“FreeMilk Used for New Phishing Bait!”

Redport Information Assurance
No, this is not a dairy product being used in the latest phishing campaigns. "FreeMilk" is the name Palo Alto Networks' Unit 42 gave to a newly discovered spear-phishing campaign in which the attackers insert themselves into an ongoing e-mail conversation. The comparison to a Man-in-the-Middle (MitM) attack is loose: rather than silently relaying traffic between two parties, the threat actors take over one side of the exchange and pose as that participant in order to trick the other party into opening a malicious attachment.

The campaign exploits a known Microsoft Office remote code execution vulnerability, CVE-2017-0199, and the decoy document is customized for each target. Because the target believes he or she is still conversing with the original correspondent, the attachment arrives with the credibility of an established thread. The attachment carries two malware payloads, named "PoohMilk" and "Freenki". PoohMilk's role is to run the Freenki downloader. Freenki collects reconnaissance information about the victim's system, including MAC addresses, usernames, computer names and running processes, and it can take screenshots and send them to remote command-and-control (C&C) servers, so that the operators can decide whether to download additional malware onto the machine.

Redport IA, LLC's CEO, Mr. Steve Reinkemeyer, states that the FreeMilk campaign has been continuous and ongoing. The campaign has been observed targeting a very wide range of victims across several regions.

There is no mitigation specific to FreeMilk beyond standard hygiene. Users and system administrators should stay abreast of the threat, apply the vulnerability patches published on Microsoft's security site (CVE-2017-0199 was patched in April 2017), and treat any attachment that arrives in the middle of a conversation with suspicion, even when it appears to come from a known correspondent.
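The thread-hijack pattern described above can be surfaced with a simple mailbox heuristic. The following Python is an added example, not code from the original post or from Unit 42; it assumes a conversation is available as a list of `email.message.EmailMessage` objects in chronological order, and the three-message sample thread, its names, addresses and file name are all constructed for illustration. It flags a message whose display name matches an earlier participant but whose address is new to the thread, and lists any Office or RTF attachments on that message, since the FreeMilk lure is a malicious document.

```python
"""Heuristic detection of a hijacked e-mail thread (added example).

Assumption: the thread is supplied in chronological order as
email.message.EmailMessage objects. The sample thread at the bottom is
constructed for this example; no real addresses or files are involved.
"""
from email.message import EmailMessage
from email.utils import parseaddr

# Document types used as lures in the campaign described above.
OFFICE_EXTENSIONS = (".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx")


def sender_of(msg):
    """Return (display name, address), both lower-cased, from the From header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    return name.strip().lower(), addr.strip().lower()


def office_attachments(msg):
    """File names of attached Office/RTF documents on one message."""
    names = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(OFFICE_EXTENSIONS):
            names.append(fname)
    return names


def find_hijack_indicators(thread):
    """Flag messages whose display name matches an earlier participant
    but whose address has not been used in this thread before.

    Returns a list of dicts with the message index, the display name,
    the new address, the addresses previously seen for that name, and
    any Office/RTF attachments carried by the flagged message.
    """
    known = {}  # display name -> set of addresses seen so far
    findings = []
    for index, msg in enumerate(thread):
        name, addr = sender_of(msg)
        if name and name in known and addr not in known[name]:
            findings.append({
                "index": index,
                "display_name": name,
                "address": addr,
                "known_addresses": sorted(known[name]),
                "office_attachments": office_attachments(msg),
            })
        known.setdefault(name, set()).add(addr)
    return findings


def _mail(from_, to, subject, body, attachment=None):
    """Build one EmailMessage; attachment is (filename, bytes) or None."""
    msg = EmailMessage()
    msg["From"] = from_
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        fname, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg


def build_sample_thread():
    """Constructed sample: two legitimate exchanges, then a look-alike
    sender joins the thread from a new domain with a .doc attachment."""
    alice = '"Alice Liu" <alice.liu@example.com>'
    bob = '"Bob Park" <bob.park@partner.example>'
    impostor = '"Alice Liu" <alice.liu@example-mail.net>'  # same name, new domain
    return [
        _mail(alice, bob, "Q3 contract", "Bob, the attached terms look fine to me."),
        _mail(bob, alice, "Re: Q3 contract", "Thanks Alice, I will circulate them."),
        _mail(impostor, bob, "Re: Q3 contract",
              "Bob, one more revision, please review the attached.",
              # placeholder bytes standing in for a document lure
              attachment=("contract_final.doc", b"\xd0\xcf\x11\xe0placeholder")),
    ]


if __name__ == "__main__":
    for hit in find_hijack_indicators(build_sample_thread()):
        print(hit)
```

The display-name check deliberately ignores the In-Reply-To and References headers: a hijacked reply carries perfectly valid threading headers, because the attacker is answering a real message. A name that suddenly maps to a new address is the signal that survives, and an attached Office document on that same message is what raises it from curiosity to incident.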

By Dr. Randall Sylvertooth

Sources:
http://www.ibtimes.co.uk/what-freemilk-hackers-use-new-phishing-campaign-hijack-email-conversations-deploy-malware-1642221
https://support.microsoft.com/en-us/products/security


For more information about Redport's information assurance and cyber security services, visit www.redport-ia.com, email us at info@redport-ia.com, like us on Facebook, and follow us on Twitter @redport_ia.

Gaithersburg, MD, USA