Ongoing Email Exchanges Hijacked in Spear-Phishing Attacks

Malicious actors have injected themselves into ongoing email exchanges in highly targeted spear-phishing attacks aimed at entities across the world, Palo Alto Networks said on Thursday.

An ongoing campaign tracked by the security firm since May involves pieces of malware dubbed PoohMilk, Freenki and N1stAgent. The operation has been named FreeMilk by Palo Alto Networks based on strings found in the malware code.

The attacks observed by Palo Alto were aimed at a bank in the Middle East, an international sporting company, a trademark and intellectual property services firm in Europe, and individuals with indirect ties to an unnamed country in Northeast Asia.

The threat group has leveraged malicious Microsoft Word documents set up to exploit the vulnerability tracked as CVE-2017-0199 in an effort to deliver the first-stage loader PoohMilk and the second-stage downloader Freenki. PoohMilk was spotted delivering the remote administration tool (RAT) N1stAgent.

What makes the FreeMilk campaign interesting is the fact that the attackers delivered the malicious documents by injecting themselves into ongoing email exchanges between the main target and another individual. They hacked into that individual’s email account – likely by stealing their credentials – and identified an in-progress email exchange with the main target.

The attacker then sent the target an email that appeared relevant to the conversation with a malicious document attached to it.

“Unlike phishing or even general spear phishing, this is a highly sophisticated, labor intensive, focused attack,” explained Christopher Budd, Senior Threat Communications Manager at Palo Alto Networks.

“Carrying out a successful conversation hijacking spear phishing attack requires knowing someone that the ultimate target is communicating with, compromising that person’s account, identifying an ongoing email conversation with the ultimate target, crafting an email to appear part of that ongoing email conversation and finally sending it. Even then there’s no guarantee of success since the target may somehow recognize the attack or have sufficient prevention controls in place to prevent the attack from succeeding,” Budd added.
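As an added illustration of how a defender might triage the conversation-hijack pattern described above (this is example code written for this page, not from the Palo Alto Networks report): a heuristic that scores each reply in a known thread and flags one that breaks the sender's established first-hop delivery path or introduces the thread's first Office attachment. The thread data, header layout and scoring rules are constructed assumptions for the example.

```python
from email import message_from_string

# Constructed thread: two legitimate messages, then a reply from the same
# (compromised) partner account that arrives via a different first hop and
# carries the first Office attachment seen in the thread.
THREAD = [
    "Message-ID: <a1@partner.example>\nFrom: alice@partner.example\nTo: bob@target.example\n"
    "Received: from mail.partner.example (203.0.113.10)\nSubject: Q3 contract\n\nDraft next week.\n",
    "Message-ID: <b1@target.example>\nIn-Reply-To: <a1@partner.example>\nFrom: bob@target.example\n"
    "To: alice@partner.example\nReceived: from mail.target.example (198.51.100.5)\n"
    "Subject: Re: Q3 contract\n\nThanks.\n",
    "Message-ID: <a2@partner.example>\nIn-Reply-To: <b1@target.example>\nFrom: alice@partner.example\n"
    "To: bob@target.example\nReceived: from webmail-relay.example (192.0.2.77)\n"
    "Subject: Re: Q3 contract\nContent-Type: multipart/mixed; boundary=\"b\"\n\n"
    "--b\nContent-Type: text/plain\n\nSee revised draft.\n--b\n"
    "Content-Type: application/msword; name=\"contract.doc\"\n"
    "Content-Disposition: attachment; filename=\"contract.doc\"\n\nZm9v\n--b--\n",
]

OFFICE_EXT = (".doc", ".docx", ".rtf", ".xls", ".xlsx")  # assumed watch-list


def first_hop(msg):
    """Received headers are prepended, so the last one is the hop nearest the sender."""
    hops = msg.get_all("Received") or []
    return hops[-1] if hops else ""


def office_attachments(msg):
    """Filenames of attached parts whose extension is on the watch-list."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(OFFICE_EXT)]


def score_thread(raw_messages):
    """Return [(Message-ID, [reasons])] for replies that continue a known thread
    but deviate from what the thread has shown so far."""
    seen_ids, hops_by_sender, seen_office, findings = set(), {}, False, []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender, hop, reasons = msg["From"], first_hop(msg), []
        in_thread = msg["In-Reply-To"] in seen_ids
        if in_thread and sender in hops_by_sender and hop not in hops_by_sender[sender]:
            reasons.append("first hop differs from sender's earlier messages")
        attachments = office_attachments(msg)
        if in_thread and attachments and not seen_office:
            reasons.append("first Office attachment in thread: " + ", ".join(attachments))
        if reasons:
            findings.append((msg["Message-ID"], reasons))
        seen_ids.add(msg["Message-ID"])
        hops_by_sender.setdefault(sender, set()).add(hop)
        seen_office = seen_office or bool(attachments)
    return findings
```

The heuristic only surfaces messages for human review; a hijacked reply sent through the compromised account's normal mail server would trigger only the attachment rule, so neither signal is conclusive on its own.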

Another interesting aspect of the FreeMilk attacks is that all of the malware runs to completion only when launched with a specific argument. Automated analysis systems generally execute samples without arguments, so this gating makes it difficult for them to observe the malicious behaviour.

The N1stAgent RAT, which has only been spotted in targeted attacks, was first seen in January 2016 when it was delivered via phishing emails referencing a security patch for the South Korean Hangul word processor developed by Hancom.

Palo Alto Networks has not made any statements regarding attribution, but it’s worth noting that attacks involving Hangul vulnerabilities and documents (HWP) have often been linked to North Korea.

The security firm did point to an August 2016 attack aimed at North Korean defectors in the United Kingdom. The attack, which delivered the Freenki malware, was linked at the time to the North Korean regime.

Researchers also discovered some overlaps in command and control (C&C) infrastructure with a campaign involving the ROKRAT RAT analyzed by Cisco Talos, and an attack analyzed last year by a Singapore-based security firm. However, the connection is not conclusive as the C&C domains were compromised sites and the attacks took place several months apart.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
