their latest security updates and patches guarantees that attackers cannot leverage known vulnerabilities to compromise the integrity of those domains.

“Also, an organisation should consider implementing DKIM (DomainKeys Identified Mail) to avoid impersonation attacks. This ensures that the email that passes through the email server is signed, and that signature guarantees that the message contents the recipient gets are the same as what was sent.”

John Wilson, field CTO at Agari, told SC Media UK that Instead of looking for signs of malicious activity, defences should be built around identifying good behaviour

“With the aid of machine learning, it is possible to analyse millions of legitimate emails to build a model of what real, genuine user behaviour should look like. Once a model has been established, potentially malicious activity which deviates from the pattern can be identified – even if the criminals are using new tactics.”

Crime & Threats

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews