A new spear-phishing campaign dubbed “FreeMilk” hijacks active email conversations to deploy malware. India is at high risk because of its large number of unpatched machines.
IT security researchers have discovered a new spear-phishing campaign that intercepts an active email conversation and hijacks it to spread malware, using highly customised emails designed to look as if they come from the original sender.
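To make the hijack concrete, here is an added Python example (my own illustration, not code from the article or from the researchers who analysed FreeMilk) of the checks a mail gateway can apply to a message that claims to continue an existing thread: does the sender address actually appear earlier in the thread, does the sender domain merely resemble one that does, has the display name previously been used with a different address, does Reply-To point somewhere else, and is an Office/RTF document attached. The thread and the hijacking message are constructed for this example; every name, address and domain in it is fictitious.

```python
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from typing import Dict, List, Set, Tuple

# Attachment types a hijacked-thread lure would typically carry
# (Office/RTF documents are the delivery vehicle for a CVE-2017-0199 exploit).
RISKY_EXT = (".rtf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".hta")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def thread_state(thread: List[EmailMessage]) -> Tuple[Set[str], Set[str], Dict[str, Set[str]]]:
    """What the earlier messages establish: their Message-IDs, every participant
    address, and which addresses each display name has been used with."""
    ids: Set[str] = set()
    addrs: Set[str] = set()
    names: Dict[str, Set[str]] = {}
    for m in thread:
        if m["Message-ID"]:
            ids.add(m["Message-ID"].strip())
        headers = m.get_all("From", []) + m.get_all("To", []) + m.get_all("Cc", [])
        for name, addr in getaddresses(headers):
            addr = addr.lower()
            addrs.add(addr)
            if name:
                names.setdefault(name.strip().lower(), set()).add(addr)
    return ids, addrs, names


def lookalike_domain(domain: str, known: Set[str]):
    """Coarse check: a known domain's first label embedded in ours, or within two edits of it."""
    label = domain.split(".")[0]
    for k in sorted(known):
        klabel = k.split(".")[0]
        if k != domain and (klabel in label or edit_distance(label, klabel) <= 2):
            return k
    return None


def check_reply(thread: List[EmailMessage], new_msg: EmailMessage) -> List[str]:
    """Return the reasons a message that claims to continue `thread` looks hijacked."""
    ids, addrs, names = thread_state(thread)
    refs = set((new_msg.get("In-Reply-To", "") + " " + new_msg.get("References", "")).split())
    if not refs & ids:
        return []  # not a reply into this thread; nothing to compare against
    reasons = []
    name, addr = parseaddr(new_msg["From"])
    name, addr = name.strip().lower(), addr.lower()
    if addr not in addrs:
        reasons.append(f"sender {addr} never appeared in the thread")
        domain = addr.rpartition("@")[2]
        twin = lookalike_domain(domain, {a.rpartition("@")[2] for a in addrs})
        if twin:
            reasons.append(f"sender domain {domain} resembles thread domain {twin}")
    if name and name in names and addr not in names[name]:
        reasons.append(f"display name '{name}' was previously used by {sorted(names[name])}")
    reply_to = parseaddr(new_msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    for part in new_msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            reasons.append(f"attachment {filename} is an Office/RTF document")
    return reasons


def make_msg(frm, to, subject, body, msg_id, in_reply_to=None, reply_to=None, attachment=None) -> EmailMessage:
    """Build a constructed message for the example (all addresses are fictitious)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Message-ID"] = frm, to, subject, msg_id
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"{\\rtf1 placeholder}", maintype="application", subtype="rtf", filename=attachment)
    return m


def build_thread() -> List[EmailMessage]:
    first = make_msg("Alice Example <alice@example.com>", "Bob Partner <bob@partner.example>",
                     "Q3 figures", "Hi Bob, could you send me the Q3 numbers?", "<a1@example.com>")
    reply = make_msg("Bob Partner <bob@partner.example>", "Alice Example <alice@example.com>",
                     "Re: Q3 figures", "Sure, I will send them tomorrow.", "<b1@partner.example>",
                     in_reply_to="<a1@example.com>")
    return [first, reply]


def build_hijack() -> EmailMessage:
    # The attacker replies into the thread as "Alice" from a look-alike domain,
    # with Reply-To pointing elsewhere and an RTF attachment as the lure.
    return make_msg("Alice Example <alice@example-corp.com>", "Bob Partner <bob@partner.example>",
                    "Re: Q3 figures", "Bob, the figures are attached, please confirm.",
                    "<x1@example-corp.com>", in_reply_to="<b1@partner.example>",
                    reply_to="alice.example@mail.example", attachment="Q3_figures.rtf")


if __name__ == "__main__":
    thread = build_thread()
    print("legitimate reply:", check_reply(thread[:1], thread[1]))
    for reason in check_reply(thread, build_hijack()):
        print("hijack:", reason)
```

None of these signals is conclusive on its own (a contact can legitimately change mailbox), which is why the function returns every reason it finds and leaves the quarantine decision to policy; the domain resemblance test is deliberately coarse and should be backed by an allow-list of partner domains in production.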
The campaign, which the researchers dubbed “FreeMilk”, is used to infiltrate computers with malicious code and retrieve confidential information without being noticed.
The attack leverages CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and WordPad parse specially crafted files, which Microsoft patched in April this year. On a machine that lacks that update, opening the crafted attachment is enough to run the attacker’s code.
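As an added illustration (not code from the article or from the researchers who analysed FreeMilk), here is a Python scanner for the document shape in which CVE-2017-0199 is commonly exploited: an RTF whose embedded OLE object is an auto-updating link carrying a URL moniker, so that merely loading the object makes Office fetch a remote payload. The article does not describe the FreeMilk lure document itself, so the sample the scanner checks is constructed for this example, the URL in it is a placeholder, and the indicators are heuristics for triage rather than a full parser for every exploit variant.

```python
import binascii
import re
import sys
from typing import List

# CLSID of the standard URL moniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B},
# byte-ordered as it is serialised inside an OLE object stream. Its presence in
# an embedded object means the object resolves a remote URL when it is loaded.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# \objdata holds the embedded OLE object as hex text, usually wrapped at 64 columns.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# UTF-16LE "http://" or "https://" followed by printable characters.
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Decode every \\objdata hex blob in the document into raw bytes."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        hexdata = hexdata[: len(hexdata) // 2 * 2]  # drop a dangling nibble
        if hexdata:
            blobs.append(binascii.unhexlify(hexdata))
    return blobs


def find_urls(blob: bytes) -> List[str]:
    """Pull UTF-16LE URLs out of a decoded object, the form a URL moniker stores them in."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_URL_RE.finditer(blob)]


def scan_rtf(rtf: bytes) -> dict:
    result = {
        "objupdate": b"\\objupdate" in rtf,    # object is refreshed as soon as the file opens
        "objautlink": b"\\objautlink" in rtf,  # object is a link, not embedded data
        "url_moniker": False,
        "ole2link": False,
        "urls": [],
    }
    for blob in extract_objdata(rtf):
        result["url_moniker"] = result["url_moniker"] or URL_MONIKER_CLSID in blob
        result["ole2link"] = result["ole2link"] or b"OLE2Link" in blob
        result["urls"].extend(find_urls(blob))
    # A link object carrying a URL moniker is the CVE-2017-0199 shape; an
    # auto-updating OLE2Link object alone is suspicious enough to hold for review.
    result["suspicious"] = result["url_moniker"] or (result["ole2link"] and result["objupdate"])
    return result


def build_sample() -> bytes:
    """Constructed document in the CVE-2017-0199 shape (not a real FreeMilk lure);
    the URL is a placeholder and the leading OLE header bytes are arbitrary."""
    obj = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"OLE2Link\x00" + URL_MONIKER_CLSID
           + "http://example.invalid/update.hta".encode("utf-16-le") + b"\x00\x00")
    hexdata = binascii.hexlify(obj)
    wrapped = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + wrapped + b"}}\\par Quarterly figures attached.\\par}")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in scan_rtf(data).items():
        print(f"{key:12} {value}")
```

Run it with a file path to scan a real attachment, or with no arguments to scan the constructed sample. The URL it extracts is the immediate next hop to block and to pivot on in proxy logs; patched Office builds no longer execute the fetched content automatically, but the document is still worth quarantining because it identifies the lure.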
How does FreeMilk affect the victim’s system?
Upon successful execution of a FreeMilk phishing attack, two payloads, PoohMilk and Freenki, get installed on the targeted system.
PoohMilk’s primary purpose is to run the Freenki downloader. Freenki performs two tasks: it collects information from the host, and it acts as a second-stage downloader that fetches further, more sophisticated malware.
The information collected includes the username, computer name, Ethernet MAC addresses and running processes. Freenki can also take screenshots of the victim’s system, and everything is sent to a command-and-control server for the attackers to store and use.
Who is behind this?
So far the actors behind this attack have not been identified. However, the researchers found that the PoohMilk tool was previously used in January 2016, in a campaign whose phishing emails were disguised as a security patch.
Attackers also attempted to distribute Freenki in an August 2016 watering-hole attack on an anti-North Korean government website run by defectors in the United Kingdom.
How does this affect India?
Because of the massive number of inactive, unpatched and outdated Windows machines, especially in government and in small and medium-sized organisations, this series of attacks could be devastating for India. Every machine that has not received the patch released in April is at severe risk and could give cyber criminals and state actors a foothold into even the most sophisticated networks.