Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Ongoing Email Exchanges Hijacked in Spear-Phishing Attacks

Malicious actors have injected themselves into ongoing email exchanges in highly targeted spear-phishing attacks aimed at entities across the world, Palo Alto Networks said on Thursday.

Malicious actors have injected themselves into ongoing email exchanges in highly targeted spear-phishing attacks aimed at entities across the world, Palo Alto Networks said on Thursday.

An ongoing campaign tracked by the security firm since May involves pieces of malware dubbed PoohMilk, Freenki and N1stAgent. The operation has been named FreeMilk by Palo Alto Networks based on strings found in the malware code.

The attacks observed by Palo Alto were aimed at a bank in the Middle East, an international sporting company, a trademark and intellectual property services firm in Europe, and individuals with indirect ties to an unnamed country in Northeast Asia.

The threat group has leveraged malicious Microsoft Word documents set up to exploit the vulnerability tracked as CVE-2017-0199 in an effort to deliver the first-stage loader PoohMilk and the second-stage downloader Freenki. PoohMilk was spotted delivering the remote administration tool (RAT) N1stAgent.

What makes the FreeMilk campaign interesting is the fact that the attackers delivered the malicious documents by injecting themselves into ongoing email exchanges between the main target and another individual. They hacked into that individual’s email account – likely by stealing their credentials – and identified an in-progress email exchange with the main target.

The attacker then sent the target an email that appeared relevant to the conversation with a malicious document attached to it.

“Unlike phishing or even general spear phishing, this is a highly sophisticated, labor intensive, focused attack,” explained Christopher Budd, Senior Threat Communications Manager at Palo Alto Networks.

“Carrying out a successful conversation hijacking spear phishing attack requires knowing someone that the ultimate target is communicating with, compromising that person’s account, identifying an ongoing email conversation with the ultimate target, crafting an email to appear part of that ongoing email conversation and finally sending it. Even then there’s no guarantee of success since the target may somehow recognize the attack or have sufficient prevention controls in place to prevent the attack from succeeding,” Budd added.

Advertisement. Scroll to continue reading.

Another interesting aspect of the FreeMilk attacks is that all the malware is designed to only execute successfully if a specific argument is provided, which makes it difficult for automated analysis systems to investigate the threat.

The N1stAgent RAT, which has only been spotted in targeted attacks, was first seen in January 2016 when it was delivered via phishing emails referencing a security patch for the South Korean Hangul word processor developed by Hancom.

Palo Alto Networks has not made any statements regarding attribution, but it’s worth noting that attacks involving Hangul vulnerabilities and documents (HWP) have often been linked to North Korea.

The security firm did point to an August 2016 attack aimed at North Korean defectors in the United Kingdom. The attack, which delivered the Freenki malware, was linked at the time to the North Korean regime.

Researchers also discovered some overlaps in command and control (C&C) infrastructure with a campaign involving the ROKRAT RAT analyzed by Cisco Talos, and an attack analyzed last year by a Singapore-based security firm. However, the connection is not conclusive as the C&C domains were compromised sites and the attacks took place several months apart.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.