Spear-phishing via Hijacked Email Conversations

Researchers at Palo Alto Networks identified a new spear-phishing campaign, dubbed “FreeMilk.” In this campaign, threat actors intercept an ongoing email conversation between two parties, impersonate one of them, and send the other party messages that carry malicious documents. These documents exploit CVE-2017-0199, a Microsoft Word Office/WordPad remote code execution vulnerability, to deliver two malware payloads: “PoohMilk” and the “Freenki” downloader. PoohMilk runs the Freenki downloader, which collects host information, takes screenshots, and serves as a second-stage downloader. In several cases, PoohMilk was used to load the N1stAgent remote access trojan (RAT). Researchers have not yet identified the second-stage malware delivered by the Freenki downloader. This campaign is ongoing and has targeted a number of organizations, including a Middle Eastern bank, European trademark and intellectual services firms, an international sporting organization, and individuals with ties to a North East Asian nation. The NJCCIC recommends that users and administrators review the Palo Alto Networks report, apply the necessary update to mitigate CVE-2017-0199 if they have not already done so, and educate end users about this and similar threats. Additionally, if end users have received and acted on these emails, run updated antivirus software on the affected system to detect and remove the associated malware, change passwords for accounts accessed from that system, and enable two-factor authentication where available.
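The alert does not describe how CVE-2017-0199 lures can be triaged on the way in. As an added defensive example (not code from the NJCCIC alert or the Palo Alto Networks report), the script below relies on the publicly documented mechanism of that vulnerability: an OLE2Link object whose link target is external, so that Word fetches a remote payload when the document opens. In an Office Open XML package that appears as an `oleObject` relationship with `TargetMode="External"` in a `.rels` part. The function names, the minimal sample packages and the `placeholder.invalid` target are all constructed for this illustration; the check is a triage heuristic for mail-gateway or sandbox pipelines, not a complete detector.

```python
"""Triage check for CVE-2017-0199-style lure documents (added example, not from the page).

The vulnerability abuses an OLE2Link object whose link target is external, so the
document fetches a remote payload on open.  In Office Open XML that is visible as an
oleObject relationship with TargetMode="External" inside a .rels part.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_links(docx_bytes: bytes) -> List[str]:
    """Return the Target of every oleObject relationship marked external.

    Non-OOXML carriers (RTF, legacy binary .doc) are out of scope here and yield [].
    """
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        return []
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: skip it, the rest of the package is still checked
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                # OOXML defaults TargetMode to Internal when the attribute is absent.
                if rel.get("TargetMode", "Internal").lower() == "external":
                    targets.append(rel.get("Target", ""))
    return targets


def is_suspicious(docx_bytes: bytes) -> bool:
    """True when at least one remote OLE link is present."""
    return bool(find_external_ole_links(docx_bytes))


# --- constructed sample packages (minimal stand-ins, not real documents) ----------

def build_sample_docx(rels_xml: str) -> bytes:
    """Assemble a minimal .docx-like zip around the supplied relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# An embedded (internal) OLE object is normal and must not be flagged.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# "placeholder.invalid" is a constructed stand-in; no real host is implied.
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://placeholder.invalid/lure" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        links = find_external_ole_links(build_sample_docx(rels))
        print(f"{label}: {'FLAG' if links else 'ok'} {links}")
```

Because the check keys on the relationship type and target mode rather than on a file hash, it survives trivial re-packing of the lure; pair it with the vendor patch the alert recommends, since blocking one carrier format does not remove the underlying vulnerability.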