IT security researchers at Palo Alto Networks have discovered a new spear-phishing campaign that intercepts an active conversation and hijacks them to spread malware using highly-customised emails designed to look as if they are coming from the original sender. The malware dubbed as FreeMilk is used by the hackers to infiltrate the computers using malicious codes and retrieve confidential information without even getting noticed. The attack leverages CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and Wordpad parse specially crafted files – which was subsequently patched in April this year.
How does FreeMilk affect the victim's system?
Upon successful execution of a FreeMilk phishing attack, two payloads named PoohMilk and Freenkin gets installed on the targeted system. PoohMilk's primary motive is to run the Freenki downloader. Freenki, on the other hand, performs two different task – the first is to collect information from the host and the second is to act as a second-stage downloader which further downloads sophisticated malware.
Information collected by the malware include username, computer name, ethernet MAC addresses, and running processes. Besides this, Freenki can take screenshots of the victim's system, with all the information sent to a command server for the attackers to store and use.
Who is behind FreeMilk?
As of now the actors behind this attack have not been identified. However, the security researchers have found out that “PoohMilk” tool has been previously used in January 2016 in which the phishing emails were disguised as a security patch. Attackers also attempted to distribute “Freeniki” in an August 2016 watering-hole attack on an anti-North Korean government website by defectors in the United Kingdom
How does FreeMilk affect India?
Due to the massive number of inactive, un-patched and outdated windows machines especially in the government & small-medium scale organisations, these series of attacks can be serious for India. All machines that aren't updated with the patch that was released in April are at a severe risk and can aid cyber criminals and state actors in gaining access to even the most sophisticated networks.
“Freemilk is exploiting the CVE-2017-0199 vulnerability in Windows which was patched in April 2017. Therefore, ensure that any computer that has not been patched since before April, 2017 is not allowed to go on your the network,” said Comments from Ankush Johar, Director at HumanFirewall.io, a leading provider of human information security awareness and preparedness solutions.
Users can patch their computers using the official security update if not done already from – https://support.microsoft.com/en-us/help/3141538/description-of-the-security-update-for-office-2010-april-11-2017.
General hygiene for protection from FreeMilk phishing scam
Defending against this kind of attack is rather simple. Following are some key points.
For home users
* Use the latest Operating System.
* Make sure automatic updates are enabled, and downloaded regularly.
* Ensure Firewall is enabled to block all network based attacks.
* Never Click/Download anything on Emails from untrusted sources. Make sure the mail is from a trusted party, only then download the attachments.
* Use a proper, regularly updated Antivirus.
For organisations
* Latest patches must instantly be deployed across the company.
* All pirated / un-patched / outdated devices to be removed (read unplugged) from the network instantly.
* Employees to be trained to detect and protect against Phishing and other such scams.
* Antiviruses ensured to be in place and updated.
