
Ongoing Email Exchanges Hijacked in Spear-Phishing Attacks

Malicious actors have injected themselves into ongoing email exchanges in highly targeted spear-phishing attacks aimed at entities across the world, Palo Alto Networks said on Thursday.

An ongoing campaign tracked by the security firm since May involves pieces of malware dubbed PoohMilk, Freenki and N1stAgent. The operation has been named FreeMilk by Palo Alto Networks based on strings found in the malware code.

The attacks observed by Palo Alto were aimed at a bank in the Middle East, an international sporting company, a trademark and intellectual property services firm in Europe, and individuals with indirect ties to an unnamed country in Northeast Asia.

The threat group has leveraged malicious Microsoft Word documents set up to exploit the vulnerability tracked as CVE-2017-0199 in an effort to deliver the first-stage loader PoohMilk and the second-stage downloader Freenki. PoohMilk was spotted delivering the remote administration tool (RAT) N1stAgent.
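The docx variant of CVE-2017-0199 needs no macro: the document carries a linked OLE object whose relationship points outside the package, and Word resolves that link on open. The following triage script is an added example written for this page; it is not code from the article or from Palo Alto Networks, and it has not been run against the FreeMilk samples. It uses only the standard OOXML part and attribute names, builds its own constructed sample document in memory, and assumes the gateway or sandbox can hand it the raw .docx bytes. The URL in the sample is a placeholder.

```python
import io
import zipfile
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces and relationship types used inside an OOXML (.docx) package.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
OFFICE_NS = "urn:schemas-microsoft-com:office:office"
REMOTE_SCHEMES = ("http:", "https:", "file:", "ftp:", "\\\\")


def external_ole_links(docx_bytes):
    """List (rels part, target) for every oleObject relationship marked
    TargetMode="External". Word resolves such a link when the document is
    opened and hands the fetched content to the handler for its type; that
    is the mechanism CVE-2017-0199 abused."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "Internal").lower() == "external"):
                    hits.append((name, rel.get("Target", "")))
    return hits


def linked_ole_objects(docx_bytes):
    """Return the UpdateMode of each <o:OLEObject Type="Link"> in the body.
    UpdateMode="Always" means Word refreshes the link without prompting."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/document.xml" not in z.namelist():
            return []
        body = ET.fromstring(z.read("word/document.xml"))
    return [o.get("UpdateMode", "") for o in body.iter("{%s}OLEObject" % OFFICE_NS)
            if o.get("Type") == "Link"]


def triage(docx_bytes):
    """Gateway pre-filter verdict: flag when a linked OLE object resolves to a
    remote target. Anything else proceeds to normal analysis."""
    links = external_ole_links(docx_bytes)
    remote = [t for _, t in links if t.lower().startswith(REMOTE_SCHEMES)]
    return {"external_ole_links": links,
            "linked_objects": linked_ole_objects(docx_bytes),
            "flag": bool(remote)}


def build_sample_docx(link_target=None):
    """Construct a minimal .docx in memory (constructed test data, not a real
    sample). With link_target set, the body holds one linked OLE object."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
          '</Types>')
    root_rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" '
                 'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
                 'Target="word/document.xml"/></Relationships>' % PKG_REL_NS)
    body = '<w:p><w:r><w:t>Agenda attached.</w:t></w:r></w:p>'
    doc_rels = '<Relationships xmlns="%s"></Relationships>' % PKG_REL_NS
    if link_target:
        body += ('<w:p><w:r><w:object><o:OLEObject Type="Link" ProgID="Word.Document.8" '
                 'ShapeID="_x0000_i1025" DrawAspect="Content" r:id="rId5" UpdateMode="Always"/>'
                 '</w:object></w:r></w:p>')
        doc_rels = ('<Relationships xmlns="%s"><Relationship Id="rId5" Type="%s" '
                    'Target="%s" TargetMode="External"/></Relationships>'
                    % (PKG_REL_NS, OLE_REL_TYPE, escape(link_target, {'"': "&quot;"})))
    document = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:o="%s" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:body>%s</w:body></w:document>' % (OFFICE_NS, body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; no network access happens, the file is only parsed.
    print(triage(build_sample_docx("http://example.invalid/agenda.doc")))
    print(triage(build_sample_docx()))
```

Two caveats: this covers the .docx shape only, so the RTF variant of the same bug (an `\objdata` stream carrying an OLE2Link object) needs an RTF parser rather than a zip walk; and a flagged document still has to be detonated to learn what the target serves, since the payload lives on the remote side and can be swapped or withheld per victim.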

What makes the FreeMilk campaign interesting is the fact that the attackers delivered the malicious documents by injecting themselves into ongoing email exchanges between the main target and another individual. They hacked into that individual’s email account – likely by stealing their credentials – and identified an in-progress email exchange with the main target.

The attacker then sent the target an email that appeared relevant to the conversation with a malicious document attached to it.

“Unlike phishing or even general spear phishing, this is a highly sophisticated, labor intensive, focused attack,” explained Christopher Budd, Senior Threat Communications Manager at Palo Alto Networks.

“Carrying out a successful conversation hijacking spear phishing attack requires knowing someone that the ultimate target is communicating with, compromising that person’s account, identifying an ongoing email conversation with the ultimate target, crafting an email to appear part of that ongoing email conversation and finally sending it. Even then there’s no guarantee of success since the target may somehow recognize the attack or have sufficient prevention controls in place to prevent the attack from succeeding,” Budd added.
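Because the hijacked account is genuine, SPF, DKIM and reputation checks pass, so detection has to lean on what changes when someone else drives the mailbox. One usable signal is the combination of a reply landing in an established thread, from a correspondent already in it, from a new originating network, and newly carrying an Office document. The script below is an added example for this page, not code from the article or from Palo Alto Networks, and it is a triage heuristic rather than a detector: a sender on webmail shows the provider's address on every hop, so an attacker using the same webmail leaves no network change to see. It assumes a mail store that can replay a thread's raw messages in arrival order; the messages, addresses and IPs are constructed inline.

```python
import email.utils
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# First bracketed IPv4 literal in a Received header, e.g. "(host [203.0.113.5])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
OFFICE_EXT = (".doc", ".docx", ".docm", ".dot", ".rtf")


def originating_network(msg):
    """/24 of the first hop. Relays prepend Received headers, so the last one
    in header order was written by the submission server and names the
    client that handed the message in."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(str(received[-1]))
    return str(ipaddress.ip_network(m.group(1) + "/24", strict=False)) if m else None


def thread_root(msg):
    """Thread identity: first Message-ID in References, else In-Reply-To,
    else the message's own Message-ID (it starts the thread)."""
    refs = str(msg.get("References") or "").split()
    if refs:
        return refs[0]
    return str(msg.get("In-Reply-To") or msg.get("Message-ID") or "")


def office_attachments(msg):
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(OFFICE_EXT)]


def flag_hijack_candidates(raw_messages):
    """Walk messages in arrival order. Flag a reply when this sender has
    already posted in this thread from a different originating network and
    the reply carries an Office document. Returns the flagged records."""
    seen = {}       # (thread root, sender) -> set of /24s seen so far
    flagged = []
    for raw in raw_messages:
        msg = BytesParser(policy=policy.default).parsebytes(raw)
        sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
        key = (thread_root(msg), sender)
        net = originating_network(msg)
        prior = seen.setdefault(key, set())
        is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
        docs = office_attachments(msg)
        if is_reply and prior and net not in prior and docs:
            flagged.append({"message_id": str(msg["Message-ID"]), "sender": sender,
                            "origin": net, "known_origins": sorted(prior),
                            "attachments": docs})
        if net:
            prior.add(net)
    return flagged


def make_message(sender, to, subject, msg_id, client_ip, submit="smtp.partner.example",
                 in_reply_to=None, references=(), attachment=None):
    """Build one constructed RFC 5322 message (test data, not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Message-ID"] = sender, to, subject, msg_id
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    if references:
        m["References"] = " ".join(references)
    # Newest hop first, as on the wire: the recipient MX, then the submission server.
    m["Received"] = ("from %s (%s [198.51.100.25]) by mx.target.example; "
                     "Thu, 5 Oct 2017 09:00:00 +0000" % (submit, submit))
    m["Received"] = ("from client (client.example [%s]) by %s with ESMTPSA; "
                     "Thu, 5 Oct 2017 08:59:00 +0000" % (client_ip, submit))
    m.set_content("Please see below.")
    if attachment:
        m.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 16, maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_bytes()


def sample_thread():
    """Constructed thread: two legitimate turns each, then a reply from the
    partner's address sent from an unfamiliar network with a new .doc."""
    root, r1, r2, r3 = ("<root@partner.example>", "<r1@target.example>",
                        "<r2@partner.example>", "<r3@partner.example>")
    alice, bob = "alice@partner.example", "bob@target.example"
    return [
        make_message(alice, bob, "Contract draft", root, "203.0.113.5"),
        make_message(bob, alice, "Re: Contract draft", r1, "192.0.2.30",
                     submit="smtp.target.example", in_reply_to=root, references=[root]),
        make_message(alice, bob, "Re: Contract draft", r2, "203.0.113.9",
                     in_reply_to=r1, references=[root, r1], attachment="Contract_v2.docx"),
        make_message(alice, bob, "Re: Contract draft", r3, "198.18.0.77",
                     in_reply_to=r2, references=[root, r1, r2], attachment="Contract_final.doc"),
    ]


if __name__ == "__main__":
    for hit in flag_hijack_candidates(sample_thread()):
        print(hit)
```

The third message is not flagged even though it adds a document, because it comes from the network the sender has used before; only the fourth trips all four conditions. In production the "known origins" set should be seeded from the sender's history across all threads, not just the current one, and the verdict should route the message to detonation rather than block it outright.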

Another interesting aspect of the FreeMilk attacks is that all the malware is designed to execute successfully only if a specific command-line argument is provided. Automated analysis systems that launch a sample with no arguments therefore see no malicious behavior, which makes the threat difficult to investigate without the argument observed in the attack.

The N1stAgent RAT, which has only been spotted in targeted attacks, was first seen in January 2016 when it was delivered via phishing emails referencing a security patch for the South Korean Hangul word processor developed by Hancom.

Palo Alto Networks has not made any statements regarding attribution, but it’s worth noting that attacks involving Hangul vulnerabilities and documents (HWP) have often been linked to North Korea.

The security firm did point to an August 2016 attack aimed at North Korean defectors in the United Kingdom. The attack, which delivered the Freenki malware, was linked at the time to the North Korean regime.

Researchers also discovered some overlaps in command and control (C&C) infrastructure with a campaign involving the ROKRAT RAT analyzed by Cisco Talos, and an attack analyzed last year by a Singapore-based security firm. However, the connection is not conclusive as the C&C domains were compromised sites and the attacks took place several months apart.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.